
Thread: having problems removing virtumonde and smitfraud

  1. #1, Junior Member (joined Jul 2008, 10 posts)

    having problems removing virtumonde and smitfraud

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:13:53 AM, on 7/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\winself.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = By D&E Jazzd
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [bedpco] c:\windows\system32\bedpco.exe bedpco
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jsymkfol.dll",b
    O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\idulqtnq.dll",s
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7816] command /c del "C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5278] cmd /c del "C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3367] command /c del "C:\WINDOWS\SYSTEM32\cbXPgEtS.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8837] cmd /c del "C:\WINDOWS\SYSTEM32\cbXPgEtS.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB6276] command /c del "C:\WINDOWS\SYSTEM32\idulqtnq.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9475] cmd /c del "C:\WINDOWS\SYSTEM32\idulqtnq.dll_old"
    O4 - HKCU\..\Policies\Explorer\Run: [{8C5BD20D-0AE9-1033-0110-050412200001}] "C:\Program Files\Common Files\{8C5BD20D-0AE9-1033-0110-050412200001}\Update.exe" te-110-12-0000073
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {04CCFF26-7D52-4E42-BF6A-F8ECE0896EB7} - http://scripts.downloadv3.com/binari...SS_1071_XP.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/ga...amesLoader.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3DAD912E-D2B9-4323-B7C9-7F2C5CC0C57B} - http://scripts.downloadv3.com/binari...SS_1070_XP.cab
    O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - http://scripts.downloadv3.com/binari...SS_1074_XP.cab
    O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binari...SS_1068_XP.cab
    O16 - DPF: {BA749BC1-143E-430D-B1DA-1D2AF67A3658} - http://scripts.downloadv3.com/binari...SS_1069_XP.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {C2481ED1-9896-4D49-AE90-69858DFDE446} - http://scripts.downloadv3.com/binari...SS_1073_XP.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binari...SS_1067_XP.cab
    O16 - DPF: {EC4AFBF3-4540-4306-AF10-4CAC509EA16B} - http://scripts.downloadv3.com/binari..._ASPIV4_XP.cab
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O21 - SSODL: mszb32.dll - {B1F43681-88F8-FC7B-3582-4440AA32AC9C} - c:\windows\system32\mszb32.dll (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)

    --
    End of file - 10912 bytes
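The log above carries several of the indicators a reviewer looks for in a Virtumonde-style infection: an extra entry on the UserInit line (F2), Run values named with bare hex strings that launch rundll32 against a DLL through a one-letter export, a copy of svchost.exe living in C:\WINDOWS\Fonts, an SSODL entry pointing at a file that is already gone, and an "Unknown owner" service running straight out of C:\WINDOWS. The script below is an added example, not code from the forum post and not part of HijackThis, that turns those observations into triage heuristics and runs them over a handful of lines copied from the log. The rule set, the table of core binaries and their expected directories, and the function names are this example's own assumptions. It deliberately has no name-entropy rule, so an entry such as [bedpco] passes: a script like this orders a log for a human, it does not replace the review.

```python
"""Triage heuristics for HijackThis v2 log lines.

Added example (not from the forum post and not HijackThis code). The rule
set below is this example's own assumption about what merits a second look;
it is a reviewer aid, not a verdict.
"""
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uoyzsydz.exe,
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [bedpco] c:\windows\system32\bedpco.exe bedpco
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jsymkfol.dll",b
O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\idulqtnq.dll",s
O21 - SSODL: mszb32.dll - {B1F43681-88F8-FC7B-3582-4440AA32AC9C} - c:\windows\system32\mszb32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\winself.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Core binaries and the only directory they legitimately run from on XP
# (assumed single-drive install on C:; adjust for other layouts).
CORE_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# A quoted path, or an unquoted one that ends at a comma, quote or whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^",\s]+)')
# Run value names like 8c5bd2a2 or BM8f68e13e: machine-generated, not a product name.
HEX_VALUE_NAME = re.compile(r"(BM)?[0-9a-f]{8}")
# rundll32 "x.dll",b : a DLL invoked through a single-letter export.
RUNDLL_ONE_LETTER_EXPORT = re.compile(r'\.dll"?\s*,\s*[A-Za-z]\s*$')


def extract_paths(text):
    """Return every Windows path found in a log line fragment."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(text)]


def check_line(line):
    """Return the reasons a single HJT line deserves a look (empty list = nothing found)."""
    reasons = []
    kind, _, body = line.partition(" - ")
    kind = kind.strip()
    paths = extract_paths(body)

    # F2: UserInit should list userinit.exe and nothing else.
    if kind == "F2" and "UserInit=" in body:
        entries = [e.strip() for e in body.split("=", 1)[1].split(",") if e.strip()]
        extra = [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]
        if extra:
            reasons.append("UserInit hijack, extra entries: " + ", ".join(extra))

    # O4: autostart values with machine-generated names or rundll32 tricks.
    if kind == "O4":
        m = re.search(r"\[([^\]]+)\]", body)
        value_name = m.group(1) if m else ""
        if HEX_VALUE_NAME.fullmatch(value_name):
            reasons.append(f"Run value name '{value_name}' is a bare hex string")
        if re.search(r"\brundll32(\.exe)?\b", body, re.I) and RUNDLL_ONE_LETTER_EXPORT.search(body):
            reasons.append("rundll32 loads a DLL through a single-letter export")

    # Any section: a core binary name running from the wrong directory.
    for p in paths:
        base = ntpath.basename(p).lower()
        expected = CORE_BINARIES.get(base)
        actual = ntpath.dirname(p).lower()
        if expected and actual != expected:
            reasons.append(f"{base} running from {actual} instead of {expected}")

    # O23: service with no publisher string whose binary sits straight in %WINDIR%.
    if kind == "O23" and "Unknown owner" in body:
        for p in paths:
            if ntpath.dirname(p).lower() == r"c:\windows":
                reasons.append(f"unknown-owner service binary in WINDIR root: {p}")

    # O21: ShellServiceObjectDelayLoad entry whose DLL is already gone.
    if kind == "O21" and "(file missing)" in body:
        reasons.append("SSODL entry points at a missing file (orphaned loading point)")

    return reasons


def triage(log_text):
    """Run check_line over a whole log; return [(line, reasons)] for flagged lines only."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it flags six of the nine lines; the two clean O4 entries (igfxtray and bedpco) and the AVG service pass, which for bedpco is a false negative that only the ComboFix file listing later in the thread resolves. Every rule here is structural (wrong directory, orphaned loading point, suspicious launch syntax) rather than a filename blacklist, so it keeps working when the random DLL names change, as they do in this thread from one day to the next.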

  2. #2, Emeritus (joined Nov 2005, location @localhost, 6,066 posts)

    hi ghent52,

    OK, we will get two downloads to use. The first is SDFix, which runs in Safe Mode. The second is ComboFix. You can get them both at the same time; run SDFix first, followed by ComboFix.

    Links and directions:

    SDFix:

    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R...ools/SDFix.exe


    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    * Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    combofix:

    Download combofix from one of these links and save it to your Desktop:

    http://subs.geekstogo.com/ComboFix.exe
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Double click on ComboFix.exe and follow the prompts.
    When finished, it will produce a report for you.
    Please post C:\ComboFix.txt along with a new HijackThis log for further review.

    Note: Do not mouse-click ComboFix's window while it's running; that may cause it to stall or freeze.

    Post:
    * the SDFix log
    * the ComboFix log
    * a new HJT log

  3. #3, Junior Member (joined Jul 2008, 10 posts)

    Thanks for the response; here are the new reports.


    SDFix:
    SDFix: Version 1.209
    Run by Kel on Mon 07/28/2008 at 06:39 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\DOCUME~1\Kel\Desktop\SDFix

    Checking Services :

    Name :
    MsSecurity1.209.4

    Path :
    C:\WINDOWS\winself.exe service

    MsSecurity1.209.4 - Deleted



    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\cbXPgEtS.dll - Deleted
    C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
    C:\Temp\1cb\syscheck.log - Deleted
    C:\WINDOWS\astctl32.ocx - Deleted
    C:\WINDOWS\ctfmon32.exe - Deleted
    C:\WINDOWS\directx32.exe - Deleted
    C:\WINDOWS\dnsrelay.dll - Deleted
    C:\WINDOWS\explorer32.exe - Deleted
    C:\WINDOWS\funniest.exe - Deleted
    C:\WINDOWS\funny.exe - Deleted
    C:\WINDOWS\gfmnaaa.dll - Deleted
    C:\WINDOWS\helpcvs.exe - Deleted
    C:\WINDOWS\inetinf.exe - Deleted
    C:\WINDOWS\internet.exe - Deleted
    C:\WINDOWS\mainms.vpi - Deleted
    C:\WINDOWS\megavid.cdt - Deleted
    C:\WINDOWS\msspi.dll - Deleted
    C:\WINDOWS\mswsc10.dll - Deleted
    C:\WINDOWS\mswsc20.dll - Deleted
    C:\WINDOWS\muotr.so - Deleted
    C:\WINDOWS\quicken.exe - Deleted
    C:\WINDOWS\rundll32.vbe - Deleted
    C:\WINDOWS\searchword.dll - Deleted
    C:\WINDOWS\svcinit.exe - Deleted
    C:\WINDOWS\system32\hljwugsf.bin - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted
    C:\WINDOWS\time.exe - Deleted
    C:\WINDOWS\winself.exe - Deleted
    C:\WINDOWS\xplugin.dll - Deleted
    C:\WINDOWS\Fonts\*.zip - 1 File(s) 115,980 bytes - Deleted


    Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk

    Folder C:\Temp\1cb - Removed
    Folder C:\Temp\tn3 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-28 18:49:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:TaskPanl"
    "C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Disabled:America Online 9.0b"
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Disabled:AOLTopSpeed"
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Disabled:AOLTsMon"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Disabled:Yahoo! FT Server"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Disabled:Yahoo! Messenger"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
    "C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Disabled:avginet.exe"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Documents and Settings\\Kel\\Desktop\\aim.exe"="C:\\Documents and Settings\\Kel\\Desktop\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Enabled:America Online 9.0b"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files :

    C:\WINDOWS\system32\drivers\core.cache.dsk Found

    File Backups: - C:\DOCUME~1\Kel\Desktop\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
    Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
    Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
    Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
    Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
    Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
    Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
    Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
    Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
    Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
    Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
    Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
    Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
    Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
    Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
    Thu 20 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
    Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
    Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
    Wed 28 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
    Wed 28 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
    Wed 18 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
    Mon 2 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
    Mon 2 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
    Mon 2 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
    Mon 2 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
    Mon 2 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
    Mon 2 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
    Mon 2 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
    Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
    Wed 28 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
    Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
    Thu 20 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
    Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Fri 18 Jul 2008 706,136 A.SH. --- "C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp"
    Thu 21 Apr 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 22 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT21.tmp"
    Thu 21 Apr 2005 4,348 ...H. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv1key.bak"
    Tue 20 Sep 2005 20 A..H. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv1lic.bak"
    Thu 5 May 2005 312 A.SH. --- "C:\Documents and Settings\Kel\My Documents\My Music\License Backup\drmv2key.bak"

    Finished!
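The "Authorized Application Key Export" in the SDFix report above is the Windows XP SP2 firewall's inbound exception list, one block per profile, each value shaped as "path:scope:Enabled|Disabled:name". It is worth reading on a machine like this one: besides the expected messengers and P2P clients it allows inbound traffic to D:\Setup.exe and to an aim.exe sitting on the user's Desktop, both locations where nothing should be accepting connections. The script below is an added example, not from the forum post and not SDFix code, that parses that export format, keeps only the entries that are actually Enabled, and flags those whose binary lives outside Program Files or the Windows directory. The sample is a subset of the lines above; the %windir% expansion, the trusted-root list and the function names are this example's own assumptions for a default single-drive XP install.

```python
"""Review of a Windows XP firewall AuthorizedApplications export.

Added example: not from the forum post and not SDFix code. It parses the
REGEDIT4-style dump SDFix printed and lists the exceptions that are
actually Enabled, flagging any whose binary lives outside Program Files or
the Windows directory (user profile, desktop, another drive).
"""
import re

# Constructed sample: a subset of the lines from the SDFix report above.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"D:\\Setup.exe"="D:\\Setup.exe:*:Enabled:Setup"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Kel\\Desktop\\aim.exe"="C:\\Documents and Settings\\Kel\\Desktop\\aim.exe:*:Enabled:AOL Instant Messenger"
"""

WINDIR = r"C:\WINDOWS"  # assumption: default install location
# Directories a legitimately installed service binary is expected to live under (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

# [HKLM\...\firewallpolicy\<profile>\authorizedapplications\list]
SECTION_RE = re.compile(r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
# "key"="value" as written by REGEDIT4 exports
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]*)"$')


def parse_export(text):
    """Return one dict per exception: profile, path, scope, enabled, name."""
    profile = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            profile = sec.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if not m or profile is None:
            continue
        key, val = m.group("key"), m.group("val")
        # The value repeats the key, then ":scope:state:name"; skip anything else.
        if not val.startswith(key + ":"):
            continue
        scope, state, name = val[len(key) + 1:].split(":", 2)
        # Exports double every backslash; collapse them and expand %windir%.
        path = key.replace("\\\\", "\\").replace("%windir%", WINDIR)
        entries.append({
            "profile": profile,
            "path": path,
            "scope": scope,
            "enabled": state.lower() == "enabled",
            "name": name,
        })
    return entries


def review(text):
    """Return only the Enabled exceptions, each with an 'untrusted_location' flag."""
    out = []
    for e in parse_export(text):
        if not e["enabled"]:
            continue
        e["untrusted_location"] = not e["path"].lower().startswith(TRUSTED_ROOTS)
        out.append(e)
    return out


if __name__ == "__main__":
    for e in review(SAMPLE_EXPORT):
        flag = "  <-- outside Program Files / WINDIR" if e["untrusted_location"] else ""
        print(f"{e['profile']:16} {e['path']}  ({e['name']}){flag}")
```

Two caveats when reading the output. The location check is a weak signal on XP, where the interactive user is normally an administrator and an infection can drop its binary under Program Files as easily as anywhere else; it is there to surface the odd cases (another drive, the Desktop) that deserve a question. And the SP2 firewall filters inbound connections only, so this list says nothing about what the winself.exe service or the rundll32-loaded DLLs were sending out.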

  4. #4, Junior Member (joined Jul 2008, 10 posts)

    ComboFix:
    ComboFix 08-07-28.4 - Kel 2008-07-28 18:58:45.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -4:00]
    Running from: C:\Documents and Settings\Kel\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Common Files\{8C5BD~1
    C:\Program Files\outlook
    C:\WINDOWS\444.470
    C:\WINDOWS\BM8f68e13e.txt
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\Downloaded Program Files\egdaccess_aspiv4.inf
    C:\WINDOWS\Downloaded Program Files\sysiasvc32.inf
    C:\WINDOWS\msskinner
    C:\WINDOWS\pskt.ini
    c:\WINDOWS\SYSTEM32\bedpco.dat
    c:\WINDOWS\SYSTEM32\bedpco_nav.dat
    C:\WINDOWS\system32\bedpco_navps.dat
    C:\WINDOWS\system32\bljuwlfq.dll
    C:\WINDOWS\system32\CcIOVyay.ini
    C:\WINDOWS\SYSTEM32\CcIOVyay.ini2
    C:\WINDOWS\system32\drivers\TOSIDEE.sys
    C:\WINDOWS\SYSTEM32\eOoqBcfe.ini
    C:\WINDOWS\SYSTEM32\eOoqBcfe.ini2
    C:\WINDOWS\system32\fdecbbabbfb.dll
    C:\WINDOWS\system32\gbehtjfj.ini
    C:\WINDOWS\SYSTEM32\IjkTCcfe.ini
    C:\WINDOWS\SYSTEM32\IjkTCcfe.ini2
    C:\WINDOWS\SYSTEM32\jwvvvmpt.ini
    C:\WINDOWS\system32\lofkmysj.ini
    C:\WINDOWS\system32\luttencj.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\opuwts.dll
    C:\WINDOWS\SYSTEM32\qflwujlb.ini
    C:\WINDOWS\system32\qoMeEttt.dll
    C:\WINDOWS\system32\sjghrngc.dll
    C:\WINDOWS\system32\tnmqjavf.ini
    C:\WINDOWS\system32\tttEeMoq.ini
    C:\WINDOWS\SYSTEM32\tttEeMoq.ini2
    C:\WINDOWS\system32\ulovid.dll
    C:\WINDOWS\SYSTEM32\upyufycj.ini
    C:\WINDOWS\system32\wcbwqmjg.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TOSIDEE
    -------\Service_TOSIDEE


    ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))
    .

    2008-07-28 19:05 . 2008-07-28 19:05 294 ---hs---- C:\WINDOWS\SYSTEM32\upyufycj.ini
    2008-07-28 18:45 . 2008-07-28 18:45 167,976 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
    2008-07-28 18:30 . 2008-07-28 18:31 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-07-28 18:26 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
    2008-07-28 18:16 . 2008-07-28 18:16 83,456 --a------ C:\WINDOWS\SYSTEM32\jcyfuypu.dll
    2008-07-28 18:13 . 2008-07-28 18:13 105,472 --a------ C:\WINDOWS\SYSTEM32\vkfwpwge.dll
    2008-07-28 18:13 . 2008-07-28 18:13 105,472 --a------ C:\WINDOWS\SYSTEM32\grzmsq.dll
    2008-07-28 18:10 . 2008-07-28 18:10 91,648 --a------ C:\WINDOWS\SYSTEM32\tpmhokox.dll
    2008-07-27 23:01 . 2008-07-27 23:01 83,456 --a------ C:\WINDOWS\SYSTEM32\jfjthebg.dll
    2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\omycbutn.dll
    2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\ibxkzz.dll
    2008-07-27 01:06 . 2008-07-27 01:06 <DIR> d-------- C:\SIMEARTH
    2008-07-26 23:01 . 2008-07-26 23:02 83,456 --a------ C:\WINDOWS\SYSTEM32\jsymkfol.dll
    2008-07-26 22:58 . 2008-07-26 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\zovsgy.dll
    2008-07-26 22:58 . 2008-07-26 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\tcobkauo.dll
    2008-07-25 22:59 . 2008-07-25 22:59 83,456 --a------ C:\WINDOWS\SYSTEM32\fvajqmnt.dll
    2008-07-25 22:56 . 2008-07-25 22:56 105,472 --a------ C:\WINDOWS\SYSTEM32\wwmakw.dll
    2008-07-25 22:56 . 2008-07-25 22:56 105,472 --a------ C:\WINDOWS\SYSTEM32\vqiiqehb.dll
    2008-07-24 22:18 . 2008-07-24 22:18 83,456 --a------ C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
    2008-07-24 22:15 . 2008-07-24 22:15 105,472 --a------ C:\WINDOWS\SYSTEM32\rlryds.dll
    2008-07-24 22:15 . 2008-07-24 22:15 105,472 --a------ C:\WINDOWS\SYSTEM32\dkjdwham.dll
    2008-07-20 00:51 . 2008-07-20 00:52 1,160 --a------ C:\WINDOWS\mozver.dat
    2008-07-19 17:50 . 2008-07-19 17:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-19 17:50 . 2008-07-19 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 10:50 . 2008-07-19 10:50 <DIR> d-------- C:\Program Files\Windows Defender
    2008-07-19 03:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
    2008-07-19 02:58 . 2008-07-19 02:58 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-07-19 02:21 . 2008-07-19 19:48 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-19 01:59 . 2008-07-19 01:59 73 --a------ C:\WINDOWS\st_affiliate.ini
    2008-07-18 23:53 . 2008-07-18 23:53 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
    2008-07-18 03:14 . 2008-07-18 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-18 02:55 . 2008-07-18 02:55 706,136 --ahs---- C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
    2008-07-18 01:25 . 2008-07-28 16:57 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-07-18 01:22 . 2008-07-28 17:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
    2008-07-18 01:22 . 2008-07-18 21:37 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\AVGTOOLBAR
    2008-07-18 01:22 . 2008-07-18 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-18 01:22 . 2008-07-18 01:22 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
    2008-07-18 01:22 . 2008-07-18 01:22 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
    2008-07-17 22:25 . 2008-07-17 22:25 73 --a------ C:\WINDOWS\4173.bat
    2008-07-17 19:58 . 2008-07-20 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\6148
    2008-07-17 19:00 . 2008-07-17 19:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
    2008-07-17 18:59 . 2008-07-17 18:59 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK06
    2008-07-17 18:58 . 2008-07-17 22:25 121,344 --a------ C:\WINDOWS\task32.exe
    2008-07-17 18:58 . 2008-07-17 18:58 73 --a------ C:\WINDOWS\3586.bat
    2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\vdll
    2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\dv32
    2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\bin1
    2008-07-17 18:57 . 2008-07-18 00:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\BDE
    2008-07-17 18:57 . 2008-07-17 18:57 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK18
    2008-07-17 18:57 . 2008-07-17 18:58 <DIR> d-------- C:\TEMP\zpv201
    2008-07-17 16:36 . 2008-07-17 16:36 268 --ah----- C:\sqmdata00.sqm
    2008-07-17 16:36 . 2008-07-17 16:36 244 --ah----- C:\sqmnoopt00.sqm
    2008-07-17 13:07 . 2008-07-28 19:05 111,548 --a------ C:\WINDOWS\BM8f68e13e.xml
    2008-07-15 22:49 . 2008-07-15 22:49 32,768 --a------ C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
    2008-07-15 22:47 . 2008-07-15 22:47 32,768 --a------ C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
    2008-07-15 16:17 . 2008-07-15 16:17 <DIR> d-------- C:\Program Files\AVG
    2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
    2008-07-12 23:51 . 2008-07-12 23:51 <DIR> d-------- C:\Program Files\MSN Messenger
    2008-07-03 11:28 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
    2008-07-03 11:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-28 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
    2008-07-27 05:13 --------- d-----w C:\Program Files\Trend Micro
    2008-07-19 21:56 --------- d-----w C:\Program Files\Lavasoft
    2008-07-19 07:01 --------- d-----w C:\Program Files\Java
    2008-07-19 04:00 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-18 23:27 --------- d-----w C:\Program Files\Google
    2008-07-18 17:53 --------- d-----w C:\Program Files\D&E Jazzd Self-Repair Technician
    2008-07-18 07:15 --------- d-----w C:\Documents and Settings\Kel\Application Data\Lavasoft
    2008-07-18 05:48 --------- d-----w C:\Program Files\Freeciv-2.1.4-gtk2
    2008-07-18 05:47 --------- d-----w C:\Program Files\AntWar_at
    2008-07-15 20:33 --------- d-----w C:\Program Files\Viewpoint
    2008-07-15 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-13 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-26 06:57 --------- d-----w C:\Program Files\EACOM
    2008-06-26 06:55 --------- d-----w C:\Program Files\EA SPORTS
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53dd4007-9e10-458c-8735-b54c7115fcfc}]
    2008-07-28 18:13 105472 --a------ C:\WINDOWS\system32\grzmsq.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 11:48 26112]
    "HostManager"="C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 01:22 1232152]
    "8c5bd2a2"="C:\WINDOWS\system32\jcyfuypu.dll" [2008-07-28 18:16 83456]
    "BM8f68e13e"="C:\WINDOWS\system32\tpmhokox.dll" [2008-07-28 18:10 91648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 01:22]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 01:22]
    S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []
    S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-28 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{25D5FAE1-369F-4A14-9E58-17BC3A2486AC} - C:\WINDOWS\system32\efcBqoOe.dll
    BHO-{5681AA18-555F-4964-A661-E6F0EB82A812} - C:\WINDOWS\system32\efcCTkjI.dll
    BHO-{FECB8A9C-D65D-4998-BD3C-5398311A06E3} - C:\WINDOWS\system32\yayVOIcC.dll
    WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    HKCU-Run-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\ypager.exe
    HKCU-Run-BitTorrent - C:\Program Files\BitTorrent\bittorrent.exe
    SSODL-mszb32.dll-{B1F43681-88F8-FC7B-3582-4440AA32AC9C} - c:\windows\system32\mszb32.dll


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Local Page = \blank.htm
    R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
    R0 -: HKLM-Main,Local Page = \blank.htm
    R0 -: HKLM-Main,Start Page = hxxp://www.google.com
    R0 -: HKLM-Main,Window Title = By D&E Jazzd
    R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s
    O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 -: {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
    O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 -: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

    O16 -: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    C:\WINDOWS\Downloaded Program Files\OSDED4D.OSD
    C:\WINDOWS\Downloaded Program Files\InstallerControl.dll

    O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
    C:\WINDOWS\Downloaded Program Files\stg_drm.ocx

    O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
    C:\WINDOWS\Downloaded Program Files\armhelper.ocx

    O16 -: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - hxxp://static.35mb.com/applet/applet_o.cab
    C:\WINDOWS\Downloaded Program Files\applet.INF
    C:\WINDOWS\SYSTEM32\MSInet.ocx
    C:\WINDOWS\system32\MSSTKPRP.DLL
    C:\WINDOWS\system32\msvbvm60.dll
    C:\WINDOWS\system32\OLEAUT32.DLL
    C:\WINDOWS\system32\OLEPRO32.DLL
    C:\WINDOWS\system32\ASYCFILT.DLL
    C:\WINDOWS\system32\STDOLE2.TLB
    C:\WINDOWS\system32\COMCAT.DLL
    C:\WINDOWS\Downloaded Program Files\applet.ocx


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-28 19:05:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\SYSTEM32\WSCNTFY.EXE
    C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-07-28 19:13:05 - machine was rebooted [Kel]
    ComboFix-quarantined-files.txt 2008-07-28 23:12:41

    Pre-Run: 4,058,005,504 bytes free
    Post-Run: 4,150,808,576 bytes free

    258 --- E O F --- 2008-07-10 02:25:05

  5. #5 - Junior Member (Join Date: Jul 2008, Posts: 10)

    hijackthis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:21:17 PM, on 7/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: {cfcf5117-c45b-5378-c854-01e97004dd35} - {53dd4007-9e10-458c-8735-b54c7115fcfc} - C:\WINDOWS\system32\grzmsq.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jcyfuypu.dll",b
    O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\tpmhokox.dll",s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/ga...amesLoader.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)

    --
    End of file - 8845 bytes

  6. #6 - Emeritus (Join Date: Nov 2005, Location: @localhost, Posts: 6,066)


    Hi,

    OK, thanks for the info. You have quite a load. OK, we will use ComboFix again:

    Click Start, then Run, type Notepad and click OK.
    Copy/paste the text in the code box below into Notepad:


    Code:
    File::
    C:\WINDOWS\SYSTEM32\upyufycj.ini
    C:\WINDOWS\SYSTEM32\jcyfuypu.dll
    C:\WINDOWS\SYSTEM32\vkfwpwge.dll
    C:\WINDOWS\SYSTEM32\grzmsq.dll
    C:\WINDOWS\SYSTEM32\tpmhokox.dll
    C:\WINDOWS\SYSTEM32\jfjthebg.dll
    C:\WINDOWS\SYSTEM32\omycbutn.dll
    C:\WINDOWS\SYSTEM32\ibxkzz.dll
    C:\WINDOWS\SYSTEM32\jsymkfol.dll
    C:\WINDOWS\SYSTEM32\zovsgy.dll
    C:\WINDOWS\SYSTEM32\tcobkauo.dll
    C:\WINDOWS\SYSTEM32\fvajqmnt.dll
    C:\WINDOWS\SYSTEM32\wwmakw.dll
    C:\WINDOWS\SYSTEM32\vqiiqehb.dll
    C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
    C:\WINDOWS\SYSTEM32\rlryds.dll
    C:\WINDOWS\SYSTEM32\dkjdwham.dll
    C:\WINDOWS\mozver.dat
    C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\task32.exe
    C:\WINDOWS\4173.bat
    C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
    C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
    
    Folder::
    C:\WINDOWS\SYSTEM32\aumsDK18
    C:\WINDOWS\SYSTEM32\dv32
    C:\WINDOWS\SYSTEM32\vdll
    C:\WINDOWS\SYSTEM32\bin1
    C:\TEMP\zpv201
    C:\WINDOWS\SYSTEM32\BDE
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "8c5bd2a2"="-
    "BM8f68e13e"="-

    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
    Please post the new ComboFix log and a new HJT log.
    --------------------------------------------------------
    We will get another download to use also: Malwarebytes. Link and directions:

    Please download Malwarebytes' Anti-Malware to your desktop:

    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt


    After the above, please post the new ComboFix log, the Malwarebytes log and, last, rescan and post a new HJT log.
    How Can I Reduce My Risk?
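    A cross-check a helper can run before posting a script like the one above, as an added example that is not ComboFix, HijackThis or the poster's own code: it parses the File::/Folder::/Registry:: sections of a CFScript and the O2 (BHO) and O4 (Run) lines of a HijackThis log, then reports which loading points the script removes (file, folder, Run value, or both) and which it leaves untouched. The section layout and line shapes are assumed from the posts in this thread; the sample inputs are constructed from them.

```python
"""Cross-check a ComboFix CFScript against HijackThis O2/O4 loading points.
Added example for this thread, not ComboFix, HijackThis or helper code; the
CFScript layout and O2/O4 line shapes are assumed from the posts above.
"""
import re
from typing import Dict, List, Set, Tuple

# First Windows path in a command line, quoted or not, up to its extension.
_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)", re.IGNORECASE)
_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
_O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample: an abbreviated copy of the CFScript posted above.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\jcyfuypu.dll
C:\WINDOWS\SYSTEM32\grzmsq.dll
C:\WINDOWS\SYSTEM32\tpmhokox.dll

Folder::
C:\WINDOWS\SYSTEM32\aumsDK18

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8c5bd2a2"="-
"BM8f68e13e"="-
"""

# Constructed sample: O2/O4 lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""O2 - BHO: {cfcf5117-c45b-5378-c854-01e97004dd35} - {53dd4007-9e10-458c-8735-b54c7115fcfc} - C:\WINDOWS\system32\grzmsq.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [8c5bd2a2] rundll32.exe "C:\WINDOWS\system32\jcyfuypu.dll",b
O4 - HKLM\..\Run: [BM8f68e13e] Rundll32.exe "C:\WINDOWS\system32\tpmhokox.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_cfscript(text: str) -> Tuple[Set[str], Set[str], Set[Tuple[str, str]]]:
    """Return lower-cased (files, folders, run_values); run_values are
    (hive, value) pairs deleted under a Run key, in either =- or ="- form."""
    files, folders, run_values = set(), set(), set()
    section, hive, is_run = None, None, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):                    # section header, e.g. File::
            section = line[:-2].lower()
        elif section == "file":
            files.add(line.lower())
        elif section == "folder":
            folders.add(line.lower().rstrip("\\"))
        elif section == "registry" and line.startswith("["):
            key = line.strip("[]")                 # [HKEY_...\CurrentVersion\Run]
            hive = _HIVES.get(key.split("\\", 1)[0])
            is_run = key.lower().endswith("\\run")
        elif section == "registry":
            m = re.match(r'^"([^"]+)"="?-', line)  # value deletion line
            if m and hive and is_run:
                run_values.add((hive, m.group(1).lower()))
    return files, folders, run_values


def parse_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (label, hive, path) per O4 Run / O2 BHO line; O2 has no hive."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = _O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            p = _PATH_RE.search(cmd)               # skips a rundll32.exe host
            entries.append((name, hive, p.group(0).lower() if p else ""))
            continue
        m = _O2_RE.match(line)
        if m:
            entries.append((m.group(1), "", m.group(2).strip().lower()))
    return entries


def check_coverage(cfscript: str, hjt_log: str) -> Dict[str, str]:
    """Map each loading-point label to "file", "folder", "registry",
    "file+registry" or "not covered", depending on what the script removes."""
    files, folders, run_values = parse_cfscript(cfscript)
    report = {}
    for label, hive, path in parse_hjt(hjt_log):
        parts = []
        if path in files:
            parts.append("file")
        elif any(path.startswith(f + "\\") for f in folders):
            parts.append("folder")
        if hive and (hive, label.lower()) in run_values:
            parts.append("registry")
        report[label] = "+".join(parts) or "not covered"
    return report


if __name__ == "__main__":
    for label, status in check_coverage(SAMPLE_CFSCRIPT, SAMPLE_HJT).items():
        print(f"{label:42} {status}")
```

    Entries reported as "not covered" are either legitimate (AVG, ctfmon.exe here) or a gap in the script; a path the script deletes only inside a listed folder shows as "folder".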

  7. #7 - Junior Member (Join Date: Jul 2008, Posts: 10)

    combofix:

    ComboFix 08-07-28.4 - Kel 2008-07-28 21:07:46.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.160 [GMT -4:00]
    Running from: C:\Documents and Settings\Kel\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Kel\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\4173.bat
    C:\WINDOWS\mozver.dat
    C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
    C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
    C:\WINDOWS\SYSTEM32\dkjdwham.dll
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\SYSTEM32\fvajqmnt.dll
    C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
    C:\WINDOWS\SYSTEM32\grzmsq.dll
    C:\WINDOWS\SYSTEM32\ibxkzz.dl
    C:\WINDOWS\SYSTEM32\jcyfuypu.dll
    C:\WINDOWS\SYSTEM32\jfjthebg.dll
    C:\WINDOWS\SYSTEM32\jsymkfol.dll
    C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
    C:\WINDOWS\SYSTEM32\omycbutn.dll
    C:\WINDOWS\SYSTEM32\rlryds.dll
    C:\WINDOWS\SYSTEM32\tcobkauo.dll
    C:\WINDOWS\SYSTEM32\tpmhokox.dll
    C:\WINDOWS\SYSTEM32\upyufycj.ini
    C:\WINDOWS\SYSTEM32\vkfwpwge.dll
    C:\WINDOWS\SYSTEM32\vqiiqehb.dll
    C:\WINDOWS\SYSTEM32\wwmakw.dll
    C:\WINDOWS\SYSTEM32\zovsgy.dll
    C:\WINDOWS\task32.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\TEMP\zpv201
    C:\TEMP\zpv201\chckNB2.log
    C:\WINDOWS\4173.bat
    C:\WINDOWS\mozver.dat
    C:\WINDOWS\SYSTEM32\aumsDK06\aumsDK061083.exe
    C:\WINDOWS\SYSTEM32\aumsDK18
    C:\WINDOWS\SYSTEM32\aumsDK18\aumsDK182328.exe
    C:\WINDOWS\SYSTEM32\BDE
    C:\WINDOWS\SYSTEM32\bin1
    C:\WINDOWS\SYSTEM32\bin1\tocoDB3.exe
    C:\WINDOWS\SYSTEM32\dkjdwham.dll
    C:\WINDOWS\SYSTEM32\dv32
    C:\WINDOWS\SYSTEM32\dv32\LKremp43.exe
    C:\WINDOWS\SYSTEM32\fvajqmnt.dll
    C:\WINDOWS\SYSTEM32\gjmqwbcw.dll
    C:\WINDOWS\SYSTEM32\grzmsq.dll
    C:\WINDOWS\SYSTEM32\jcyfuypu.dll
    C:\WINDOWS\SYSTEM32\jfjthebg.dll
    C:\WINDOWS\SYSTEM32\jsymkfol.dll
    C:\WINDOWS\SYSTEM32\jwvvvmpt.tmp
    C:\WINDOWS\SYSTEM32\omycbutn.dll
    C:\WINDOWS\SYSTEM32\rlryds.dll
    C:\WINDOWS\SYSTEM32\tcobkauo.dll
    C:\WINDOWS\SYSTEM32\upyufycj.ini
    C:\WINDOWS\SYSTEM32\vdll
    C:\WINDOWS\SYSTEM32\vdll\shotrem3.exe
    C:\WINDOWS\SYSTEM32\vkfwpwge.dll
    C:\WINDOWS\SYSTEM32\vqiiqehb.dll
    C:\WINDOWS\SYSTEM32\wwmakw.dll
    C:\WINDOWS\SYSTEM32\zovsgy.dll
    C:\WINDOWS\task32.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-29 )))))))))))))))))))))))))))))))
    .

    2008-07-28 21:04 . 2008-07-28 21:04 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\Malwarebytes
    2008-07-28 21:03 . 2008-07-28 21:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-28 21:03 . 2008-07-28 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-28 21:03 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
    2008-07-28 21:03 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
    2008-07-28 18:30 . 2008-07-28 18:31 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-07-28 18:26 . 2008-07-28 00:39 <DIR> d-------- C:\SDFix
    2008-07-28 18:10 . 2008-07-28 18:10 91,648 --------- C:\WINDOWS\SYSTEM32\tpmhokox.dll_old
    2008-07-27 22:58 . 2008-07-27 22:58 105,472 --a------ C:\WINDOWS\SYSTEM32\ibxkzz.dll
    2008-07-27 01:06 . 2008-07-27 01:06 <DIR> d-------- C:\SIMEARTH
    2008-07-19 17:50 . 2008-07-19 17:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-19 17:50 . 2008-07-19 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-19 10:50 . 2008-07-19 10:50 <DIR> d-------- C:\Program Files\Windows Defender
    2008-07-19 03:01 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
    2008-07-19 02:58 . 2008-07-19 02:58 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-07-19 02:21 . 2008-07-19 19:48 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-07-19 01:59 . 2008-07-19 01:59 73 --a------ C:\WINDOWS\st_affiliate.ini
    2008-07-18 23:53 . 2008-07-18 23:53 230 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.inf
    2008-07-18 03:14 . 2008-07-18 03:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-18 01:25 . 2008-07-28 19:26 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-07-18 01:22 . 2008-07-28 17:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\Avg
    2008-07-18 01:22 . 2008-07-18 21:37 <DIR> d-------- C:\Documents and Settings\Kel\Application Data\AVGTOOLBAR
    2008-07-18 01:22 . 2008-07-18 01:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-18 01:22 . 2008-07-18 01:22 96,520 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgldx86.sys
    2008-07-18 01:22 . 2008-07-18 01:22 10,520 --a------ C:\WINDOWS\SYSTEM32\avgrsstx.dll
    2008-07-17 19:58 . 2008-07-20 17:04 <DIR> d-------- C:\WINDOWS\SYSTEM32\6148
    2008-07-17 19:00 . 2008-07-17 19:00 <DIR> d--hs---- C:\Documents and Settings\LocalService\UserData
    2008-07-17 18:59 . 2008-07-28 21:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\aumsDK06
    2008-07-17 18:58 . 2008-07-17 18:58 73 --a------ C:\WINDOWS\3586.bat
    2008-07-17 16:36 . 2008-07-17 16:36 268 --ah----- C:\sqmdata00.sqm
    2008-07-17 16:36 . 2008-07-17 16:36 244 --ah----- C:\sqmnoopt00.sqm
    2008-07-17 13:07 . 2008-07-28 20:30 111,548 --a------ C:\WINDOWS\BM8f68e13e.xml
    2008-07-15 16:17 . 2008-07-15 16:17 <DIR> d-------- C:\Program Files\AVG
    2008-07-14 01:53 . 2008-07-14 01:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FunGames
    2008-07-12 23:51 . 2008-07-12 23:51 <DIR> d-------- C:\Program Files\MSN Messenger
    2008-07-03 11:28 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
    2008-07-03 11:28 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-29 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
    2008-07-27 05:13 --------- d-----w C:\Program Files\Trend Micro
    2008-07-19 21:56 --------- d-----w C:\Program Files\Lavasoft
    2008-07-19 07:01 --------- d-----w C:\Program Files\Java
    2008-07-19 04:00 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-18 23:27 --------- d-----w C:\Program Files\Google
    2008-07-18 17:53 --------- d-----w C:\Program Files\D&E Jazzd Self-Repair Technician
    2008-07-18 07:15 --------- d-----w C:\Documents and Settings\Kel\Application Data\Lavasoft
    2008-07-18 05:48 --------- d-----w C:\Program Files\Freeciv-2.1.4-gtk2
    2008-07-18 05:47 --------- d-----w C:\Program Files\AntWar_at
    2008-07-15 20:33 --------- d-----w C:\Program Files\Viewpoint
    2008-07-15 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-07-13 06:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-06-26 06:57 --------- d-----w C:\Program Files\EACOM
    2008-06-26 06:55 --------- d-----w C:\Program Files\EA SPORTS
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
    2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 10:44 138,368 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
    2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
    2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
    2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-28_19.11.45.51 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-09-14 08:39:49 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
    + 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
    - 2006-09-14 08:39:49 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
    + 2008-04-21 07:03:56 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
    - 2006-09-14 08:39:50 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
    + 2008-04-21 07:03:57 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
    - 2006-09-14 08:39:49 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
    + 2008-04-21 07:03:56 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
    - 2006-09-14 08:39:49 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
    + 2008-04-21 07:03:56 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
    - 2006-09-14 08:39:50 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
    + 2008-04-21 07:03:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
    - 2006-09-14 08:39:50 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    + 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
    - 2006-09-14 08:39:50 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    + 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
    - 2006-09-14 08:39:50 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    + 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
    - 2006-09-13 08:52:55 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    + 2008-04-17 10:52:54 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
    - 2006-09-14 08:39:50 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
    + 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
    - 2006-09-14 08:39:50 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
    + 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
    - 2006-09-14 08:39:50 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    + 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
    - 2006-09-14 08:39:52 3,054,592 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    + 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
    - 2006-09-14 08:39:53 448,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    + 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
    - 2006-09-14 08:39:53 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    + 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
    - 2006-09-14 08:39:53 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    + 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
    - 2006-09-14 08:39:53 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    + 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
    - 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
    + 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
    - 2006-09-14 08:39:54 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
    + 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
    - 2006-09-14 08:39:55 613,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    + 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
    - 2006-09-14 08:39:55 658,944 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    + 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
    - 2006-09-14 08:39:50 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
    + 2008-04-21 07:03:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
    - 2006-09-14 08:39:50 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
    + 2008-04-21 07:03:57 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
    - 2006-09-14 08:39:50 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
    + 2008-04-21 07:03:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\extmgr.dll
    - 2006-09-14 08:39:50 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
    + 2008-04-21 07:03:58 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
    - 2006-09-14 08:39:50 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
    + 2008-04-21 07:03:58 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
    - 2006-09-14 08:39:50 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
    + 2008-04-21 07:03:58 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
    - 2006-09-14 08:39:52 3,054,592 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
    + 2008-04-21 07:03:59 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
    - 2006-09-14 08:39:53 448,512 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
    + 2008-04-21 07:03:59 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
    - 2006-09-14 08:39:53 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
    + 2008-04-21 07:03:59 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
    - 2006-09-14 08:39:53 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
    + 2008-04-21 07:03:59 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
    - 2006-09-14 08:39:53 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
    + 2008-04-21 07:03:59 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
    - 2006-09-04 06:08:01 1,494,016 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
    + 2008-04-21 07:04:00 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
    - 2006-09-14 08:39:54 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
    + 2008-04-21 07:04:00 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
    - 2006-09-14 08:39:55 613,888 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
    + 2008-04-21 07:04:00 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
    - 2006-09-14 08:39:55 658,944 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    + 2008-04-21 07:04:00 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
    - 2007-10-29 10:04:03 350,720 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
    + 2008-04-17 10:37:04 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "SpybotDeletingB2362"="command" [X]
    "SpybotDeletingD3734"="del" [X]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 03:01 110592]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 11:48 26112]
    "HostManager"="C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe" [2006-05-09 20:24 50760]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50 114688]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-10-31 11:05 278528]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-10-31 11:18 101888]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-18 01:22 1232152]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2004-08-04 07:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\AIM\\aim.exe"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1139686249\\ee\\aim6.exe"=
    "C:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-18 01:22]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-18 01:22]
    S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []
    S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job
    - C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-8c5bd2a2 - C:\WINDOWS\system32\jcyfuypu.dll
    HKLM-Run-BM8f68e13e - C:\WINDOWS\system32\tpmhokox.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-28 21:10:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-28 21:12:28
    ComboFix-quarantined-files.txt 2008-07-29 01:12:09
    ComboFix2.txt 2008-07-28 23:13:06

    Pre-Run: 4,033,568,768 bytes free
    Post-Run: 4,007,632,896 bytes free

    289 --- E O F --- 2008-07-29 00:11:19

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Posts
    10

    Default

    malwarebytes:


    Malwarebytes' Anti-Malware 1.23
    Database version: 1004
    Windows 5.1.2600 Service Pack 2

    9:55:35 PM 7/28/2008
    mbam-log-7-28-2008 (21-55-35).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 85876
    Time elapsed: 37 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 13
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\ppo.ob (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ppo.ob.1 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{587097ab-a686-4c3b-83a7-2b8e2d47868e} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{5f2b8ee3-5b51-4424-a4bd-6c0595c40007} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlayRPC (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\444.470.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fdecbbabbfb.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bin1\tocoDB3.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vdll\shotrem3.exe.vir (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1162\A0142618.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1165\A0142852.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1165\A0142854.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM8f68e13e.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\BM8f68e13e.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    10

    Default

    HJT:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:58:53 PM, on 7/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139686249\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gamesville.worldwinner.com/ga...amesLoader.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47...familyfeud.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} - http://static.35mb.com/applet/applet_o.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 8183 bytes
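As an added example (not code from this thread, from HijackThis or from ComboFix), a small Python triage script that applies the first-pass heuristics a helper uses when reading the entries above: binaries launching from a Temp directory, entries whose file is missing, services for which ComboFix recorded no file details, service binaries sitting directly in C:\WINDOWS, and random eight-letter DLL names like the orphaned Run entries. The sample lines are copied from the logs in this thread; the heuristics and function names are my own.

```python
import re

# Constructed sample input: entries copied from the HijackThis and ComboFix logs
# posted in this thread, with two clean AVG entries as controls.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kel\Local Settings\Temp\{0EB6FF53-8AE8-4A4C-A157-27F0368B225D}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe",
    r"O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)",
    r"S2 PlugPlayRPC;Plug and Play (RPC);C:\WINDOWS\portsv.exe service []",
    r"S3 adxapie;adxapie;C:\DOCUME~1\Kel\LOCALS~1\Temp\adxapie.sys []",
    r"HKLM-Run-8c5bd2a2 - C:\WINDOWS\system32\jcyfuypu.dll",
]

# First Windows path on the line that ends in an executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]();]+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)
# HijackThis O23 service lines and ComboFix R0-R4/S0-S4 service/driver lines.
SERVICE_RE = re.compile(r"^(?:O23 - Service:|[RS][0-4] )")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def triage_line(line):
    """Return the reasons an autostart/service entry deserves a second look.

    An empty list means no heuristic fired; it is not a clean bill of health.
    """
    line = line.strip()
    reasons = []
    match = PATH_RE.search(line)
    if not match:
        return reasons
    path = match.group(0)
    basename = path.rsplit("\\", 1)[-1].lower()
    if TEMP_RE.search(path):
        reasons.append("runs from a Temp directory")
    if "(file missing)" in line.lower():
        reasons.append("HijackThis found no file at the registered path")
    if re.search(r"\[\]$", line):
        reasons.append("ComboFix recorded no file details for this service")
    if SERVICE_RE.match(line) and re.fullmatch(r"c:\\windows\\[^\\]+", path.lower()):
        reasons.append("service binary sits directly in C:\\WINDOWS instead of system32")
    # Noisy heuristic: legitimate names such as avgrsstx.dll also have eight
    # letters, so this is a prompt to look closer, not a verdict.
    if RANDOM_DLL_RE.match(basename):
        reasons.append("eight-letter random-looking DLL name, like the orphaned Run entries")
    return reasons


def triage_log(lines):
    """Map each flagged line to its reasons; lines with no findings are omitted."""
    findings = {}
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LINES).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```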

  10. #10
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    Default

    Hi,

    OK, good, thanks for the info. We will use ComboFix again. I left the extra l off by mistake (ibxkzz.dl).


    Just like last time:

    Click Start, then Run, type Notepad and click OK.
    Copy/paste the text in the code box below into Notepad:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\ibxkzz.dll
    Name the Notepad file CFScript.txt and save it to your desktop.
    Now locate the file you just saved and the ComboFix icon.
    Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.

    Rerun Spybot now and see how it all looks on your end.
    How Can I Reduce My Risk?
