Thread: Unknown infection, blocks executables

    #1 | Member | Join Date: Apr 2009 | Posts: 63

    Unknown infection, blocks executables

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 10:55:00.39 on Thu 06/03/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.588 [GMT -4:00]

    AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    svchost.exe
    C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\LocalService\Local Settings\Application Data\asam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\ATTToolbar\FDServer.exe
    "C:\WINDOWS\System32\svchost.exe"
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner.YOUR-92C8B56D4E\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.att.net
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: voguecash browser enhancer: {e94126a3-fbb7-b8ec-dbb3-8b7931dbdf01} - c:\windows\system32\swvyslcmvyx.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [pjpvyiqvfjo] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\swvyslcmvyx.dll"
    mRun: [MChk] c:\windows\system32\ncrpuidj.exe
    mRun: [yymdfwnc] c:\documents and settings\localservice\local settings\application data\gqaovxpvj\uptjycatssd.exe
    mRun: [asam] c:\documents and settings\localservice\local settings\application data\asam.exe
    dRun: [Power2GoExpress] NA
    dRun: [yymdfwnc] c:\documents and settings\localservice\local settings\application data\gqaovxpvj\uptjycatssd.exe
    dRun: [asam] c:\documents and settings\localservice\local settings\application data\asam.exe
    StartupFolder: c:\docume~1\owner~1.you\startm~1\programs\startup\gmotes~1.lnk - c:\program files\gmoteserver\GmoteServer.exe
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {7D2B746C-786A-4243-87F8-3531591BFDF4} = 93.188.163.6,93.188.166.241
    TCP: {F223CDB5-C307-4D4C-ADA2-DE4C5F06E4A9} = 93.188.163.6,93.188.166.241
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\scmk6iki.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-5-7 11608]
    R2 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-5-7 68865]
    R2 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-5-7 151297]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-4-15 14976]
    R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-5-7 52056]
    S0 obomshz;obomshz;c:\windows\system32\drivers\wjindtf.sys --> c:\windows\system32\drivers\wjindtf.sys [?]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
    S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-7-5 18432]

    =============== Created Last 30 ================

    2010-06-03 13:30:23 0 dc----w- c:\windows\system32\dllcache\cache
    2010-06-03 13:22:24 98816 ----a-w- c:\windows\sed.exe
    2010-06-03 13:22:24 230912 ----a-w- c:\windows\PEV.exe
    2010-06-03 13:22:24 161792 ----a-w- c:\windows\SWREG.exe
    2010-06-03 13:21:14 0 d-s---w- C:\ComboFix
    2010-06-03 12:03:02 0 d-----w- C:\28342
    2010-06-01 06:12:17 50981 ----a-w- c:\windows\system32\ejoyieghoqgp.exe
    2010-06-01 06:11:28 823808 ----a-w- c:\windows\system32\drivers\peehmji.sys
    2010-06-01 06:11:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
    2010-06-01 06:10:44 68608 ----a-w- c:\windows\system32\ernel32.dll
    2010-05-27 11:57:10 169472 ----a-w- c:\windows\system32\swvyslcmvyx.dll
    2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\ncrpuidj.exe
    2010-05-22 05:01:40 0 d-----w- c:\program files\Video Converter
    2010-05-10 05:01:04 0 d-----w- c:\program files\DebugMode

    ==================== Find3M ====================

    2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
    2009-01-13 18:45:08 81920 ----a-w- c:\program files\common files\WIZ1x0SR_105SR_CFG.exe
    2006-12-01 09:54:32 626688 ----a-w- c:\program files\common files\MSVCR80.dll

    ============= FINISH: 10:56:47.58 ===============
    ----------------------------------
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/5/2008 7:27:19 PM
    System Uptime: 6/3/2010 10:48:53 AM (0 hours ago)

    Motherboard: Winfast | | NF4(X)K8MC
    Processor: AMD Athlon(tm) 64 Processor 4000+ | Socket 939 | 2412/194mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 182 GiB total, 35.371 GiB free.
    D: is FIXED (FAT32) - 4 GiB total, 1.435 GiB free.
    E: is CDROM ()
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA(R) nForce(TM) Audio Codec Interface
    Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_0CA4105B&REV_A2\3&2411E6FE&0&20
    Manufacturer: NVIDIA Corporation
    Name: NVIDIA(R) nForce(TM) Audio Codec Interface
    PNP Device ID: PCI\VEN_10DE&DEV_0059&SUBSYS_0CA4105B&REV_A2\3&2411E6FE&0&20
    Service: nvax

    Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft Kernel DLS Synthesizer
    Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
    Manufacturer: Microsoft
    Name: Microsoft Kernel DLS Synthesizer
    PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC
    Service: DMusic

    ==== System Restore Points ===================

    RP1: 6/1/2010 2:14:38 AM - System Checkpoint
    RP2: 6/3/2010 9:22:59 AM - ComboFix created restore point

    ==== Installed Programs ======================

    Acrobat.com
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Asset Services CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Creative Suite 4 Design Premium
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Fireworks CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Reader 7.0
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe Shockwave Player
    Adobe SING CS4
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe Version Cue CS4 Server
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Agere Systems PCI-SV92PP Soft Modem
    Alesis io|2 ASIO Driver
    Amazon MP3 Downloader 1.0.5
    America Online (Choose which version to remove)
    ANIO Service
    ANIWZCS2 Service
    Any Video Converter 3.0.5
    Apple Mobile Device Support
    Apple Software Update
    AT&T Toolbar
    AT&T Yahoo! Internet Mail
    Athlon 64 Processor Driver
    AVI DivX to DVD SVCD VCD Converter 4.0.0322
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Browser Address Error Redirector
    Connect
    ConvertXtoDVD 3.5.1.135
    Critical Update for Windows Media Player 11 (KB959772)
    DebugMode Wax 2.0
    Digital Media Reader
    DVD Solution
    EAX4 Unified Redist
    GmoteServer
    GTK+ Runtime 2.12.8 rev a (remove only)
    gtw_logo
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 10 (KB910393)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB895953)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB910728)
    Hotfix for Windows XP (KB912024)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 4.0
    HP Software Update
    iTunes
    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    kuler
    LightScribe System Software 1.10.13.1
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Digital Image Library 9 - Blocker
    Microsoft Digital Image Starter Edition 2006
    Microsoft Digital Image Starter Edition 2006 Editor
    Microsoft Digital Image Starter Edition 2006 Library
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2006
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.19)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Multimedia Keyboard Driver
    Napster Burn Engine
    Nero 7 Essentials
    neroxml
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NvMixer
    OpenOffice.org 3.0
    Overland
    PDF Settings CS4
    Performance Platform Voguecash
    Photoshop Camera Raw
    Photosmart 320,370,7400,8100,8400 Series
    Pidgin
    Pixel Bender Toolkit
    Power2Go 4.0
    PowerDVD
    PS8100
    PSPrinters06
    Pure Networks Port Magic
    QFolder
    QuickTime
    Realtek High Definition Audio Driver
    Recovery Software Suite Gateway
    Secunia PSI
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Sky-Banners browser enhancer
    Sonic Encoders
    Steinberg Cubase LE 4
    Street-Ads Browser Enhancer
    Suite Shared Configuration CS4
    Syncrosoft License Control
    Tom Clancy's Splinter Cell Double Agent
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VideoCam Suite 2.0
    WebFldrs XP
    WebReg
    Windows Backup Utility
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    Wireless G WUA-1340
    WIZ1x0_105SR Configtool
    Yahoo! Install Manager

    ==== Event Viewer Messages From Past Week ========

    6/3/2010 9:28:36 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
    6/3/2010 9:00:21 AM, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 9:00:18 AM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 9:00:04 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    6/3/2010 9:00:00 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 8:59:41 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 8:59:34 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    6/3/2010 8:59:26 AM, error: Service Control Manager [7034] - The ANIWZCSd Service service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 8:59:13 AM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 8:51:02 AM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    6/3/2010 8:04:14 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    6/3/2010 8:04:07 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    6/3/2010 10:49:33 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
    6/1/2010 3:00:17 AM, error: Service Control Manager [7031] - The AOL TopSpeed Monitor service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    6/1/2010 2:56:30 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    6/1/2010 2:56:30 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    6/1/2010 2:15:27 AM, error: Dhcp [1002] - The IP address lease 192.168.2.7 for the Network Card with network address 00195B7E149F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    6/1/2010 2:11:34 AM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
    5/29/2010 11:58:18 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00195B7E149F. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    5/29/2010 11:58:07 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    ==== End Of File ===========================

    I meant to add that this thing disables executable files, and I had to shut down about 5 running processes so that I could produce this log.

    Thank you
    -----------------------

    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)
    Last edited by tashi; 2010-06-03 at 19:16. Reason: Merged three posts, please don't add. ;-) Link to forum FAQ provided

  2. #2
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello chrisbattista03 and

    My name is JonTom.

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

    • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
    • This may cause a delay in response time, but I will do my best to keep it as short as possible.
    • I will reply back shortly with instructions.
    Proud Graduate of the WTT Classroom

  3. #3
    Member
    Join Date
    Apr 2009
    Posts
    63

    Default

    Thanks JonTom, I will await your reply.

  4. #4
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello chrisbattista03

    Thank you for the log.

    Please only reply to this thread and do not start another topic otherwise I will not be able to keep track of you.

    Your machine is heavily infected.


    1. IMPORTANT!!!


      • It is very likely that the malware we are dealing with has password stealing capabilities. For this reason you are STRONGLY ADVISED to disconnect the infected computer from the internet and from any networked computers until it can be cleaned. If you have networked computers, these must be checked, as they may also be infected.
      • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft. It may also be prudent to ask your banks to freeze/disable online access to your accounts until you are certain that your computer is free of the infecting malware.



      • It is ESSENTIAL that you use a CLEAN (uninfected) computer to change ALL of your passwords for the online services (banking etc) that you use. DO NOT USE THE INFECTED COMPUTER TO CHANGE YOUR PASSWORDS OR TO PERFORM ANY FINANCIAL TRANSACTIONS, as doing so will give the attacker access to the new password that you create.


    2. ComboFix


      • I can see that you have recently had ComboFix on your system.
      • If ComboFix is still installed, please delete the copy you have and work your way through the steps listed below.



      "this thing disables executable files"
    3. exeHelper


      • Please download exeHelper by clicking here and save the file (called exeHelper.com) to your desktop.
      • Double click on exeHelper.com to run the fix.
      • A black window should pop up. Press any key to close once the fix is completed.
      • Post the contents of log.txt (it Will be created in the directory where you ran exeHelper.com).
      • NOTE: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



      In the (unlikely) event that exeHelper does not enable you to open programs more easily, try rkill:

    4. rkill


      • Please download and run rkill (Courtesy of Bleepingcomputer.com).
      • There are 6 different versions of this tool. If one of them will not run, please try the next one in the list.
      • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
      • Note: You only need to get one of the tools to run, not all of them.





    5. Download Combofix and RE-NAME it BEFORE saving


      • Download Combofix from either of the links below. You must rename it to chrisbatista.exe before saving it.
      • Save it to your desktop. Change the "save as file type" to "all files".
      • Note: In the event you already have Combofix, delete it, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.



      • If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".







      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.



      • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.



      • Double click on the renamed ComboFix.exe & follow the prompts.
      • When finished, it will produce a report for you.
      • Please post the C:\ComboFix.txt so we can continue cleaning the system.


      Please provide the exeHelper log and the ComboFix log in your next reply.
    Proud Graduate of the WTT Classroom
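The exeHelper step in the post above works by putting back the handful of registry values an "executables are blocked" infection typically rewrites: the .exe and .com open commands, the Winlogon Userinit and Shell values, and the policies that lock Task Manager and regedit. The script below is an added example (not exeHelper, ComboFix or anything posted in this thread) that audits those values against their Windows XP defaults and emits a REGEDIT4 file restoring them. The HIJACKED snapshot is constructed to show the pattern; the path `hijack.exe` in it is hypothetical and is not something ComboFix found on this machine. `live_snapshot()` reads the same values from a running Windows registry and is the only part that needs Windows.

```python
"""Audit the registry values an exe-blocking infection rewrites and build a fix.

Added example, not exeHelper/ComboFix code. EXPECTED holds the Windows XP
defaults; HIJACKED is a constructed snapshot (hypothetical hijack.exe path).
"""
import re

# (key, value name) -> clean default. "" is the (Default) value of the key.
EXPECTED = {
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        "Explorer.exe",
}

# Lock-out policies; on a home machine they should be absent or 0.
POLICY_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
]

HIVES = {"HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCU": "HKEY_CURRENT_USER"}

# Constructed snapshot of a hijacked XP box: a program wedged in front of every
# .exe, an extra Userinit entry, Task Manager disabled. Not taken from the logs.
HIJACKED = {
    (r"HKCR\exefile\shell\open\command", ""):
        r'"C:\Documents and Settings\LocalService\Local Settings\Application Data\hijack.exe" "%1" %*',
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"):
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hijack.exe,",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
}
CLEAN = dict(EXPECTED)


def normalize(value):
    """Compare the way the shell does: case- and whitespace-insensitive."""
    return re.sub(r"\s+", " ", str(value).strip()).lower()


def audit(snapshot):
    """Return (key, name, actual, expected) for every value that deviates.
    expected is None when the value should simply be deleted."""
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = snapshot.get((key, name))
        if actual is None or normalize(actual) != normalize(expected):
            findings.append((key, name, actual, expected))
    for key, name in POLICY_VALUES:
        actual = snapshot.get((key, name))
        if actual not in (None, 0, "0"):
            findings.append((key, name, actual, None))
    return findings


def hijacked_interpreter(command):
    """For an exefile/comfile open command, return the program that now runs
    in front of every executable, or None if the command is the default."""
    if normalize(command) == normalize('"%1" %*'):
        return None
    m = re.match(r'\s*"?([^"]+?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command


def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_fix(findings):
    """REGEDIT4 text restoring the defaults: the manual equivalent of the
    'Resetting ...' lines exeHelper logs. '=-' deletes a value."""
    lines = ["REGEDIT4", ""]
    for key, name, _actual, expected in findings:
        hive, _, rest = key.partition("\\")
        lines.append(f"[{HIVES[hive]}\\{rest}]")
        vname = "@" if name == "" else f'"{name}"'
        lines.append(f"{vname}=-" if expected is None else f'{vname}="{reg_escape(expected)}"')
        lines.append("")
    return "\n".join(lines)


def live_snapshot():
    """Read the same values from the running registry (Windows only)."""
    import winreg
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key, name in list(EXPECTED) + POLICY_VALUES:
        hive, _, rest = key.partition("\\")
        try:
            with winreg.OpenKey(roots[hive], rest) as k:
                snap[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent: audit() reports it as a deviation
    return snap


if __name__ == "__main__":
    for key, name, actual, expected in audit(HIJACKED):
        print(f"{key} [{name or '(Default)'}]: {actual!r} -> {expected!r}")
    print(reg_fix(audit(HIJACKED)))
```

Run it as-is to see the three deviations in the constructed snapshot and the .reg text that would undo them; on a Windows machine, `audit(live_snapshot())` does the same against the real registry. Note what the hijack does not change: `hijack.exe` still passes `"%1" %*` through, so programs appear to start normally while the interloper runs first, which is why the user could only get the log out after killing processes by hand.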

  5. #5
    Member
    Join Date
    Apr 2009
    Posts
    63

    Default

    ComboFix had to reboot the machine, and my antivirus restarts on bootup, so while ComboFix was running I was getting warnings from Avira. I chose "deny access" for every warning it gave me.

    exeHelper by Raktor
    Build 20100414
    Run at 14:29:17 on 06/09/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--



    =========================================================

    ComboFix 10-06-09.01 - Owner 06/09/2010 14:49:13.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.676 [GMT -4:00]
    Running from: c:\documents and settings\Owner.YOUR-92C8B56D4E\Desktop\chrisbatista.exe
    AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Update\seupd.exe
    c:\documents and settings\Cubase LE\Application Data\2FC198D417B474CA92ED624A385F93BB
    c:\documents and settings\Cubase LE\Application Data\2FC198D417B474CA92ED624A385F93BB\enemies-names.txt
    c:\documents and settings\Cubase LE\Application Data\2FC198D417B474CA92ED624A385F93BB\gotnewupdate000.exe
    c:\documents and settings\Cubase LE\Application Data\2FC198D417B474CA92ED624A385F93BB\local.ini
    c:\documents and settings\Cubase LE\Application Data\2FC198D417B474CA92ED624A385F93BB\lsrslt.ini
    c:\documents and settings\Cubase LE\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
    c:\documents and settings\Cubase LE\Start Menu\Programs\Antimalware Doctor
    c:\documents and settings\Cubase LE\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
    c:\documents and settings\Cubase LE\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
    c:\documents and settings\Cubase LE\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    c:\documents and settings\LocalService\Local Settings\Application Data\asam.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\gqaovxpvj
    c:\documents and settings\LocalService\Local Settings\Application Data\gqaovxpvj\uptjycatssd.exe
    c:\documents and settings\LocalService\Local Settings\Application Data\syssvc.exe
    c:\windows\system32\ernel32.dll

    Infected copy of c:\windows\system32\drivers\ql10wnt.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
    .

    2010-06-03 13:21 . 2010-06-03 13:33 -------- d-----w- C:\ComboFix
    2010-06-03 12:03 . 2010-06-03 12:03 -------- d-----w- C:\28342
    2010-06-03 12:01 . 2010-06-01 06:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\uO931i.dll
    2010-06-01 06:58 . 2010-06-01 06:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-06-01 06:58 . 2010-06-01 06:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\ATTTOOLBAR
    2010-06-01 06:56 . 2010-06-01 06:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93179w179.dll
    2010-06-01 06:15 . 2010-06-01 06:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17u3m7.dll
    2010-06-01 06:12 . 2010-06-01 06:12 50981 ----a-w- c:\windows\system32\ejoyieghoqgp.exe
    2010-06-01 06:12 . 2010-06-01 06:12 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-06-01 06:11 . 2010-06-09 18:56 823808 ----a-w- c:\windows\system32\drivers\peehmji.sys
    2010-06-01 06:11 . 2010-06-09 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-06-01 06:10 . 2010-06-01 06:10 68608 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oCE7.dll
    2010-05-27 11:57 . 2010-05-27 11:57 169472 ----a-w- c:\windows\system32\swvyslcmvyx.dll
    2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\ncrpuidj.exe
    2010-05-24 01:17 . 2010-05-24 01:17 -------- d-----w- c:\documents and settings\Cubase LE\Application Data\VST3 Presets
    2010-05-22 05:01 . 2010-05-22 05:01 -------- d-----w- c:\documents and settings\Cubase LE\Application Data\AnvSoft
    2010-05-22 05:01 . 2010-05-22 05:01 -------- d-----w- c:\program files\Video Converter
    2010-05-22 01:32 . 2010-05-28 22:51 1 ----a-w- c:\documents and settings\Cubase LE\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-05-22 01:31 . 2010-05-22 01:31 -------- d-----w- c:\documents and settings\Cubase LE\Application Data\OpenOffice.org

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-09 18:42 . 2009-02-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
    2010-06-09 18:18 . 2009-10-07 04:12 -------- d-----w- c:\documents and settings\Owner.YOUR-92C8B56D4E\Application Data\Gmote
    2010-05-10 05:01 . 2010-05-10 05:01 -------- d-----w- c:\program files\DebugMode
    2009-01-13 18:45 . 2009-07-15 01:19 81920 ----a-w- c:\program files\Common Files\WIZ1x0SR_105SR_CFG.exe
    2006-12-01 09:54 . 2009-07-15 01:19 626688 ----a-w- c:\program files\Common Files\MSVCR80.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-06-03_13.28.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-06-09 18:44 . 2010-06-09 18:44 16384 c:\windows\temp\Perflib_Perfdata_e0.dat
    + 2010-06-03 13:30 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\cache\wuauclt.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 13824 c:\windows\system32\dllcache\cache\wscntfy.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 82944 c:\windows\system32\dllcache\cache\ws2_32.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 24576 c:\windows\system32\dllcache\cache\userinit.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 14336 c:\windows\system32\dllcache\cache\svchost.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 71680 c:\windows\system32\dllcache\cache\ssdpsrv.dll
    + 2010-06-03 13:30 . 2005-06-10 23:53 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 59904 c:\windows\system32\dllcache\cache\regsvc.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 89088 c:\windows\system32\dllcache\cache\rasauto.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 17408 c:\windows\system32\dllcache\cache\powrprof.dll
    + 2010-06-03 13:30 . 2006-10-19 01:47 27136 c:\windows\system32\dllcache\cache\mspmsnsv.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 33792 c:\windows\system32\dllcache\cache\msgsvc.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 13312 c:\windows\system32\dllcache\cache\lsass.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 22016 c:\windows\system32\dllcache\cache\lpk.dll
    + 2010-06-03 13:30 . 2005-09-01 01:41 19968 c:\windows\system32\dllcache\cache\linkinfo.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 29056 c:\windows\system32\dllcache\cache\ip6fw.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 55808 c:\windows\system32\dllcache\cache\eventlog.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 60416 c:\windows\system32\dllcache\cache\cryptsvc.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 77312 c:\windows\system32\dllcache\cache\browser.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 14336 c:\windows\system32\dllcache\cache\asyncmac.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 11648 c:\windows\system32\dllcache\cache\acpiec.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 5120 c:\windows\system32\dllcache\cache\sfc.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 2944 c:\windows\system32\dllcache\cache\null.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 4224 c:\windows\system32\dllcache\cache\beep.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 129536 c:\windows\system32\dllcache\cache\xmlprov.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 502272 c:\windows\system32\dllcache\cache\winlogon.exe
    + 2010-06-03 13:30 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\cache\wininet.dll
    + 2010-06-03 13:30 . 2007-03-08 15:36 577536 c:\windows\system32\dllcache\cache\user32.dll
    + 2010-06-03 13:30 . 2007-02-05 20:17 185344 c:\windows\system32\dllcache\cache\upnphost.dll
    + 2010-06-03 13:30 . 2005-03-10 14:49 295424 c:\windows\system32\dllcache\cache\termsrv.dll
    + 2010-06-03 13:30 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\cache\tcpip.sys
    + 2010-06-03 13:30 . 2005-07-08 16:27 249344 c:\windows\system32\dllcache\cache\tapisrv.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 170496 c:\windows\system32\dllcache\cache\srsvc.dll
    + 2010-06-03 13:30 . 2006-12-19 21:52 134656 c:\windows\system32\dllcache\cache\shsvcs.dll
    + 2010-06-03 13:30 . 2009-02-06 10:22 110592 c:\windows\system32\dllcache\cache\services.exe
    + 2010-06-03 13:30 . 2004-08-10 19:00 190976 c:\windows\system32\dllcache\cache\schedsvc.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 180224 c:\windows\system32\dllcache\cache\scecli.dll
    + 2010-06-03 13:30 . 2009-02-09 10:01 401408 c:\windows\system32\dllcache\cache\rpcss.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 382464 c:\windows\system32\dllcache\cache\qmgr.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 435200 c:\windows\system32\dllcache\cache\ntmssvc.dll
    + 2010-06-03 13:30 . 2007-02-09 11:10 574464 c:\windows\system32\dllcache\cache\ntfs.sys
    + 2010-06-03 13:30 . 2005-08-22 18:29 197632 c:\windows\system32\dllcache\cache\netman.dll
    + 2010-06-03 13:30 . 2009-02-06 18:46 408064 c:\windows\system32\dllcache\cache\netlogon.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 182912 c:\windows\system32\dllcache\cache\ndis.sys
    + 2010-06-03 13:30 . 2008-06-20 17:41 245248 c:\windows\system32\dllcache\cache\mswsock.dll
    + 2010-06-03 13:30 . 2006-11-01 19:17 927504 c:\windows\system32\dllcache\cache\mfc40u.dll
    + 2010-06-03 13:30 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\cache\kernel32.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 110080 c:\windows\system32\dllcache\cache\imm32.dll
    + 2010-06-03 13:30 . 2008-07-07 20:32 253952 c:\windows\system32\dllcache\cache\es.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 792064 c:\windows\system32\dllcache\cache\comres.dll
    + 2010-06-03 13:30 . 2006-08-25 15:45 617472 c:\windows\system32\dllcache\cache\comctl32.dll
    + 2010-06-03 13:30 . 2004-08-10 19:00 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
    + 2010-06-03 13:30 . 2006-02-15 00:22 142464 c:\windows\system32\dllcache\cache\aec.sys
    + 2010-06-03 13:30 . 2004-08-10 19:00 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll
    + 2010-06-03 13:30 . 2010-02-16 17:37 2186880 c:\windows\system32\dllcache\cache\ntoskrnl.exe
    + 2010-06-03 13:30 . 2010-02-17 15:57 2063744 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
    + 2010-06-03 13:30 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\cache\mshtml.dll
    + 2010-06-03 13:30 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E94126A3-FBB7-B8EC-DBB3-8B7931DBDF01}]
    2010-05-27 11:57 169472 ----a-w- c:\windows\system32\swvyslcmvyx.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
    "pjpvyiqvfjo"="c:\windows\system32\swvyslcmvyx.dll" [2010-05-27 169472]
    "MChk"="c:\windows\system32\ncrpuidj.exe" [2010-05-24 40633]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\
    GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2009-10-7 451584]

    c:\documents and settings\Cubase LE\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VideoCam Suite 2.0.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VideoCam Suite 2.0.lnk
    backup=c:\windows\pss\VideoCam Suite 2.0.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-92C8B56D4E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-92C8B56D4E^Start Menu^Programs^Startup^Secunia PSI.lnk]
    path=c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\Secunia PSI.lnk
    backup=c:\windows\pss\Secunia PSI.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 22:43 69632 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
    2005-11-30 14:35 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    2008-07-19 07:02 266497 ----a-w- c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-27 23:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
    2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-10 19:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WUA-1340]
    2005-12-15 16:19 2715648 ----a-w- c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2005-01-08 00:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1210028400\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 17:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2006-01-07 05:09 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
    2006-01-07 05:09 659456 ----a-w- c:\windows\system32\hphmon06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2006-01-07 05:09 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2007-06-25 12:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-04-02 20:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-23 21:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-12 03:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-12 03:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
    2004-10-07 22:53 131072 ----a-w- c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
    2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2005-09-22 17:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
    2007-06-25 12:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-04-27 15:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1210028400\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Pidgin\\pidgin.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\Program Files\\GmoteServer\\GmoteServer.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "8889:TCP"= 8889:TCP:gmote

    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/15/2009 12:29 PM 14976]
    S0 obomshz;obomshz;c:\windows\system32\drivers\wjindtf.sys --> c:\windows\system32\drivers\wjindtf.sys [?]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
    S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 7:03 AM 7808]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [7/5/2009 10:05 PM 18432]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - peehmji

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-06-08 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2009-09-21 05:09]

    2010-06-09 c:\windows\Tasks\User_Feed_Synchronization-{E34E5590-8C9C-42F3-BC91-59BF3E840393}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner.YOUR-92C8B56D4E\Application Data\Mozilla\Firefox\Profiles\scmk6iki.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=.
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    MSConfigStartUp-nwiz - nwiz.exe
    MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-09 14:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\peehmji]

    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3171649797-3824822186-616433660-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:12,88,2d,03,2f,8a,15,1b,76,b4,15,18,ff,c0,64,ff,1a,bc,ec,cd,ed,0b,c1,
    f5,bd,4f,8a,bb,3a,38,30,2e,e7,ef,17,e8,21,c4,c6,14,53,07,06,6b,4a,2a,c7,76,\
    "??"=hex:1d,14,7d,cb,f4,2d,95,98,8e,a0,bb,e4,ae,71,f6,6b
    .
    Completion time: 2010-06-09 15:00:24
    ComboFix-quarantined-files.txt 2010-06-09 19:00
    ComboFix2.txt 2010-06-03 13:33
    ComboFix3.txt 2009-05-01 15:15

    Pre-Run: 37,914,316,800 bytes free
    Post-Run: 37,863,559,168 bytes free

    - - End Of File - - B0B61B29ADE77805B985DBD362C84700

  6. #6
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello chrisbattista03

    Thank you for the log.

    We need to run ComboFix again, but this time, we will be running it in a different way.


    1. Please work through the following steps


      • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

        Code:
        http://forums.spybot.info/showthread.php?t=57783
        
        Collect::
        c:\windows\system32\Spool\prtprocs\w32x86\uO931i.dll
        c:\windows\system32\Spool\prtprocs\w32x86\93179w179.dll
        c:\windows\system32\Spool\prtprocs\w32x86\17u3m7.dll
        c:\windows\system32\Spool\prtprocs\w32x86\17oCE7.dll
        c:\windows\system32\ejoyieghoqgp.exe
        c:\windows\system32\swvyslcmvyx.dll
        c:\windows\system32\ncrpuidj.exe
        c:\windows\system32\swvyslcmvyx.dll
        c:\windows\system32\swvyslcmvyx.dll
        c:\windows\system32\ncrpuidj.exe
        c:\windows\system32\drivers\wjindtf.sys
        c:\windows\system32\drivers\peehmji.sys
        
        Driver::
        obomshz
        
        Registry::
        [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E94126A3-FBB7-B8EC-DBB3-8B7931DBDF01}]
        [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\peehmji]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "pjpvyiqvfjo"=-
        "MChk"=-
        
        DDS::
        uInternet Settings,ProxyOverride = <local>
        uInternet Settings,ProxyServer = http=127.0.0.1:5555
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Referring to the picture below, drag CFScript.txt into ComboFix.exe




      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
      • Once the log is produced, re-engage your resident anti virus.
      • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
      • Ensure you are connected to the internet and click OK on the message box.


      Please post the ComboFix log in your next reply.
    Proud Graduate of the WTT Classroom
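The CFScript above targets a handful of indicators from the posted log: a proxy on 127.0.0.1:5555, the deregistered peehmji driver, and the Security Center override values. As an added example that is not part of this thread and not code from ComboFix or DDS, here is a small Python triage script that scans DDS/ComboFix-style log lines for those same indicators; the sample lines are constructed from the log format quoted above, and the allowlist of legitimate search hosts is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the DDS/ComboFix output quoted in this thread.
SAMPLE_LOG_LINES = [
    "AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}",
    "FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}",
    "--- Other Services/Drivers In Memory ---",
    "*Deregistered* - peehmji",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    '"AntiVirusOverride"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]",
    '"DisableMonitoring"=dword:00000001',
    "uStart Page = hxxp://www.att.net",
    "uInternet Settings,ProxyOverride = <local>",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    "FF - prefs.js: browser.startup.homepage - www.google.com",
    "FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=",
    "FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=.",
]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "review": confirm with the user first
    reason: str
    line: str


# A proxy on the loopback interface means a local process sits between the browser
# and the network: normal on a developer box, a classic hijack sign on a home PC.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)", re.I)
# A driver running in memory with no matching service registration.
DEREGISTERED = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)$")
# Security Center values that suppress the "no antivirus / firewall" warnings.
SECCENTER_OVERRIDE = re.compile(r'^"(AntiVirusOverride|DisableMonitoring)"=dword:0*1$')
# DDS header lines reporting real-time protection switched off.
PROTECTION_OFF = re.compile(r"^(AV|FW):.*\*(?:On-access scanning )?disabled\*")
# Firefox keyword.URL decides where address-bar searches go; prefs.js is user
# state, user.js is a policy file that silently re-applies the value on every start.
FF_KEYWORD_URL = re.compile(r"^FF - (prefs|user)\.js: keyword\.URL - (\S+)$")
# Assumption: hosts treated as legitimate search back-ends for keyword.URL.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
DEFANGED_SCHEME = re.compile(r"^(?:hxxps?|https?)://", re.I)


def url_host(url: str) -> str:
    """Return the host part of a URL, accepting the defanged hxxp:// scheme DDS writes."""
    return DEFANGED_SCHEME.sub("", url).split("/", 1)[0].lower()


def triage_lines(lines) -> list[Finding]:
    """Scan DDS/ComboFix log lines and return the indicators worth a closer look."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := LOOPBACK_PROXY.search(line):
            findings.append(Finding("high", f"loopback proxy {m[1]}:{m[2]}", line))
        elif m := DEREGISTERED.match(line):
            findings.append(Finding("high", f"deregistered driver in memory: {m[1]}", line))
        elif m := SECCENTER_OVERRIDE.match(line):
            findings.append(Finding("review", f"security center {m[1]} set", line))
        elif m := PROTECTION_OFF.match(line):
            findings.append(Finding("review", f"{m[1]} real-time protection disabled", line))
        elif m := FF_KEYWORD_URL.match(line):
            host = url_host(m[2])
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("review", f"{m[1]}.js keyword.URL points to {host}", line))
    return findings


def count_by_severity(findings) -> dict[str, int]:
    """Tally findings per severity so a helper can see at a glance what needs action."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_lines(SAMPLE_LOG_LINES)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(count_by_severity(results))
```

The "review" items are deliberately not auto-flagged as malicious: a helper often asks the user to disable resident protection before a scan, so those lines need confirmation rather than removal.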

  7. #7
    Member
    Join Date
    Apr 2009
    Posts
    63

    Default

    ComboFix 10-06-09.04 - Owner 06/10/2010 12:03:07.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.639 [GMT -4:00]
    Running from: c:\documents and settings\Owner.YOUR-92C8B56D4E\Desktop\chrisbatista.exe
    Command switches used :: c:\documents and settings\Owner.YOUR-92C8B56D4E\Desktop\CFScript.txt
    AV: *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Created a new restore point

    file zipped: c:\windows\system32\drivers\peehmji.sys
    file zipped: c:\windows\system32\ejoyieghoqgp.exe
    file zipped: c:\windows\system32\ncrpuidj.exe
    file zipped: c:\windows\system32\Spool\prtprocs\w32x86\17oCE7.dll
    file zipped: c:\windows\system32\Spool\prtprocs\w32x86\17u3m7.dll
    file zipped: c:\windows\system32\Spool\prtprocs\w32x86\93179w179.dll
    file zipped: c:\windows\system32\Spool\prtprocs\w32x86\uO931i.dll
    file zipped: c:\windows\system32\swvyslcmvyx.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\peehmji.sys
    c:\windows\system32\ejoyieghoqgp.exe
    c:\windows\system32\ncrpuidj.exe
    c:\windows\system32\Spool\prtprocs\w32x86\17oCE7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17u3m7.dll
    c:\windows\system32\Spool\prtprocs\w32x86\93179w179.dll
    c:\windows\system32\Spool\prtprocs\w32x86\uO931i.dll
    c:\windows\system32\swvyslcmvyx.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_obomshz
    -------\Legacy_peehmji
    -------\Service_peehmji


    ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
    .

    2010-06-03 13:21 . 2010-06-03 13:33 -------- d-----w- C:\ComboFix
    2010-06-03 12:03 . 2010-06-03 12:03 -------- d-----w- C:\28342
    2010-06-01 06:58 . 2010-06-01 06:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-06-01 06:58 . 2010-06-01 06:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\ATTTOOLBAR
    2010-06-01 06:12 . 2010-06-01 06:12 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-06-01 06:11 . 2010-06-09 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-05-22 05:01 . 2010-05-22 05:01 -------- d-----w- c:\program files\Video Converter

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-10 16:12 . 2009-10-07 04:12 -------- d-----w- c:\documents and settings\Owner.YOUR-92C8B56D4E\Application Data\Gmote
    2010-06-10 16:05 . 2009-02-10 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
    2010-05-10 05:01 . 2010-05-10 05:01 -------- d-----w- c:\program files\DebugMode
    2009-01-13 18:45 . 2009-07-15 01:19 81920 ----a-w- c:\program files\Common Files\WIZ1x0SR_105SR_CFG.exe
    2006-12-01 09:54 . 2009-07-15 01:19 626688 ----a-w- c:\program files\Common Files\MSVCR80.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\
    GmoteServer.lnk - c:\program files\GmoteServer\GmoteServer.exe [2009-10-7 451584]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VideoCam Suite 2.0.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VideoCam Suite 2.0.lnk
    backup=c:\windows\pss\VideoCam Suite 2.0.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-92C8B56D4E^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
    path=c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
    backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner.YOUR-92C8B56D4E^Start Menu^Programs^Startup^Secunia PSI.lnk]
    path=c:\documents and settings\Owner.YOUR-92C8B56D4E\Start Menu\Programs\Startup\Secunia PSI.lnk
    backup=c:\windows\pss\Secunia PSI.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-06-12 02:43 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2008-06-12 06:25 37232 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 22:43 69632 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
    2005-11-30 14:35 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
    2008-07-19 07:02 266497 ----a-w- c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-27 23:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
    2004-12-09 00:57 550912 ----a-w- c:\windows\zHotkey.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-10 19:00 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link Wireless G WUA-1340]
    2005-12-15 16:19 2715648 ----a-w- c:\program files\D-Link\Wireless G WUA-1340\AirGCFG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2005-01-08 00:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1210028400\EE\AOLHostManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 17:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2006-01-07 05:09 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
    2006-01-07 05:09 659456 ----a-w- c:\windows\system32\hphmon06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
    2006-01-07 05:09 49152 ----a-w- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    2007-06-25 12:47 1057064 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-04-02 20:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
    2007-08-23 21:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 23:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 19:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-12 03:17 13666408 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-12 03:17 110696 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
    2004-10-07 22:53 131072 ----a-w- c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
    2005-12-10 01:44 139264 ----a-w- c:\program files\Digital Media Reader\readericon45G.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
    2005-02-26 00:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2005-09-22 17:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
    2007-06-25 12:47 1629480 ----a-w- c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-04-27 15:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1210028400\\EE\\AOLServiceHost.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Pidgin\\pidgin.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
    "c:\\Program Files\\GmoteServer\\GmoteServer.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
    "3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
    "51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
    "51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
    "8889:TCP"= 8889:TCP:gmote

    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [4/15/2009 12:29 PM 14976]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
    S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 7:03 AM 7808]
    S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [7/5/2009 10:05 PM 18432]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-02 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-06-08 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2009-09-21 05:09]

    2010-06-10 c:\windows\Tasks\User_Feed_Synchronization-{E34E5590-8C9C-42F3-BC91-59BF3E840393}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner.YOUR-92C8B56D4E\Application Data\Mozilla\Firefox\Profiles\scmk6iki.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=.
    - - - - ORPHANS REMOVED - - - -

    AddRemove-ejoyieghoqgp - c:\windows\system32\ejoyieghoqgp.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-10 12:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-3171649797-3824822186-616433660-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:12,88,2d,03,2f,8a,15,1b,76,b4,15,18,ff,c0,64,ff,1a,bc,ec,cd,ed,0b,c1,
    f5,bd,4f,8a,bb,3a,38,30,2e,e7,ef,17,e8,21,c4,c6,14,53,07,06,6b,4a,2a,c7,76,\
    "??"=hex:1d,14,7d,cb,f4,2d,95,98,8e,a0,bb,e4,ae,71,f6,6b
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3080)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
    c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
    c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Common Files\aolshare\aolshcpy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
    c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\windows\system32\bgsvcgen.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\program files\Java\jre6\bin\javaw.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-10 12:23:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-10 16:23
    ComboFix2.txt 2010-06-09 19:00
    ComboFix3.txt 2010-06-03 13:33
    ComboFix4.txt 2009-05-01 15:15

    Pre-Run: 37,827,383,296 bytes free
    Post-Run: 37,672,095,744 bytes free

    - - End Of File - - C27D061C415183D26E4E64D259116281

  8. #8
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello chrisbattista03

    Thank you for the log. Before we continue, please do the following:

    1. Please manually upload the following files for analysis


      • The CFScript I asked you to run was designed to upload the malware files on your system for analysis. Unfortunately the upload failed so I would like you to upload these files manually. Please do the following:
      • Please click on the following LINK. A new window will open.
      • In the box marked "Link to topic where this file was requested:" please paste in the following text:


      Code:
      http://forums.spybot.info/showthread.php?t=57783
      • Click the "Browse" button and navigate to C:\Qoobox\Quarantine
      • There should be a zip file there called [4]-Submit_****-**-**_**.**.**.zip (the * denotes the Date and Time stamp - it will be close to this: 2010-06-10 16:23).
      • Select this file and click "Open".
      • In the Largest box please put:


      Code:
      File Requested By JonTom
      Failed Collect::
      • Finally click "SendFile".
      • Please let me know if the file was successfully uploaded.
    Proud Graduate of the WTT Classroom

  9. #9
    Member
    Join Date
    Apr 2009
    Posts
    63

    Default

    It says the file was successfully uploaded.

  10. #10
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello chrisbattista03

    It says the file was successfully uploaded.
    Good job


    1. Please perform the following scan:


      • Please download MalwareBytes AntiMalware by clicking here and save the file (called mbam-setup.exe) to your desktop.


      • Double click on the mbam-setup.exe icon to install the program.
      • Follow the prompts during installation and have the Installation Wizard create a desktop icon.
      • Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
      • Click on the "Update" tab and then on "Check for Updates".
      • The program will now install the latest Malware definition files.
      • Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
      • Once the program has scanned your computer, a log file will be created in Notepad.
      • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.



      • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
      • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
      • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
      • Come back here to this thread and Paste the log in your next reply.


    2. Please update your Java


      • To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
      • In the window that opens, click on the "Update" tab, and then on "Update Now".
      • Your Java should begin to update. Please follow any prompts that you receive.


    3. Please perform the following scan:


      • This is a very deep scan that can take many hours. In some instances you may need to let it run overnight. Please be patient.



      • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
      • DO NOT surf the net while your resident protection is disabled!
      • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.



      • Please perform a Kaspersky Online Scan of your computer by clicking here or here.



      • Click on the Accept button and install any components it needs.
      • The program will install and then begin downloading the latest definition files.
      • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
      • This will start the program and scan your system.
      • The scan will take a while, so be patient and let it run (at times it may appear to stall).
      • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.


      • Once the scan is complete, click on View scan report. To obtain the report:
      • Click on: Save Report As
      • Next, in the Save as prompt, Save in area, select: Desktop
      • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      • Then, click: Save
      • Please post the Kaspersky Online Scanner Report in your reply.
      • If you need help performing the above steps, an animated tutorial can be found here.


      Please provide the MBAM log and the Kaspersky Online Scan log in your next reply.

      Also, please describe how your machine is behaving now. Are you still experiencing problems?
    Proud Graduate of the WTT Classroom
