Virtumond + Vundo ... Very Stubborn Viruses :(



GirLovesWaffles
2009-04-27, 11:27
My computer is doing the following:

When I boot it up, as soon as I reach my desktop 3 errors come up, each a DLL error.

lukosayu.dll
gelapele.dll
jawohame.dll

Secondly, if I try to close these errors my system usually lags incredibly or I have to manually restart because it freezes entirely. So for now I'm just keeping the errors up, just hiding them way down at the bottom of my screen where they aren't seen, although they are still in the task bar.

Third thing that's happening is that there is the occasional bubble in the bottom right where the system tray is. It tells me my computer is at risk, and if I try to close the bubble, it brings up a wizard to install a false antivirus. I have not installed it though.

I did a scan with both Spybot & BitDefender. Spybot found about 15 things, and BitDefender cleaned up a couple of viruses, although you will see in my log that it didn't go so well for one of them.

So here's a BitDefender log, and after that is an HJT log I took right after the scans were completed.


//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 27/04/2009 02:36:17
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
D:\
Folders : 8237
Files : 336254
Memory processes scanned : 0
Archives : 11738
Runtime packers : 16495
Identified viruses : 4
Infected files : 5
Memory processes infected : 0
Suspect files : 0
Warnings : 0
Disinfected files : 0
Deleted files : 3
Moved files : 1
I/O errors : 45
Scan time : 01:37:45
Scan speed (files/sec) : 57

Spyware Statistics

Registry keys scanned : 0
Registry keys infected : 0
Cookies scanned : 0
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 0


Virus definitions : 2850365
Scan plugins : 17
Archive plugins : 45
Unpack plugins : 7
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[X] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1240810577.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

C:\WINDOWS\system32\appmgmt\bdsm.dll Infected: Trojan.Vundo.Gen.1
C:\WINDOWS\system32\appmgmt\bdsm.dll Disinfection failed
C:\WINDOWS\system32\appmgmt\bdsm.dll Move failed
C:\WINDOWS\system32\nudeleze.exe Infected: Dropped:Trojan.Vundo.Gen.1
C:\WINDOWS\system32\nudeleze.exe Disinfection failed
C:\WINDOWS\system32\nudeleze.exe Moved
C:\Documents and Settings\Spook\Local Settings\Temp\AntivirusSetup.exe=>(Dropped 0)=>wise0010 Infected: Trojan.FakeAlert.ASU
C:\Documents and Settings\Spook\Local Settings\Temp\AntivirusSetup.exe=>(Dropped 0)=>wise0010 Deleted
C:\Documents and Settings\Spook\Local Settings\Temp\AntivirusSetup.exe=>(Dropped 0) Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\Spook\Local Settings\Temp\XPShieldSetup.exe=>wise0010 Infected: Trojan.FakeAlert.ASU
C:\Documents and Settings\Spook\Local Settings\Temp\XPShieldSetup.exe=>wise0010 Deleted
C:\Documents and Settings\Spook\Local Settings\Temp\XPShieldSetup.exe Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\Spook\My Documents\My Music\Limewire DL's\Reel Big Fish - New York, New York.mp3 Infected: Trojan.Downloader.WMA.Wimad.Z
C:\Documents and Settings\Spook\My Documents\My Music\Limewire DL's\Reel Big Fish - New York, New York.mp3 Deleted


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:22 AM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe
C:\Program Files\Maple Story\npkcmsvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\SysNotifier.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [0b16c933] rundll32.exe "C:\WINDOWS\system32\gelapele.dll",b
O4 - HKLM\..\Run: [CPM0825faaf] Rundll32.exe "C:\WINDOWS\system32\lukosayu.dll",a
O4 - HKLM\..\Run: [wipehuhubi] Rundll32.exe "C:\WINDOWS\system32\jawohame.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tosilihu.dll c:\windows\system32\ c:\windows\system32\lukosayu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll (file missing)
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 10038 bytes

Shaba
2009-04-28, 08:19
Hi GirLovesWaffles

Rename HijackThis.exe to GirLovesWaffles.exe and post back a fresh HijackThis log, please :)

GirLovesWaffles
2009-04-28, 08:31
Here you are, Shaba

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:06 AM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maple Story\npkcmsvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\DOCUME~1\Spook\LOCALS~1\Temp\3378854450.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - C:\WINDOWS\system32\appmgmt\bdsm.dll
O2 - BHO: C:\WINDOWS\system32\yhs783ijfo3fe.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKLM\..\Run: [0b16c933] rundll32.exe "C:\WINDOWS\system32\gelapele.dll",b
O4 - HKLM\..\Run: [CPM0825faaf] Rundll32.exe "C:\WINDOWS\system32\lukosayu.dll",a
O4 - HKLM\..\Run: [wipehuhubi] Rundll32.exe "C:\WINDOWS\system32\jawohame.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Spook\LOCALS~1\Temp\3378854450.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\cqmesi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\cqmesi.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\664953284.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\cqmesi.exe (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\tosilihu.dll c:\windows\system32\ c:\windows\system32\lukosayu.dll
O20 - Winlogon Notify: bdsm - C:\WINDOWS\system32\appmgmt\bdsm.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll (file missing)
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\icf.exe.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 11281 bytes
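
The log above is where the Vundo persistence shows: Run keys that call rundll32 on randomly named system32 DLLs with a one-letter export, autoruns and a Winsock LSP living in Temp, a non-empty AppInit_DLLs, an IE Trusted Zone entry for the rogue antivirus site, a regedit-disabling policy, and shell load points whose DLL is already gone. The following Python script is an added example, not code from the thread, from Shaba, or from HijackThis itself: it parses HijackThis-format entries and flags those patterns. The heuristics are the editor's assumptions drawn from this thread's entries, and the sample lines are constructed (modelled on a few entries from the log, not the whole log); a hit means "look at this", not a verdict.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section code (O4, O7, O10, ...)
    reason: str
    line: str


# Triage heuristics (assumptions based on the entries seen in this thread).
ENTRY = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")              # "O4 - ...", "R0 - ..."
TEMP_DIR = re.compile(r"\\temp\\", re.I)                   # ...\Temp\... anywhere in the path
RUNDLL_EXPORT = re.compile(r'rundll32\.exe\s+"?([^"]+\.dll)"?\s*,\s*([a-z])\s*$', re.I)
NON_EXEC_EXT = re.compile(r'\.(tmp|dat|txt)"?\s*$', re.I)  # autorun of a non-executable extension


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis-format lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # process list, headers, blank lines: not O/R entries
        sec, body = m.groups()
        reasons: List[str] = []
        if sec == "O4":  # Run keys and startup folders
            e = RUNDLL_EXPORT.search(body)
            if e:
                reasons.append(f"rundll32 loads {e.group(1)} through single-letter export '{e.group(2)}'")
            if TEMP_DIR.search(body):
                reasons.append("autorun target lives in a Temp directory")
            if NON_EXEC_EXT.search(body):
                reasons.append("autorun target has a non-executable extension")
        elif sec == "O7" and "DisableRegedit=1" in body:
            reasons.append("Registry Editor disabled by policy")
        elif sec == "O10" and TEMP_DIR.search(body):
            reasons.append("Winsock LSP loaded from a Temp directory")
        elif sec == "O15":
            reasons.append("site added to IE Trusted Zone")
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is non-empty (DLL loaded into every process that loads user32)")
        elif sec in ("O21", "O22") and "(file missing)" in body:
            reasons.append("shell load point references a DLL that is no longer on disk")
        findings.extend(Finding(sec, r, line) for r in reasons)
    return findings


# Constructed sample: a handful of entries in HijackThis v2 log format,
# modelled on lines from the thread's log, plus a few benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [0b16c933] rundll32.exe "C:\WINDOWS\system32\gelapele.dll",b
O4 - HKLM\..\Run: [CPM0825faaf] Rundll32.exe "C:\WINDOWS\system32\lukosayu.dll",a
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Spook\LOCALS~1\Temp\3378854450.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\cqmesi.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\tosilihu.dll c:\windows\system32\ c:\windows\system32\lukosayu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The point of the single-letter-export rule is that legitimate rundll32 autoruns name a real export (for example a `,Control_RunDLL`-style entry point), whereas the entries in this thread call `,a`, `,b` and `,s`; the Temp-directory and missing-file rules catch the droppers and the stale SSODL/SharedTaskScheduler load points that an earlier cleanup left behind.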

Shaba
2009-04-28, 08:40
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

GirLovesWaffles
2009-04-28, 08:43
Acer Empowering Technology
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam
Acer Screensaver
Active GIF Creator 3.2
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Media Player
Adobe Reader 7.0
Adobe Shockwave Player 11
Advertisement Service
AIM 6
ALZip
Ares 2.1.1
Armagetron Advanced 0.2.8.3_rc1.gcc
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
BitDefender Free Edition v10
CDisplay 1.8
Choice Guard
Collab
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EA Download Manager
ERUNT 1.1j
FL Studio 8
G-Force
Gimp 2.6.1
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
IL Download Manager
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Junk Mail filter update
Launch Manager
LimeWire 4.18.8
MapleStory GL
Media Center Extender
Media Center Extender
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.9)
MSVCRT
Network Magic
Network Play System (Patching)
NTI Backup NOW! 4
NTI CD & DVD-Maker
Opera 9.63
Pando Media Booster
PoiZone
PowerDVD
PowerProducer
Realtek High Definition Audio Driver
RebirthRO SMALL CLIENT
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SMSC IrCC V5.1.3600.7
Soft Data Fax Modem with SmartCP
Sonic Encoders
SPORE™ Creature Creator Trial Edition
Spybot - Search & Destroy
Starcraft
Synaptics Pointing Device Driver
TeamSpeak 2 RC2
The Sims Livin' Large
The Sims™ 2 Double Deluxe
Toxic Biohazard
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6i
Viewpoint Media Player
Vista Transformation Pack 8.0
WhiteCap
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Internet Explorer 8 Release Candidate 1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

Shaba
2009-04-28, 08:45
As per forum rules (http://forums.spybot.info/showthread.php?t=282), all P2P programs have to be uninstalled.

So you will need to uninstall these:

Ares 2.1.1
LimeWire 4.18.8

Please post a fresh uninstall list after that.

GirLovesWaffles
2009-04-28, 08:50
My apologies, those programs have been uninstalled now.

Acer Empowering Technology
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer OrbiCam
Acer Screensaver
Active GIF Creator 3.2
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Media Player
Adobe Reader 7.0
Adobe Shockwave Player 11
Advertisement Service
AIM 6
ALZip
Armagetron Advanced 0.2.8.3_rc1.gcc
ASIO4ALL
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
BitDefender Free Edition v10
CDisplay 1.8
Choice Guard
Collab
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EA Download Manager
ERUNT 1.1j
FL Studio 8
G-Force
Gimp 2.6.1
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB895961-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
IL Download Manager
Java(TM) 6 Update 13
Java(TM) 6 Update 7
Junk Mail filter update
Launch Manager
MapleStory GL
Media Center Extender
Media Center Extender
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.9)
MSVCRT
Network Magic
Network Play System (Patching)
NTI Backup NOW! 4
NTI CD & DVD-Maker
Opera 9.63
Pando Media Booster
PoiZone
PowerDVD
PowerProducer
Realtek High Definition Audio Driver
RebirthRO SMALL CLIENT
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SMSC IrCC V5.1.3600.7
Soft Data Fax Modem with SmartCP
Sonic Encoders
SPORE™ Creature Creator Trial Edition
Spybot - Search & Destroy
Starcraft
Synaptics Pointing Device Driver
TeamSpeak 2 RC2
The Sims Livin' Large
The Sims™ 2 Double Deluxe
Toxic Biohazard
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6i
Viewpoint Media Player
Vista Transformation Pack 8.0
WhiteCap
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0)
Windows Internet Explorer 8 Release Candidate 1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

Shaba
2009-04-28, 08:51
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.
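What the reviewer will be looking for in those two logs is a handful of autostart patterns that are typical of Vundo/Virtumonde: Run values that launch a non-executable extension (a .tmp, for instance) or start from a user-writable directory, Browser Helper Objects with no name or living outside Program Files, Winlogon Notify DLLs, and sites added to the Internet Explorer Trusted Zone. The script below is an added example written for this thread; it is not part of Spybot, HijackThis or ComboFix, and the sample log it parses is constructed to mirror the entries posted later in this thread (the O15 and O20 lines are written in HijackThis format from the ComboFix "Trusted Zone" and "winlogon\notify" findings). It flags review candidates only; a flag is not a verdict, since legitimate Winlogon Notify DLLs do exist.

```python
"""Autostart triage for HijackThis-style logs.

Added example for this thread; not part of Spybot, HijackThis or ComboFix.
Reads HJT O2/O4/O15/O20 lines and flags the patterns that characterise a
Vundo/Virtumonde infection. A flag is a review candidate, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Locations a normal Run entry should not launch from (Windows paths, case-insensitive).
USER_WRITABLE = re.compile(
    r"\\(temp|local settings|application data|documents and settings)\\", re.I)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files\\", re.I)
# First drive-letter path in a command line, with or without surrounding quotes.
FIRST_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.[a-z0-9]{2,4})"?(?:\s|$)', re.I)

O4_RE = re.compile(r"O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)")
O2_RE = re.compile(r"O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)", re.I)
O20_RE = re.compile(r"O20 - Winlogon Notify: ([^ ]+) - (.*)")
O15_RE = re.compile(r"O15 - Trusted Zone: (.*)")


@dataclass
class Finding:
    kind: str                        # HJT section: O2, O4, O15 or O20
    label: str                       # Run value name, BHO name, Notify key or host
    path: str                        # launched file, DLL or zone host
    reasons: list = field(default_factory=list)


def _first_path(command):
    """Extract the executable/DLL path from an O4 command line."""
    m = FIRST_PATH.search(command)
    return m.group(1) if m else (command.strip().split() or [""])[0]


def _check_run(label, command):
    path = _first_path(command)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    reasons = []
    if ext != "exe":
        reasons.append(f"launches a .{ext or '?'} file rather than an .exe")
    if USER_WRITABLE.search(path):
        reasons.append("launches from a user-writable or temporary directory")
    return Finding("O4", label, path, reasons) if reasons else None


def _check_bho(name, clsid, path):
    reasons = []
    if name.strip().lower() == "(no name)":
        reasons.append("BHO registered without a name")
    if not PROGRAM_FILES.match(path.strip()):
        reasons.append("BHO DLL lives outside Program Files")
    return Finding("O2", name, path, reasons) if reasons else None


def triage(log_text):
    """Return a Finding for every autostart line that merits analyst review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            f = _check_run(m.group(2), m.group(3))
        elif m := O2_RE.match(line):
            f = _check_bho(m.group(1), m.group(2), m.group(3))
        elif m := O20_RE.match(line):
            # Notify DLLs load into winlogon.exe before any user logs on; Vundo uses
            # this to survive reboots. Legitimate ones exist, hence "review".
            f = Finding("O20", m.group(1), m.group(2),
                        ["Winlogon Notify DLL is loaded into winlogon.exe at boot"])
        elif m := O15_RE.match(line):
            f = Finding("O15", m.group(1), m.group(1),
                        ["host added to the IE Trusted Zone, which relaxes security settings"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample modelled on the HijackThis and ComboFix output in this thread
# (the O15 and O20 lines are written in HJT format from the ComboFix findings).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - C:\WINDOWS\system32\appmgmt\bdsm.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Jcore\Jcore2.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe" 61A847B5
O15 - Trusted Zone: antimalwareguard.com
O20 - Winlogon Notify: bdsm - C:\WINDOWS\system32\appmgmt\bdsm.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.label:<24}{f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the constructed sample it reports five entries (the unnamed bdsm.dll BHO, the prnet.tmp and pidle.exe Run values, the Trusted Zone host, and the bdsm Winlogon Notify key) and stays silent on BitDefender, ctfmon and the Realtek entry. The extension and location rules are deliberately crude; they are meant to surface what a human then checks against the file dates and signatures in the ComboFix output.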

GirLovesWaffles
2009-04-28, 10:08
Sorry that took so long; there was a lot to go through for ComboFix.
Here is the ComboFix log:

ComboFix 09-04-27.03 - Spook 04/28/2009 3:44.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.501 [GMT -3:00]
Running from: c:\documents and settings\Spook\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Spook\LOCALS~1\Temp\mousehook.dll
c:\docume~1\Spook\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\SysNotifier.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\ak1.exe
c:\windows\system32\drivers\ovfsthknixshtprnyokvxvnpvjdlirmkoiwsji.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\ovfsthauonskkcnoetlrcwtlmivxxqcwuulvdy.dll
c:\windows\system32\ovfsthcddebeaamhbejcauvslgtheqrjliirac.dll
c:\windows\system32\ovfsthnodxongfdryngdcaloucomajjnnrydvt.dat
c:\windows\system32\ovfsthsaxmhpkdatewcxjaqvunfpjilrnqplth.dll
c:\windows\system32\ovfsthyxpgatlejqbvnveipokamynqsggsxydy.dat
c:\windows\system32\p2hhr.bat
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\yhs783ijfo3fe.dll
c:\windows\Temp\664953284.exe
c:\windows\TEMP\ntdll64.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthardoetoaybirddhfetiyobfdexwppkld
-------\Legacy_ICF
-------\Service_ICF


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 06:53 . 2009-04-28 06:53 -------- d-----w c:\program files\Jcore
2009-04-28 06:41 . 2009-04-28 06:41 -------- d-sh--w C:\FOUND.000
2009-04-28 00:34 . 2009-04-28 00:34 29696 ----a-w c:\windows\system32\loader49.exe
2009-04-27 08:39 . 2009-04-27 08:39 -------- d-----w c:\program files\ERUNT
2009-04-27 03:47 . 2009-04-27 03:47 -------- d-----w c:\program files\Trend Micro
2009-04-27 01:04 . 2009-04-27 01:04 8192 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-26 22:38 . 2009-04-26 22:38 -------- d-----w c:\documents and settings\Spook\Application Data\pidle
2009-04-18 05:28 . 2009-04-18 05:28 -------- d-----w c:\documents and settings\Spook\Application Data\Armagetron
2009-04-15 16:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 04:54 . 2009-04-14 04:54 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Help
2009-04-12 02:27 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\Spook\Application Data\DivX
2009-04-05 02:55 . 2009-04-05 02:55 -------- d-----w c:\documents and settings\Spook\Application Data\teamspeak2
2009-04-05 02:54 . 2009-04-05 02:54 -------- d-----w c:\program files\Teamspeak2_RC2
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\dllcache\usbaudio.sys
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
2009-04-03 04:35 . 2009-04-03 04:35 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Ares
2009-03-31 20:45 . 2009-03-31 20:45 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-31 20:44 . 2009-03-31 20:44 -------- d-----w c:\documents and settings\Spook\Application Data\SPORE Creature Creator
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w C:\ProgramData
2009-03-31 20:14 . 2009-03-31 20:14 3858 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:50 . 2008-08-04 05:43 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-26 22:43 . 2009-01-26 22:43 52224 --sha-w c:\windows\system32\guvuvara.exe
2009-04-26 22:38 . 2009-04-26 22:37 182911 ----a-w c:\windows\system32\prnet.tmp
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\DivX
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 02:53 . 2009-04-05 02:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Viewpoint
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Common Files\AOL
2009-03-26 05:01 . 2009-03-26 05:01 -------- d-----w c:\program files\AIM6
2009-03-21 02:02 . 2009-03-21 02:02 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-21 01:37 . 2009-03-21 01:37 -------- d-----w c:\program files\EA GAMES
2009-03-17 04:33 . 2009-03-10 04:49 35190 ----a-w c:\windows\scunin.dat
2009-03-17 04:33 . 2009-03-10 04:49 967 ----a-w c:\windows\ScUnin.pif
2009-03-17 04:33 . 2009-03-10 04:49 94208 ----a-w c:\windows\ScUnin.exe
2009-03-16 05:18 . 2006-06-01 20:59 84632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViSplore
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\WinFlip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\TrueTransparency
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\VisualTooltip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViStart
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViOrb
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Rainbar
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Styler
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Drive Icon
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\LClock
2009-03-16 04:31 . 2009-03-16 04:31 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Microsoft
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-16 04:23 . 2009-03-16 04:23 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-11 21:17 . 2009-03-11 20:50 746 ----a-w c:\windows\eReg.dat
2009-03-11 20:49 . 2009-03-11 20:49 -------- d-----w c:\program files\Electronic Arts
2009-03-11 20:47 . 2009-03-11 20:47 -------- d-----w c:\program files\Maxis
2009-03-09 08:19 . 2008-12-10 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:35 . 2009-04-06 06:09 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-06 06:09 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-06 06:09 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-06 06:09 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-06 06:09 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:35 . 2005-05-12 21:54 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-15 15:29 . 2009-02-11 16:51 35391 ----a-w c:\windows\DIIUnin.dat
2009-02-15 15:28 . 2009-02-11 17:04 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-02-15 15:28 . 2009-02-11 17:04 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-02-15 15:28 . 2009-02-11 17:04 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-02-11 16:51 . 2009-02-11 16:51 94208 ----a-w c:\windows\DIIUnin.exe
2009-02-11 16:51 . 2009-02-11 16:51 2829 ----a-w c:\windows\DIIUnin.pif
2009-02-09 12:10 . 2004-08-10 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:03 . 2009-02-06 22:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-10 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-10 23:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:01 . 2009-02-03 20:00 127 ----a-w c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-02-03 19:59 . 2004-08-10 23:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1423872 6A8B0B64F8D7EBEF70B16FF689C3C76D c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-10 23:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74FA5D99-38CD-4E3E-B765-54FAD4BDA166}]
2009-04-26 22:43 299008 ----a-w c:\windows\system32\appmgmt\bdsm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
2009-04-28 06:53 135168 ----a-w c:\program files\Jcore\Jcore2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2008-11-12 602112]
"TrueTransparency"="c:\program files\TrueTransparency\TrueTransparency.exe" [2008-06-25 372224]
"prnet"="c:\windows\system32\prnet.tmp" [2009-04-26 182911]
"pidle"="c:\documents and settings\Spook\Application Data\pidle\pidle.exe" [2009-04-26 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"prnet"="c:\windows\system32\prnet.tmp" [2009-04-26 182911]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bdsm]
2009-04-26 22:43 299008 ----a-w c:\windows\system32\appmgmt\bdsm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spook^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Spook\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58255:TCP"= 58255:TCP:Pando Media Booster
"58255:UDP"= 58255:UDP:Pando Media Booster
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; [x]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\User_Feed_Synchronization-{6A6751F0-5C2A-427A-B368-B6246AD69287}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 05:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-0b16c933 - c:\windows\system32\gelapele.dll
HKLM-Run-CPM0825faaf - c:\windows\system32\lukosayu.dll
HKLM-Run-wipehuhubi - c:\windows\system32\jawohame.dll
HKLM-Run-LaunchApp - (no file)
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\cqmesi.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\664953284.exe
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lukosayu.dll
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: antimalwareguard.com
FF - ProfilePath - c:\documents and settings\Spook\Application Data\Mozilla\Firefox\Profiles\q0vhrz2h.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 03:53
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\appmgmt\bdsm.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\appmgmt\bdsm.dll
c:\program files\TrueTransparency\TrueTransparencyHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\msls31.dll
c:\windows\system32\netshell.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\DHCPCSVC.DLL
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\program files\ViStart\StartHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\MAPLE STORY\NPKCMSVC.EXE
c:\windows\EHOME\RMSVC.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER UPDATE SERVICE\LIVESRV.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\program files\COMMON FILES\PURE NETWORKS SHARED\PLATFORM\NMSRVC.EXE
c:\program files\SOFTWIN\BITDEFENDER10\VSSERV.EXE
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\EHOME\EHMSAS.EXE
c:\program files\LAUNCH MANAGER\LMANAGER.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-28 3:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 06:59

Pre-Run: 16,325,148,672 bytes free
Post-Run: 16,284,712,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
343 --- E O F --- 2009-04-16 07:33


And here's a fresh HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:19 AM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maple Story\npkcmsvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Spook\Application Data\Twain\Twain.exe
C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: CPV - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\WWShow\WWShow.dll
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - C:\WINDOWS\system32\appmgmt\bdsm.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Jcore\Jcore2.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Spook\Application Data\Twain\Twain.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: bdsm - C:\WINDOWS\system32\appmgmt\bdsm.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9579 bytes

GirLovesWaffles
2009-04-28, 10:47
Gah... now I'm getting these irritating popups, wasn't getting those before. And my CPU is constantly around 30%. The good news is that those 3 dll errors don't show up anymore, the bubble still does though. Still more to do I guess :red:

Shaba
2009-04-28, 10:58
We are not done yet :)

Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\loader49.exe
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\guvuvara.exe
c:\windows\system32\prnet.tmp
c:\windows\system32\appmgmt\bdsm.dll

Folder::
c:\documents and settings\Spook\Local Settings\Application Data\Ares
c:\program files\Jcore
c:\documents and settings\Spook\Application Data\pidle
C:\Documents and Settings\Spook\Application Data\Twain

DDS::
Trusted Zone: antimalwareguard.com


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh combofix log
- a fresh HijackThis log
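
The entries Shaba's CFScript targets (an autorun from Application Data, a .tmp run from system32, an unnamed BHO that is also a Winlogon Notify DLL, a Trusted Zone addition) are the usual tells a helper looks for when reading a HijackThis log. The script below is an added example written for this page; it is not part of the thread and not code from HijackThis or ComboFix. It parses a handful of constructed lines in HijackThis's line format (copied from the log posted above, with the pidle argument shortened) and flags entries with those characteristics, then reports any file referenced from more than one section. The rules are triage heuristics of this example only, not HijackThis's own logic; the function names and the PROFILE_DIRS list are this example's assumptions.

```python
import re

# Constructed sample input in HijackThis's line format, modelled on the log
# posted earlier in this thread. Benign entries are included as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - C:\WINDOWS\system32\appmgmt\bdsm.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Jcore\Jcore2.dll
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [prnet] "C:\WINDOWS\system32\prnet.tmp"
O4 - HKCU\..\Run: [pidle] "C:\Documents and Settings\Spook\Application Data\pidle\pidle.exe" 61A847B5
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Spook\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.antimalwareguard.com
O20 - Winlogon Notify: bdsm - C:\WINDOWS\system32\appmgmt\bdsm.dll
"""

# Directories a persistent autorun rarely has any legitimate reason to live in
# (heuristic chosen for this example).
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\",
                "\\temporary internet files\\")

PATH_RE = re.compile(r'"?(.+?\.(?:exe|dll|tmp|scr|com|bat|pif))"?', re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")


def extract_path(command):
    """Pull the executable/DLL path out of an O4 command string, quoted or not,
    dropping any trailing arguments."""
    m = PATH_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage(log_text):
    """Return (section, target, reason) tuples for entries worth a closer look.

    Heuristics used here: an O4 autorun under a user-profile data directory or
    with a non-.exe extension, a BHO with no name, any Winlogon Notify DLL, and
    any site added to the IE Trusted Zone."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = extract_path(m.group(3))
            low = path.lower()
            if any(d in low for d in PROFILE_DIRS):
                findings.append(("O4", path, "autorun launched from a user-profile data directory"))
            if not low.endswith(".exe"):
                ext = low.rsplit(".", 1)[-1]
                findings.append(("O4", path, "autorun target is not an .exe (%s)" % ext))
        elif m := O2_RE.match(line):
            if m.group(1).strip() == "(no name)":
                findings.append(("O2", m.group(2).strip(), "browser helper object with no name"))
        elif m := O20_RE.match(line):
            findings.append(("O20", m.group(2).strip(),
                             "Winlogon Notify DLL '%s' is loaded at logon" % m.group(1)))
        elif m := O15_RE.match(line):
            findings.append(("O15", m.group(1).strip(), "site added to IE Trusted Zone"))
    return findings


def shared_paths(findings):
    """Files flagged under more than one section, e.g. the same DLL registered
    both as a BHO and as a Winlogon Notify handler."""
    seen = {}
    for section, target, _ in findings:
        entry = seen.setdefault(target.lower(), [target, set()])
        entry[1].add(section)
    return {orig for orig, secs in seen.values() if len(secs) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for section, target, reason in results:
        print("%-4s %-70s %s" % (section, target, reason))
    print("referenced from more than one section:", sorted(shared_paths(results)))
```

Run against the sample it reports six entries and singles out bdsm.dll as the one file that appears in two sections, which is the same set of items Shaba's CFScript removes; on a real log the output is a shortlist to examine, not a verdict.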

GirLovesWaffles
2009-04-28, 21:54
A lot of things seem better now, but the popups are still coming.

I didn't need to end any processes, it ran very well. Thanks so far!

ComboFix 09-04-27.05 - Spook 04/28/2009 15:37.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.542 [GMT -3:00]
Running from: c:\documents and settings\Spook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Spook\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\appmgmt\bdsm.dll
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\guvuvara.exe
c:\windows\system32\loader49.exe
c:\windows\system32\prnet.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Spook\Application Data\pidle
c:\documents and settings\Spook\Application Data\pidle\pidle.exe
c:\documents and settings\Spook\Application Data\Twain
c:\documents and settings\Spook\Application Data\Twain\Twain.exe
c:\documents and settings\Spook\Local Settings\Application Data\Ares
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ChatroomIPs.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\default.m3u
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\DHTnodes.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\FailedSNodes.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\PHashIdx.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ShareH.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\ShareL.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\SNodes.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_9589AB653DF41498B3685388B371C103F5AE047F.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_992F5D14ACAF36A73D27D313A397318B0EF74E19.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_BD0D749C9A81FF1D5DC0777C91430C3BEDA9235E.dat
c:\documents and settings\Spook\Local Settings\Application Data\Ares\Data\TempDL\PHash_DA760775015A529CC2C5E76EEC6A1DE22AF256D0.dat
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\Cpvff.stt
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Jcore
c:\program files\Jcore\Jcore2.dll
c:\windows\SysNotifier.exe
c:\windows\system32\appmgmt\bdsm.dll
c:\windows\system32\ftp_non_crp.exe
c:\windows\system32\garowori.dll
c:\windows\system32\guvuvara.exe
c:\windows\system32\ibosahom.ini
c:\windows\system32\loader49.exe
c:\windows\system32\mohasobi.dll
c:\windows\system32\prnet.tmp
c:\windows\system32\tukibazi.dll
c:\windows\system32\vuhuviti.dll
c:\windows\system32\zinipelu.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 07:08 . 2009-04-28 07:08 -------- d-----w c:\documents and settings\Spook\Application Data\digifast
2009-04-28 06:58 . 2009-04-28 06:58 -------- d-----w c:\program files\WWShow
2009-04-28 06:41 . 2009-04-28 06:41 -------- d-sh--w C:\FOUND.000
2009-04-27 08:39 . 2009-04-27 08:39 -------- d-----w c:\program files\ERUNT
2009-04-27 03:47 . 2009-04-27 03:47 -------- d-----w c:\program files\Trend Micro
2009-04-18 05:28 . 2009-04-18 05:28 -------- d-----w c:\documents and settings\Spook\Application Data\Armagetron
2009-04-15 16:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 04:54 . 2009-04-14 04:54 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Help
2009-04-12 02:27 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\Spook\Application Data\DivX
2009-04-05 02:55 . 2009-04-05 02:55 -------- d-----w c:\documents and settings\Spook\Application Data\teamspeak2
2009-04-05 02:54 . 2009-04-05 02:54 -------- d-----w c:\program files\Teamspeak2_RC2
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\dllcache\usbaudio.sys
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
2009-03-31 20:45 . 2009-03-31 20:45 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-31 20:44 . 2009-03-31 20:44 -------- d-----w c:\documents and settings\Spook\Application Data\SPORE Creature Creator
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w C:\ProgramData
2009-03-31 20:14 . 2009-03-31 20:14 3858 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 18:44 . 2008-08-04 05:43 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-28 07:26 . 2009-01-28 07:26 61952 --sha-w c:\windows\system32\sobipore.exe
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\DivX
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 02:53 . 2009-04-05 02:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Viewpoint
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Common Files\AOL
2009-03-26 05:01 . 2009-03-26 05:01 -------- d-----w c:\program files\AIM6
2009-03-21 02:02 . 2009-03-21 02:02 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-21 01:37 . 2009-03-21 01:37 -------- d-----w c:\program files\EA GAMES
2009-03-17 04:33 . 2009-03-10 04:49 35190 ----a-w c:\windows\scunin.dat
2009-03-17 04:33 . 2009-03-10 04:49 967 ----a-w c:\windows\ScUnin.pif
2009-03-17 04:33 . 2009-03-10 04:49 94208 ----a-w c:\windows\ScUnin.exe
2009-03-16 05:18 . 2006-06-01 20:59 84632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViSplore
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\WinFlip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\TrueTransparency
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\VisualTooltip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViStart
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViOrb
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Rainbar
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Styler
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Drive Icon
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\LClock
2009-03-16 04:31 . 2009-03-16 04:31 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Microsoft
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-16 04:23 . 2009-03-16 04:23 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-11 21:17 . 2009-03-11 20:50 746 ----a-w c:\windows\eReg.dat
2009-03-11 20:49 . 2009-03-11 20:49 -------- d-----w c:\program files\Electronic Arts
2009-03-11 20:47 . 2009-03-11 20:47 -------- d-----w c:\program files\Maxis
2009-03-09 08:19 . 2008-12-10 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:35 . 2009-04-06 06:09 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-06 06:09 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-06 06:09 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-06 06:09 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-06 06:09 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:35 . 2005-05-12 21:54 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-15 15:29 . 2009-02-11 16:51 35391 ----a-w c:\windows\DIIUnin.dat
2009-02-15 15:28 . 2009-02-11 17:04 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-02-15 15:28 . 2009-02-11 17:04 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-02-15 15:28 . 2009-02-11 17:04 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-02-11 16:51 . 2009-02-11 16:51 94208 ----a-w c:\windows\DIIUnin.exe
2009-02-11 16:51 . 2009-02-11 16:51 2829 ----a-w c:\windows\DIIUnin.pif
2009-02-09 12:10 . 2004-08-10 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:03 . 2009-02-06 22:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-10 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-10 23:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:01 . 2009-02-03 20:00 127 ----a-w c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-02-03 19:59 . 2004-08-10 23:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
2009-04-28 07:09 . 2009-04-28 07:09 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1423872 6A8B0B64F8D7EBEF70B16FF689C3C76D c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-10 23:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.54.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 18:24 . 2009-04-28 18:24 16384 c:\windows\Temp\Perflib_Perfdata_fd0.dat
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
+ 2009-04-28 18:46 . 2009-04-28 18:46 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
+ 2009-04-28 18:20 . 2009-04-28 18:20 16384 c:\windows\Temp\Perflib_Perfdata_168.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2008-11-12 602112]
"TrueTransparency"="c:\program files\TrueTransparency\TrueTransparency.exe" [2008-06-25 372224]
"DigiFast"="c:\documents and settings\Spook\Application Data\digifast\digifast.exe" [2009-04-28 225792]
"SfKg6wIPuSpdc"="c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe" [2009-04-28 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BDMCon"="c:\progra~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 290816]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spook^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Spook\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58255:TCP"= 58255:TCP:Pando Media Booster
"58255:UDP"= 58255:UDP:Pando Media Booster
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; [x]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\User_Feed_Synchronization-{6A6751F0-5C2A-427A-B368-B6246AD69287}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 05:01]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5595b6b9-ed14-4735-a42e-c4b84a714505} - c:\windows\system32\tukibazi.dll
BHO-{74FA5D99-38CD-4E3E-B765-54FAD4BDA166} - c:\windows\system32\appmgmt\bdsm.dll
HKCU-Run-prnet - c:\windows\system32\prnet.tmp
HKCU-Run-pidle - c:\documents and settings\Spook\Application Data\pidle\pidle.exe
HKLM-Run-prnet - c:\windows\system32\prnet.tmp
Notify-bdsm - c:\windows\system32\appmgmt\bdsm.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Spook\Application Data\Mozilla\Firefox\Profiles\q0vhrz2h.default\
FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 15:47
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'explorer.exe'(3456)
c:\program files\TrueTransparency\TrueTransparencyHook.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\program files\ViStart\StartHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\MAPLE STORY\NPKCMSVC.EXE
c:\windows\EHOME\RMSVC.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
c:\program files\COMMON FILES\SOFTWIN\BITDEFENDER UPDATE SERVICE\LIVESRV.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\program files\COMMON FILES\PURE NETWORKS SHARED\PLATFORM\NMSRVC.EXE
c:\program files\SOFTWIN\BITDEFENDER10\VSSERV.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\windows\EHOME\EHMSAS.EXE
c:\program files\LAUNCH MANAGER\LMANAGER.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-28 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 18:50
ComboFix2.txt 2009-04-28 07:00

Pre-Run: 16,237,297,664 bytes free
Post-Run: 16,243,490,816 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
347 --- E O F --- 2009-04-16 07:33


----------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:16 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maple Story\npkcmsvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ViStart\ViStart.exe
C:\Program Files\TrueTransparency\TrueTransparency.exe
C:\Documents and Settings\Spook\Application Data\digifast\digifast.exe
C:\Documents and Settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Spook\Application Data\digifast\digifast.exe
O4 - HKCU\..\Run: [SfKg6wIPuSpdc] C:\Documents and Settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 9056 bytes

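The log above is what the helper is reading by eye to pick out the DigiFast and SfKg6wIPuSpdc autostart entries. As an added example (not code from this thread, from HijackThis or from any of the tools named here), the Python script below applies two of the checks an analyst makes on O4 entries: the executable lives in a per-user, user-writable data directory, or the entry or file name looks machine-generated. The sample lines are copied from the HijackThis log posted in this thread; the directory list, the name heuristic and its thresholds are my own assumptions and are deliberately conservative, so a short random file name such as xwujdx is only surfaced because the path rule fires as well.

```python
import re
from dataclasses import dataclass, field

# A HijackThis O4 line looks like:  O4 - HKCU\..\Run: [Name] C:\path\prog.exe /switch
# Global Startup folder entries use a different shape and are skipped here.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Per-user, user-writable directories. Legitimate software almost never
# autostarts from here; droppers very often do (assumed heuristic).
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def extract_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line.

    Quoted commands end at the closing quote; unquoted ones (which may
    contain spaces) are cut at the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(token: str) -> bool:
    """Conservative 'machine-generated name' heuristic (assumed thresholds).

    Fires on long names with very few vowels, or on names that mix digits
    with frequent case changes (e.g. SfKg6wIPuSpdc). All-caps abbreviations
    such as RTHDCPL or MSMSGS deliberately do not trigger it.
    """
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in "aeiouy" for c in letters) / len(letters)
    has_digit = any(c.isdigit() for c in token)
    case_changes = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return (len(letters) >= 10 and vowel_ratio < 0.25) or (has_digit and case_changes >= 3)


def triage(log_text: str) -> list:
    """Return the O4 entries in a HijackThis log that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        path = extract_path(m.group("cmd"))
        reasons = []
        if any(d in path.lower() for d in USER_DATA_DIRS):
            reasons.append("autostarts from a per-user data directory")
        stem = re.sub(r"\.exe$", "", path.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
        if looks_random(name) or looks_random(stem):
            reasons.append("random-looking entry or file name")
        if reasons:
            findings.append(Finding(name, path, reasons))
    return findings


# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [DigiFast] C:\Documents and Settings\Spook\Application Data\digifast\digifast.exe
O4 - HKCU\..\Run: [SfKg6wIPuSpdc] C:\Documents and Settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}\n    " + "; ".join(f.reasons))
```

Run as-is it reports exactly the two entries the helper removed in the CFScript later in the thread, and nothing else from the sample. The rules are a starting point for reading a log, not a verdict: an entry that passes both checks can still be malicious, which is why the thread goes on to confirm with a Sigcheck and an online scan of the files themselves.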
Shaba
2009-04-28, 21:59
Yes there are still some files.

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file from the list into the white "Upload a file" box and click Submit/Send (depending on which one you are using, Jotti or VirusTotal).

c:\windows\explorer.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

GirLovesWaffles
2009-04-28, 22:21
Everything is good for that particular file :)

Shaba
2009-04-28, 22:25
Good. Then that was due to Vista packs.


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\system32\sobipore.exe
c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe

Folder::
c:\documents and settings\Spook\Application Data\digifast

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58255:TCP"=-
"58255:UDP"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

GirLovesWaffles
2009-04-28, 22:37
Ran faster than ever this time :bigthumb:

ComboFix 09-04-27.05 - Spook 04/28/2009 16:30.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.512 [GMT -3:00]
Running from: c:\documents and settings\Spook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Spook\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
c:\windows\system32\sobipore.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Spook\Application Data\digifast
c:\documents and settings\Spook\Application Data\digifast\config.cfg
c:\documents and settings\Spook\Application Data\digifast\DFUninstall.exe
c:\documents and settings\Spook\Application Data\digifast\digifast.exe
c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe
c:\documents and settings\Spook\Local Settings\Temporary Internet Files\Cpvff.stt
c:\windows\system32\sobipore.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 06:58 . 2009-04-28 06:58 -------- d-----w c:\program files\WWShow
2009-04-28 06:41 . 2009-04-28 06:41 -------- d-sh--w C:\FOUND.000
2009-04-27 08:39 . 2009-04-27 08:39 -------- d-----w c:\program files\ERUNT
2009-04-27 03:47 . 2009-04-27 03:47 -------- d-----w c:\program files\Trend Micro
2009-04-18 05:28 . 2009-04-18 05:28 -------- d-----w c:\documents and settings\Spook\Application Data\Armagetron
2009-04-15 16:51 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 16:51 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 16:51 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 16:51 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 16:51 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 16:51 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 16:51 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 16:51 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 16:51 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 16:50 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 16:50 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 04:54 . 2009-04-14 04:54 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Help
2009-04-12 02:27 . 2009-04-12 02:27 -------- d-----w c:\documents and settings\Spook\Application Data\DivX
2009-04-05 02:55 . 2009-04-05 02:55 -------- d-----w c:\documents and settings\Spook\Application Data\teamspeak2
2009-04-05 02:54 . 2009-04-05 02:54 -------- d-----w c:\program files\Teamspeak2_RC2
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\dllcache\usbaudio.sys
2009-04-05 02:54 . 2008-04-13 18:45 60032 ----a-w c:\windows\system32\drivers\USBAUDIO.sys
2009-03-31 20:45 . 2009-03-31 20:45 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-31 20:44 . 2009-03-31 20:44 -------- d-----w c:\documents and settings\Spook\Application Data\SPORE Creature Creator
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w C:\ProgramData
2009-03-31 20:14 . 2009-03-31 20:14 3858 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-03-31 20:14 . 2009-03-31 20:14 -------- d-----w c:\documents and settings\Spook\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 19:31 . 2008-08-04 05:43 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\DivX
2009-04-06 06:09 . 2009-04-06 06:09 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-05 02:53 . 2009-04-05 02:53 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Viewpoint
2009-03-26 05:02 . 2009-03-26 05:02 -------- d-----w c:\program files\Common Files\AOL
2009-03-26 05:01 . 2009-03-26 05:01 -------- d-----w c:\program files\AIM6
2009-03-21 02:02 . 2009-03-21 02:02 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-03-21 01:37 . 2009-03-21 01:37 -------- d-----w c:\program files\EA GAMES
2009-03-17 04:33 . 2009-03-10 04:49 35190 ----a-w c:\windows\scunin.dat
2009-03-17 04:33 . 2009-03-10 04:49 967 ----a-w c:\windows\ScUnin.pif
2009-03-17 04:33 . 2009-03-10 04:49 94208 ----a-w c:\windows\ScUnin.exe
2009-03-16 05:18 . 2006-06-01 20:59 84632 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViSplore
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\WinFlip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\TrueTransparency
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\VisualTooltip
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViStart
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\ViOrb
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Rainbar
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Styler
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\Vista Drive Icon
2009-03-16 05:15 . 2009-03-16 05:15 -------- d-----w c:\program files\LClock
2009-03-16 04:31 . 2009-03-16 04:31 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Microsoft
2009-03-16 04:28 . 2009-03-16 04:28 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-16 04:23 . 2009-03-16 04:23 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-11 21:17 . 2009-03-11 20:50 746 ----a-w c:\windows\eReg.dat
2009-03-11 20:49 . 2009-03-11 20:49 -------- d-----w c:\program files\Electronic Arts
2009-03-11 20:47 . 2009-03-11 20:47 -------- d-----w c:\program files\Maxis
2009-03-09 08:19 . 2008-12-10 21:24 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-24 19:35 . 2009-04-06 06:09 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-06 06:09 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-06 06:09 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-06 06:09 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-06 06:09 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:35 . 2005-05-12 21:54 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-15 15:29 . 2009-02-11 16:51 35391 ----a-w c:\windows\DIIUnin.dat
2009-02-15 15:28 . 2009-02-11 17:04 21840 ----a-w c:\windows\system32\SIntfNT.dll
2009-02-15 15:28 . 2009-02-11 17:04 17212 ----a-w c:\windows\system32\SIntf32.dll
2009-02-15 15:28 . 2009-02-11 17:04 12067 ----a-w c:\windows\system32\SIntf16.dll
2009-02-11 16:51 . 2009-02-11 16:51 94208 ----a-w c:\windows\DIIUnin.exe
2009-02-11 16:51 . 2009-02-11 16:51 2829 ----a-w c:\windows\DIIUnin.pif
2009-02-09 12:10 . 2004-08-10 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:03 . 2009-02-06 22:03 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 21:52 . 2009-02-06 21:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-10 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-10 23:00 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:01 . 2009-02-03 20:00 127 ----a-w c:\documents and settings\MCX1\Local Settings\Application Data\fusioncache.dat
2009-02-03 19:59 . 2004-08-10 23:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
2009-04-22 07:12 . 2009-04-22 07:12 90624 ----a-w c:\program files\mozilla firefox\components\WWShow.dll
2009-04-28 07:09 . 2009-04-28 07:09 211968 ----a-w c:\program files\mozilla firefox\components\dfff.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1423872 6A8B0B64F8D7EBEF70B16FF689C3C76D c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\VITrans\explorer.exe
[-] 2004-08-10 23:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-04-28_06.54.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_a8.dat
+ 2009-04-28 18:46 . 2009-04-28 18:46 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
+ 2009-04-28 18:45 . 2009-04-28 18:45 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ViStart"="c:\program files\ViStart\ViStart.exe" [2008-11-12 602112]
"TrueTransparency"="c:\program files\TrueTransparency\TrueTransparency.exe" [2008-06-25 372224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-04-14 53248]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-06-23 602112]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BDAgent"="c:\program files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 69632]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2008-05-21 451896]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"BDMCon"="c:\progra~1\Softwin\BITDEF~1\bdmcon.exe" [2007-04-02 290816]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-3-27 45056]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Spook^Start Menu^Programs^Startup^Adobe Media Player.lnk]
path=c:\documents and settings\Spook\Start Menu\Programs\Startup\Adobe Media Player.lnk
backup=c:\windows\pss\Adobe Media Player.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; [x]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\User_Feed_Synchronization-{6A6751F0-5C2A-427A-B368-B6246AD69287}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 05:01]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DigiFast - c:\documents and settings\Spook\Application Data\digifast\digifast.exe
HKCU-Run-SfKg6wIPuSpdc - c:\documents and settings\Spook\Application Data\Microsoft\Windows\xwujdx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Spook\Application Data\Mozilla\Firefox\Profiles\q0vhrz2h.default\
FF - component: c:\program files\Mozilla Firefox\components\dfff.dll
FF - component: c:\program files\Mozilla Firefox\components\WWShow.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 16:33
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
.
Completion time: 2009-04-28 16:35
ComboFix-quarantined-files.txt 2009-04-28 19:35
ComboFix2.txt 2009-04-28 18:50
ComboFix3.txt 2009-04-28 07:00

Pre-Run: 16,186,867,712 bytes free
Post-Run: 16,181,198,848 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
266 --- E O F --- 2009-04-16 07:33

Shaba
2009-04-28, 22:39
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

GirLovesWaffles
2009-04-28, 23:09
Halfway through updating Kaspersky it failed, and I'm going out for a while so I won't be back until tonight. I'll try it again later and if it doesn't work the second time, I'll let you know.

GirLovesWaffles
2009-04-29, 06:59
Took a very long time to complete that scan, about 2.5 hours actually. I had to go through it a few times because it wouldn't work properly on Firefox, had to use IE. But finally, here is the log.

Also, just as a note, there is a file called WWshow in my Program Files with a wwshow.dll file in it that was not there before.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 01:57:39
Records in database: 2088355
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 109048
Threat name: 12
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 02:43:33


File name / Threat name / Threats count
C:\WINDOWS\system32\viwc.exe Infected: Trojan.Win32.Agent2.cdb 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048904.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048918.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048920.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048921.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0048922.dll Infected: Trojan.Win32.Tdss.aald 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049936.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049962.exe Infected: Trojan.Win32.Agent.ccwx 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP168\A0049995.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050137.EXE Infected: Trojan-Downloader.Win32.Agent.bsdk 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050138.exe Infected: Trojan.Win32.Agent.ccwx 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050140.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP169\A0050141.dll Infected: not-a-virus:FraudTool.Win32.XPShield.o 1
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP170\A0050272.exe Infected: Trojan-Downloader.Win32.Agent.bozu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthknixshtprnyokvxvnpvjdlirmkoiwsji.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthauonskkcnoetlrcwtlmivxxqcwuulvdy.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthcddebeaamhbejcauvslgtheqrjliirac.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthsaxmhpkdatewcxjaqvunfpjilrnqplth.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\appmgmt\bdsm.dll.vir Infected: not-a-virus:FraudTool.Win32.XPShield.o 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prnet.tmp.vir Infected: Trojan.Win32.Agent.ccwg 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\664953284.exe.vir Infected: Trojan-Downloader.Win32.Suurch.oa 1
C:\Qoobox\Quarantine\C\WINDOWS\SysNotifier.exe.vir Infected: not-a-virus:FraudTool.Win32.XPShield.d 1
C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\pidle\pidle.exe.vir Infected: Trojan-Downloader.Win32.Agent.bsdk 1
C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.ccwx 1
C:\Qoobox\Quarantine\C\Documents and Settings\Spook\Application Data\digifast\digifast.exe.vir Infected: Trojan-Downloader.Win32.Agent.bozu 1

The selected area was scanned.



--------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:06 AM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maple Story\npkcmsvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ViStart\ViStart.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\GirLovesWaffles.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [TrueTransparency] "C:\Program Files\TrueTransparency\TrueTransparency.exe"
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Program Files\Maple Story\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8617 bytes

Shaba
2009-04-29, 07:14
Please scan this file next in jotti/virustotal and post back results:

C:\WINDOWS\system32\viwc.exe

GirLovesWaffles
2009-04-29, 07:47
We are onto something here!

CPsecure
Found Troj.W32.Agent2.cdb

Dr.Web
Found Tool.Prockill

F-Secure Anti-Virus
Found Trojan.Win32.Agent2.cdb

Kaspersky Anti-Virus
Found Trojan.Win32.Agent2.cdb

Quick Heal
Found Trojan.Agent2.cdb

Sophos Antivirus
Found Mal/Generic-A

VBA32
Found Trojan.Win32.Agent2.cdb

Shaba
2009-04-29, 08:26
Do you recognize that file?

I researched a bit and it might be part of the Vista Transformation Pack.

GirLovesWaffles
2009-04-29, 08:44
I did some looking around and found someone asking the same question, here is the reply they got:

"kay to clarify one final time. Its a false positive.

The files are not dangerous, when downloaded from an official source.

They will show up under a decent virus scanner as dangerous and generic trojans as they stop Windows processes and modify them, and modify dll files.

They don't harm the files, just modify them.

So again, one final time: There is no virus in the VTP pack when downloaded from an official source. Period."

I did download this from the official page of the program, and it's not given me any trouble since I got it a few months ago. I believe this file is okay.

GirLovesWaffles
2009-04-29, 08:53
As for your question, yes, it is part of the vista transformation pack and is marked as a trojan because it modifies windows files.

Shaba
2009-04-29, 09:00
Yes I think that as well.

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

GirLovesWaffles
2009-04-29, 09:13
Alright, qoobox quarantine is now completely empty. But what of all the things kaspersky found in system volume information?

GirLovesWaffles
2009-04-29, 09:17
In addition to that last reply, there is still a wwshow.dll file in a wwshow folder located in Program Files that I did not put there myself. I searched it up on Google and apparently it's a virus; should I just go ahead and delete that?

Shaba
2009-04-29, 09:55
Those will get deleted during final instructions.

The entire wwshow folder is bad, so delete the whole folder, not just the file.

Still some issues? :)

GirLovesWaffles
2009-04-29, 10:16
Just deleted the wwshow folder.

A lot of things have improved since we started, a great difference from what it was doing before. I'm no longer getting those DLL errors, and there are no longer any bubbles trying to make me install false antiviruses. My CPU is running at a normal rate; things aren't going slowly anymore. I'm also not getting the annoying popups that I would get even when not using the internet.

The only thing left is the occasional popup when I open my web browser, but it doesn't happen that often.

So what's left to do here?

Shaba
2009-04-29, 12:18
In which browser do those popups take place?

GirLovesWaffles
2009-04-29, 20:27
Actually, you know what? They're gone too! I guess deleting the files in quarantine must have fixed it. I just did a test by opening a whole lot of both IE and Firefox, and not ONE popup! :bigthumb:

Shaba
2009-04-29, 20:28
Great :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)", "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
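The hosts-file advice above works because the resolver consults the hosts file before DNS, so any name pinned to 127.0.0.1 (or 0.0.0.0) never reaches the real ad or malware host. The following is an added example, not code from the thread or from the MVPS project: it parses a hosts file in the MVPS layout (comments, several names per line) and reports which names are sinkholed, so you can verify what a replacement hosts file actually blocks before and after installing it. The sample hosts text and the example-ads hostnames are constructed for the demonstration; the system hosts path for Windows is the standard drivers\etc location.

```python
import ipaddress
import sys

# Constructed sample in the MVPS layout (not an excerpt of the real MVPS file):
# comments, the mandatory localhost line, and blocked names pointing at loopback
# or the 0.0.0.0 blackhole address, sometimes several names on one line.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.test   # sinkholed: resolves to this machine
0.0.0.0   banner.example-ads.test popup.example-ads.test
"""

# Addresses that turn a hosts entry into a block rather than a redirect.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def hosts_path():
    """Location of the live hosts file for the current OS."""
    if sys.platform == "win32":
        return r"C:\WINDOWS\system32\drivers\etc\hosts"
    return "/etc/hosts"


def parse_hosts(text):
    """Return {hostname: ip} for every name the resolver would honour."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed first field; the resolver skips it too
        for name in parts[1:]:
            table[name.lower()] = ip  # hostnames are case-insensitive
    return table


def is_sinkholed(table, hostname):
    """True when the hosts file pins hostname to a loopback/blackhole address."""
    ip = table.get(hostname.lower())
    return ip is not None and ip in BLACKHOLE


def sinkholed_names(table):
    """All blocked names, excluding the normal localhost entry."""
    return sorted(n for n, ip in table.items() if ip in BLACKHOLE and n != "localhost")


def load_system_hosts():
    """Parse the machine's own hosts file (read-only; nothing is modified)."""
    with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
        return parse_hosts(fh.read())


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in sinkholed_names(table):
        print("blocked:", name)
```

Run it against `load_system_hosts()` after installing the MVPS file to list everything it sinkholes; a name that is not in the table still goes out to DNS as usual, which is why the file only helps against hosts it already knows about.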
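The six Internet Explorer settings listed above are stored as per-user registry values under the Internet zone key, so they can be audited without clicking through the dialog. This is an added example, not code from the thread or from Microsoft: it compares the zone's current values with the recommendations in the post and reports every deviation. The hex value names and the 0/1/3 encoding for Enable/Prompt/Disable are assumed from the documented IE security-zone registry layout; the registry read only works on Windows, while the comparison itself runs anywhere on a constructed dictionary.

```python
import sys

# Per-user key for the "Internet" zone (zone 3). Assumed from the documented
# IE zone layout; the key name is not taken from the thread.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value name -> (dialog wording, recommended level from the post above).
# The hex value names are the assumed IE action identifiers for each setting.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current):
    """Compare {value_name: int} with RECOMMENDED.

    Returns a list of (value_name, description, current_label, wanted_label)
    for every setting that is missing or weaker/different than recommended.
    """
    findings = []
    for name, (desc, want) in RECOMMENDED.items():
        have = current.get(name)
        if have != want:
            have_label = LABEL.get(have, "unset" if have is None else str(have))
            findings.append((name, desc, have_label, LABEL[want]))
    return findings


def read_zone_from_registry(key_path=INTERNET_ZONE_KEY):
    """Read the current user's Internet zone values (Windows only, read-only)."""
    if sys.platform != "win32":
        raise OSError("IE zone settings live in the Windows registry")
    import winreg  # stdlib on Windows

    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        for name in RECOMMENDED:
            try:
                value, _kind = winreg.QueryValueEx(key, name)
                current[name] = value
            except FileNotFoundError:
                pass  # value absent: the zone falls back to its template default
    return current


if __name__ == "__main__":
    # Constructed snapshot standing in for a registry read on a non-Windows box.
    snapshot = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                "1800": PROMPT, "1804": PROMPT, "1607": ENABLE}
    for name, desc, have, want in audit_zone(snapshot):
        print(f"{name} {desc}: is {have}, should be {want}")
```

On the affected machine, `audit_zone(read_zone_from_registry())` returning an empty list confirms the dialog steps took effect; rerunning it after a reinstall or a browser update is a quick way to notice when the zone has been reset to its looser defaults.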

GirLovesWaffles
2009-04-29, 20:37
Thanks for all the help Shaba, I owe you one :laugh: :oreo::oreo::oreo:

I have just a few questions though before we finish:

1) Are we leaving the viruses in system volume information?

2) I'm interested in installing Comodo, but I already use BitDefender and TeaTimer. My BitDefender is a free edition, which basically means it contains no real-time defense; the only time it will get rid of things is after a scan. Will installing Comodo along with these things cause them all to work less effectively or slowly?

Shaba
2009-04-29, 20:40
1. No, they will go away with the System Restore flush.

2. No, but then I suggest that you switch BitDefender for something with real-time protection. I can give suggestions if you like?

GirLovesWaffles
2009-04-29, 20:43
Sure, I just like BitDefender for its massive database. I'm thinking of just going out and buying BitDefender + firewall, but that won't be for a little while, so for now I'm just sticking to free programs. I'm willing to get rid of it for the greater good :laugh:

So what do you recommend? And would I install Comodo alongside one of these programs, or not?

Shaba
2009-04-29, 20:48
Below are some free alternatives.

Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

GirLovesWaffles
2009-04-29, 20:52
All I can say is thank you; you and your team have helped me twice now and saved my computer from plundering into its doom.

I'll make a donation someday, you guys deserve it a lot. Free service isn't easy to come by, but the Spybot team is quick and precise, without asking for anything in return.

So thanks again, and keep up the good work :laugh::bigthumb::oreo:

Shaba
2009-05-01, 11:30
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.