
Thread: Combofix Report

  1. #1
    Junior Member (Join Date: Nov 2008, Posts: 23)

    Combofix Report

    I'm totally new at this. Please advise what I should do. I've run Spybot and it finds this stuff, removes it BUT then it comes right back.

    Here's my ComboFix report, would someone please advise me on my next step?

    ComboFix 08-11-05.02 - lwilson 2008-11-06 17:00:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1169 [GMT -6:00]
    Running from: c:\documents and settings\lwilson.INTERNAL\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\lwilson.INTERNAL\Application Data\gadcom
    c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe
    c:\documents and settings\lwilson.INTERNAL\Favorites\Videos.url
    c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_bg_popup.gif
    c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\AlxRes_dll_IMAGE_window_sliver.gif
    c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\CPV.stt
    c:\documents and settings\lwilson.INTERNAL\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\alexa toolbar
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\bszip.dll
    c:\windows\system32\djsfxudb.dll
    c:\windows\system32\efcBTlMe.dll
    c:\windows\system32\efcBtUom.dll
    c:\windows\system32\iifcDvuS.dll
    c:\windows\system32\jqrugf.dll
    c:\windows\system32\kahkcvyl.dll
    c:\windows\system32\kr_done1
    c:\windows\system32\lkjloUtv.ini
    c:\windows\system32\lkjloUtv.ini2
    c:\windows\system32\mcggwt.dll
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\MSINET.oca
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\tfrxupqn.dll
    c:\windows\system32\trcack.dll
    c:\windows\system32\urqOHWNH.dll
    c:\windows\system32\vtUoljkl.dll
    c:\windows\Tasks\guwcvfwr.job
    c:\windows\Tasks\vwcevndk.job

    ----- BITS: Possible infected sites -----

    hxxp://kakoitodomen.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
    .

    2008-11-06 09:23 . 2008-11-06 09:23 20,992 --ahs---- c:\windows\system32\c007E93E.mat
    2008-11-05 10:47 . 2008-11-05 10:47 20,992 --ahs---- c:\windows\system32\c00D94B4.mat
    2008-11-04 17:35 . 2008-11-04 17:35 20,992 --ahs---- c:\windows\system32\c00FD544.mat
    2008-11-04 16:40 . 2008-11-04 16:40 60,928 --ahs---- c:\windows\system32\efcBqNGy.dll
    2008-11-04 16:08 . 2008-11-06 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-04 16:08 . 2008-11-04 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-04 15:21 . 2008-11-04 15:22 <DIR> d-------- c:\program files\NoAdware
    2008-11-03 10:21 . 2008-11-03 10:21 20,992 --ahs---- c:\windows\system32\c00F9D63.mat
    2008-11-02 23:11 . 2008-11-02 23:11 20,992 --ahs---- c:\windows\system32\c0015819.mat
    2008-11-02 23:00 . 2008-11-02 23:00 20,992 --ahs---- c:\windows\system32\c008195E.mat
    2008-11-02 11:25 . 2008-11-02 11:25 20,992 --ahs---- c:\windows\system32\c00E8919.mat
    2008-11-01 09:45 . 2008-11-01 09:45 20,992 --ahs---- c:\windows\system32\c00F682D.mat
    2008-10-31 17:49 . 2008-10-31 17:49 20,992 --ahs---- c:\windows\system32\c002FAE.mat
    2008-10-31 17:46 . 2008-11-01 13:59 <DIR> d-------- c:\windows\system32\QI19
    2008-10-31 17:46 . 2008-10-31 17:46 <DIR> d-------- c:\temp\NT32
    2008-10-31 17:46 . 2008-10-31 17:46 60,928 --ahs---- c:\windows\system32\jkkHXPHy.dll
    2008-10-31 17:46 . 2008-10-31 17:46 34,816 --a------ c:\windows\system32\prun.exe
    2008-10-27 07:10 . 2008-10-27 07:10 <DIR> d-------- c:\program files\DVDx
    2008-10-26 17:18 . 2008-11-04 21:50 54,156 --ah----- c:\windows\QTFont.qfn
    2008-10-26 17:18 . 2008-10-26 17:18 1,409 --a------ c:\windows\QTFont.for
    2008-10-25 10:09 . 2008-11-03 10:32 <DIR> d-------- C:\Temp
    2008-10-25 10:09 . 2008-10-25 10:09 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Sierra Wireless
    2008-10-25 10:08 . 2004-07-21 10:40 17,920 --a------ c:\windows\system32\apintfnt.dll
    2008-10-25 10:06 . 2008-10-25 10:06 <DIR> d-------- c:\windows\SierraWireless3.5.4.1
    2008-10-24 12:46 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
    2008-10-16 15:25 . 2008-10-16 15:25 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\HP
    2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
    2008-10-16 15:25 . 2007-10-25 09:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
    2008-10-16 15:24 . 2008-10-16 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-10-16 15:24 . 2007-10-25 09:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
    2008-10-16 15:24 . 2007-10-25 09:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
    2008-10-16 15:24 . 2007-10-25 09:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
    2008-10-16 15:24 . 2007-10-25 09:38 309,760 -ra------ c:\windows\system32\difxapi.dll
    2008-10-16 15:24 . 2007-10-25 09:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
    2008-10-16 15:24 . 2007-10-25 09:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
    2008-10-16 15:24 . 2007-10-29 16:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
    2008-10-16 15:24 . 2007-10-25 09:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
    2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\program files\Common Files\HP
    2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
    2008-10-15 09:03 . 2008-10-15 09:03 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\windows\zhenghe2
    2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\program files\HP
    2008-10-15 08:53 . 2008-10-16 15:27 144,681 --a------ c:\windows\hpwins16.dat
    2008-10-15 08:36 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
    2008-10-15 08:36 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
    2008-10-15 08:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-15 08:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-15 08:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-15 08:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-06 17:08 --------- d-----w c:\program files\Windows Live Safety Center
    2008-10-25 16:08 --------- d-----w c:\program files\Sierra Wireless
    2008-10-21 19:10 --------- d-----w c:\program files\Celtx
    2008-10-20 00:10 --------- d-----w c:\program files\Norton Security Scan
    2008-10-20 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-16 06:13 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Skype
    2008-09-23 20:05 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Greyfirst
    2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
    2007-12-07 18:02 36,640 ----a-w c:\documents and settings\lwilson.INTERNAL\Application Data\GDIPFONTCACHEV1.DAT
    2007-08-15 22:08 56,912 ----a-w c:\documents and settings\lwilson.INTERNAL\g2mdlhlpx.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]
    "Google Update"="c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
    "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-08 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-14 24576]
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-01 303104]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "DisablePersonalDirChange"= 1 (0x1)
    "Intellimenus"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
    2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=mcggwt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=PushPrinterConnections.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1120\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1145\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1251\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R3 swmsflt;swmsflt;c:\windows\system32\drivers\swmsflt.sys [2007-08-10 24456]
    S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2001-01-07 15576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

    2008-11-06 c:\windows\Tasks\Disk Defragmenter.job
    - c:\windows\system32\defrag.exe [2008-04-13 18:12]

    2008-11-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 16:01]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C951EC90-1AAB-4368-B54F-B4EB9D8D8AD4} - c:\windows\system32\vtUoljkl.dll
    BHO-{ef55576c-d264-4939-ad2f-19cf10724df6} - c:\windows\system32\mcggwt.dll
    HKLM-Explorer_Run-Lsass Service - c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe
    Notify-sys32 - sys32.dll
    MSConfigStartUp-admincfg - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\lwilson.INTERNAL\Application Data\Mozilla\Firefox\Profiles\wqxc4s75.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.linkpopularity.com/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-06 17:20:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    Lsass Service = c:\documents and settings\lwilson.INTERNAL\Application Data\Microsoft\Windows\lsass.exe????????????????????????????????????????

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\c002FAE.mat
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
    c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
    c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-06 17:28:29 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-06 23:27:25

    Pre-Run: 54,862,344,192 bytes free
    Post-Run: 56,031,035,392 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

    253 --- E O F --- 2008-10-25 06:19:00

    _____________________________
    Edit.

    Links were given to "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=36064
    http://forums.spybot.info/showthread.php?t=36057


    From the sticky topic:
    ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.


    Do NOT run 'fixes' before helpers have analyzed the HJT log
    Last edited by tashi; 2008-11-07 at 17:05. Reason: added links
    When you tax Peter to pay Paul, you can always count on the support of Paul.

    christian forums

  2. #2
    Junior Member (Join Date: Nov 2008, Posts: 23)

    And when I used ComboFix it messed up the time on my computer and I can't get it to stop using military time. Like earlier it was showing it was 13:06.

    Please help. I need to get this junk off my computer so I can work as fast as normal.

  3. #3
    Junior Member (Join Date: Nov 2008, Posts: 23)

    Ok, I read that. I just want/need help and was trying to do what assisters had told others to do in a similar situation.

    Would someone please help me out at this point? As I said, I'm running Spybot and it finds stuff and "fixes" it but then it's right back within a little bit.

    Please help.

    Thanks.

  4. #4
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.

    If you have read the directions, then you understand these now:
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
    Do NOT run 'FIXES' before helpers have analyzed the HJT log
    http://forums.spybot.info/showthread.php?t=16806
    ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.
    If you want me to pick up in this mess already made, read and follow the directions and post the required HijackThis log described clearly in those directions. Take a moment to describe any malware symptoms and post any error messages word for word.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member (Join Date: Nov 2008, Posts: 23)

    Ok, I'm doing my best and appreciate the help. Symptoms include websites popping up, computer slow down, longer load time on upstart. When I run Spybot it says that it fixes the problems but they come right back; it finds them again and fixes them again. Here's the HijackThis thread. Again, if I do something wrong, it is unintentional. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:21, on 2008-11-09
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gracecentered.com/christian_forums
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB004" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: Epson printer Registration.lnk = D:\E_reg\EPSONREG.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.moove.com
    O15 - Trusted Zone: *.stumbleupon.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/...tiveX/smsx.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1159806604051
    O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} (ScanFile.FileScan) - http://www.contentpurity.net/xp/ScanFile.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
    O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
    O20 - AppInit_DLLs: mcggwt.dll
    O20 - Winlogon Notify: c002FAE - C:\WINDOWS\SYSTEM32\c002FAE.mat
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 12085 bytes
    When you tax Peter to pay Paul, you can always count on the support of Paul.

    christian forums

  6. #6
    Junior Member
    Join Date
    Nov 2008
    Posts
    23

    Default

    An additional problem is that my computer's clock now shows military time and I can't get it to go back to normal time.

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
    O17 - HKLM\Software\..\Telephony: DomainName = internal.familydynamics.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = internal.familydynamics.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = internal.familydynamics.net

    This is not a company or corporate computer?
    http://forums.spybot.info/showthread.php?t=288
    Note:
    When the infected computer in question is a company machine in the workplace, and you are an employee.

    The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

    More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

    To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

    Thanks for your understanding.

    --------------------------------------------
    Malware removal forum volunteers are unable to assist users with infected Corporate, Government or Institutional machines. Please contact our office support so they may provide direct assistance for your needs. Thank you.

    Spybot S&D Corporate-Small Business Editions
    For more information, please send an email to licenses(at)spybot.info

    Regards.
    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Nov 2008
    Posts
    23

    Default

    It used to be, but I own it now. It was part of a severance package.

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for providing that feedback, and it appears you are still infected.
    I want to run combofix again, but we need to run the most recent version. Please delete any version of combofix you have on the computer and follow the directions carefully and exactly. Please be aware, if combofix adjusts the time, it will be returned to your settings when we remove the tool as we finish with it. If it does not, this information will fix the issue.

    http://www.ehow.com/how_4483170_time...indows-xp.html


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks

  10. #10
    Junior Member
    Join Date
    Nov 2008
    Posts
    23

    Default

    Combofix says:

    ComboFix 08-11-10.01 - lwilson 2008-11-11 14:25:33.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1411 [GMT -6:00]
    Running from: c:\documents and settings\lwilson.INTERNAL\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
    .

    2008-11-06 09:23 . 2008-11-06 09:23 20,992 --ahs---- c:\windows\system32\c007E93E.mat
    2008-11-05 10:47 . 2008-11-05 10:47 20,992 --ahs---- c:\windows\system32\c00D94B4.mat
    2008-11-04 17:35 . 2008-11-04 17:35 20,992 --ahs---- c:\windows\system32\c00FD544.mat
    2008-11-04 16:40 . 2008-11-04 16:40 60,928 --ahs---- c:\windows\system32\efcBqNGy.dll
    2008-11-04 16:08 . 2008-11-06 09:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-04 16:08 . 2008-11-04 16:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-04 15:21 . 2008-11-04 15:22 <DIR> d-------- c:\program files\NoAdware
    2008-11-03 10:21 . 2008-11-03 10:21 20,992 --ahs---- c:\windows\system32\c00F9D63.mat
    2008-11-02 23:11 . 2008-11-02 23:11 20,992 --ahs---- c:\windows\system32\c0015819.mat
    2008-11-02 23:00 . 2008-11-02 23:00 20,992 --ahs---- c:\windows\system32\c008195E.mat
    2008-11-02 11:25 . 2008-11-02 11:25 20,992 --ahs---- c:\windows\system32\c00E8919.mat
    2008-11-01 09:45 . 2008-11-01 09:45 20,992 --ahs---- c:\windows\system32\c00F682D.mat
    2008-10-31 17:49 . 2008-10-31 17:49 20,992 --ahs---- c:\windows\system32\c002FAE.mat
    2008-10-31 17:46 . 2008-11-01 13:59 <DIR> d-------- c:\windows\system32\QI19
    2008-10-31 17:46 . 2008-10-31 17:46 <DIR> d-------- c:\temp\NT32
    2008-10-31 17:46 . 2008-10-31 17:46 60,928 --ahs---- c:\windows\system32\jkkHXPHy.dll
    2008-10-31 17:46 . 2008-10-31 17:46 34,816 --a------ c:\windows\system32\prun.exe
    2008-10-27 07:10 . 2008-10-27 07:10 <DIR> d-------- c:\program files\DVDx
    2008-10-26 17:18 . 2008-11-10 13:57 54,156 --ah----- c:\windows\QTFont.qfn
    2008-10-26 17:18 . 2008-10-26 17:18 1,409 --a------ c:\windows\QTFont.for
    2008-10-25 10:09 . 2008-11-03 10:32 <DIR> d-------- C:\Temp
    2008-10-25 10:09 . 2008-10-25 10:09 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\Sierra Wireless
    2008-10-25 10:08 . 2004-07-21 10:40 17,920 --a------ c:\windows\system32\apintfnt.dll
    2008-10-25 10:06 . 2008-10-25 10:06 <DIR> d-------- c:\windows\SierraWireless3.5.4.1
    2008-10-24 12:46 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
    2008-10-16 15:25 . 2008-10-16 15:25 <DIR> d-------- c:\documents and settings\lwilson.INTERNAL\Application Data\HP
    2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
    2008-10-16 15:25 . 2007-10-25 09:38 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
    2008-10-16 15:24 . 2008-10-16 15:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2008-10-16 15:24 . 2007-10-25 09:38 675,840 -ra------ c:\windows\system32\hpowiax4.dll
    2008-10-16 15:24 . 2007-10-25 09:38 569,344 -ra------ c:\windows\system32\hpotscl4.dll
    2008-10-16 15:24 . 2007-10-25 09:38 364,544 -ra------ c:\windows\system32\hppldcoi.dll
    2008-10-16 15:24 . 2007-10-25 09:38 309,760 -ra------ c:\windows\system32\difxapi.dll
    2008-10-16 15:24 . 2007-10-25 09:38 294,912 -ra------ c:\windows\system32\hpovst11.dll
    2008-10-16 15:24 . 2007-10-25 09:35 258,048 -ra------ c:\windows\system32\hpzids01.dll
    2008-10-16 15:24 . 2007-10-29 16:14 117,760 --a------ c:\windows\system32\hpzll4xl.dll
    2008-10-16 15:24 . 2007-10-25 09:38 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
    2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\program files\Common Files\HP
    2008-10-15 09:04 . 2008-10-15 09:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
    2008-10-15 09:03 . 2008-10-15 09:03 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\windows\zhenghe2
    2008-10-15 08:55 . 2008-10-15 08:55 <DIR> d-------- c:\program files\HP
    2008-10-15 08:53 . 2008-10-16 15:27 144,681 --a------ c:\windows\hpwins16.dat
    2008-10-15 08:36 . 2008-09-15 06:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
    2008-10-15 08:36 . 2008-09-08 04:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
    2008-10-15 08:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-15 08:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-15 08:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-15 08:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-10 15:50 60,744 ----a-w c:\documents and settings\lwilson.INTERNAL\g2mdlhlpx.exe
    2008-11-09 18:19 --------- d-----w c:\program files\Trend Micro
    2008-11-09 17:43 --------- d-----w c:\program files\Windows Live Safety Center
    2008-11-09 00:43 --------- d-----w c:\program files\Celtx
    2008-10-25 16:08 --------- d-----w c:\program files\Sierra Wireless
    2008-10-20 00:10 --------- d-----w c:\program files\Norton Security Scan
    2008-10-20 00:10 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-10-16 06:13 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Skype
    2008-09-23 20:05 --------- d-----w c:\documents and settings\lwilson.INTERNAL\Application Data\Greyfirst
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-06 04:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
    2008-09-06 04:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
    2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
    2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
    2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
    2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
    2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
    2008-08-14 10:04 138,496 ------w c:\windows\system32\dllcache\afd.sys
    2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2007-12-07 18:02 36,640 ----a-w c:\documents and settings\lwilson.INTERNAL\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-06_17.26.58.25 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-10-15 15:06:53 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-11-06 15:34:32 12,288 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2008-10-15 15:06:53 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-11-06 15:34:32 135,168 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2008-10-15 15:06:53 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-11-06 15:34:32 11,264 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2008-10-15 15:06:53 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-11-06 15:34:33 27,136 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-10-15 15:06:53 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-11-06 15:34:33 4,096 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2008-10-15 15:06:53 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-11-06 15:34:33 794,624 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2008-10-15 15:06:53 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-11-06 15:34:33 23,040 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2008-10-15 15:06:53 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-11-06 15:34:32 286,720 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2008-10-15 15:06:53 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-11-06 15:34:32 409,600 ----a-r c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-11-11 16:27:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3bc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]
    "Google Update"="c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-30 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
    "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
    "pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
    "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
    "EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-12 185896]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 c:\windows\stsystra.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-11-08 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 49152]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-14 24576]
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-01 303104]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceStartMenuLogOff"= 1 (0x1)
    "DisablePersonalDirChange"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
    2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=mcggwt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=PushPrinterConnections.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1120\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1145\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2000478354-630328440-725345543-1251\Scripts\Logon\0\0]
    "Script"=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R3 swmsflt;swmsflt;c:\windows\system32\drivers\swmsflt.sys [2007-08-10 24456]
    S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\Drivers\usbbc.sys [2001-01-07 15576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

    2008-11-06 c:\windows\Tasks\Disk Defragmenter.job
    - c:\windows\system32\defrag.exe [2008-04-13 18:12]

    2008-11-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\lwilson.INTERNAL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-30 16:01]
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\lwilson.INTERNAL\Application Data\Mozilla\Firefox\Profiles\wqxc4s75.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.linkpopularity.com/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-11 14:28:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: c:\windows\system32\winlogon.exe
    -> c:\windows\system32\c002FAE.mat
    .
    Completion time: 2008-11-11 14:30:22
    ComboFix-quarantined-files.txt 2008-11-11 20:29:39

    Pre-Run: 55,619,895,296 bytes free
    Post-Run: 55,766,368,256 bytes free

    213 --- E O F --- 2008-10-25 06:19:00
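The report above carries three signals worth reading together: hidden+system files created in system32, a Winlogon Notify key pointing at a .mat file, and that same file listed under winlogon.exe in "DLLs Loaded Under Running Processes". The triage script below is an added example (not part of the thread, not ComboFix's own logic) that parses those three sections and correlates them; the sample lines are constructed from the log's format, and the flagging rules and the expected-extension set are this editor's assumptions.

```python
import re
from collections import namedtuple

# Constructed sample, copied in shape from the ComboFix sections "Files Created",
# "Reg Loading Points" and "DLLs Loaded Under Running Processes" in this thread.
SAMPLE_LOG = r"""
2008-11-06 09:23 . 2008-11-06 09:23 20,992 --ahs---- c:\windows\system32\c007E93E.mat
2008-11-04 16:40 . 2008-11-04 16:40 60,928 --ahs---- c:\windows\system32\efcBqNGy.dll
2008-10-31 17:46 . 2008-10-31 17:46 34,816 --a------ c:\windows\system32\prun.exe
2008-10-31 17:49 . 2008-10-31 17:49 20,992 --ahs---- c:\windows\system32\c002FAE.mat
2008-10-16 15:25 . 2007-10-25 09:38 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c002FAE]
2008-10-31 17:49 20992 c:\windows\system32\c002FAE.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mcggwt.dll

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\c002FAE.mat
"""

# "created . modified size attrs path"; attrs is the 9-character flag string (d, r, a, h, s, ...)
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) ([\d,]+|<DIR>) ([-a-z]{9}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
NOTIFY_RE = re.compile(r"^\S+ \S+ \d+ (.+)$")      # "date time size path" under a Notify key
PROCESS_RE = re.compile(r"^PROCESS: (.+)$")
MODULE_RE = re.compile(r"^-> (.+)$")
# Assumption: extensions normally seen in system32; hidden+system files with any other extension rank higher.
EXPECTED_SYS32_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl"}
Finding = namedtuple("Finding", "severity reason path")

def parse_log(text):
    """Return created files (path -> attrs), Winlogon Notify targets, AppInit_DLLs values, modules per process."""
    files, notify, appinit, loaded = {}, [], [], {}
    key = proc = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FILE_RE.match(line):
            files[m.group(5).lower()] = m.group(4)
        elif m := KEY_RE.match(line):
            key, proc = m.group(1).lower(), ""          # a new registry key ends any process block
        elif "\\winlogon\\notify\\" in key and (m := NOTIFY_RE.match(line)):
            notify.append(m.group(1).lower())
        elif key.endswith("\\currentversion\\windows") and line.startswith('"AppInit_DLLs"='):
            value = line.split("=", 1)[1].strip().strip('"')
            appinit += [v.lower() for v in re.split(r"[ ,]+", value) if v]
        elif m := PROCESS_RE.match(line):
            proc = m.group(1).lower()
            loaded[proc] = []
        elif proc and (m := MODULE_RE.match(line)):
            loaded[proc].append(m.group(1).lower())
    return files, notify, appinit, loaded

def triage(text):
    """Apply the (assumed) flagging rules, then correlate hits against what winlogon.exe has loaded."""
    files, notify, appinit, loaded = parse_log(text)
    findings = []
    for path, attrs in files.items():
        if "\\system32\\" in path and "h" in attrs and "s" in attrs:
            name = path.rsplit("\\", 1)[-1]
            ext = name[name.rfind("."):] if "." in name else ""
            sev = "medium" if ext in EXPECTED_SYS32_EXT else "high"
            findings.append(Finding(sev, "recently created hidden+system file in system32", path))
    for path in notify:
        if not path.endswith(".dll"):                    # Notify packages are DLLs; anything else is odd
            findings.append(Finding("high", "Winlogon Notify target is not a .dll", path))
    for name in appinit:
        findings.append(Finding("high", "AppInit_DLLs is populated", name))
    # Strongest signal: a file flagged above that is actually mapped into winlogon.exe.
    flagged = {f.path for f in findings}
    for mod in loaded.get("c:\\windows\\system32\\winlogon.exe", []):
        if mod in flagged:
            findings.append(Finding("critical", "flagged file is loaded inside winlogon.exe", mod))
    return findings
```

On the sample this yields one critical finding (c002FAE.mat: hidden+system, registered as a Notify package, and loaded in winlogon.exe) and leaves the HP driver and prun.exe unflagged; real logs need the rule set reviewed against the machine's known software.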
