Problem with Virtumonde

alphaj2

New member
Hello, I've had problems with Virtumonde for a week or so now, I've used various spyware and malware removal programs to try and get rid of it. Even though I think it has been removed, after a couple days or so Spybot's resident comes up with a browser helper object trying to add a registry key and when I run Spybot, it finds Virtumonde again. I attempted to run Kaspersky Online Scanner in Internet Explorer but after I allow ActiveX and click the accept button, nothing happens. I have run Hijack This and attached is the produced log in two separate files (too big for one attachment). Thank you in advance for your help.
 
Hello

Please don't attach the logs


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
 
The following is the Combofix log file:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-08 23:32:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2042 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\gbRve12
C:\WINDOWS\BM57b8025e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\abadd.ini
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\adeeg.ini
C:\WINDOWS\SYSTEM32\adeeg.ini2
C:\WINDOWS\system32\aqVreo18
C:\WINDOWS\SYSTEM32\ddeeg.ini
C:\WINDOWS\SYSTEM32\ddeeg.ini2
C:\WINDOWS\system32\disk.exe
C:\WINDOWS\SYSTEM32\gjkkj.ini2
C:\WINDOWS\system32\nnnopqq.dll
C:\WINDOWS\system32\ssqpq.dll
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\SYSTEM32\utvwa.ini
C:\WINDOWS\SYSTEM32\utvwa.ini2
C:\WINDOWS\system32\vwadyqwd.dll
C:\WINDOWS\SYSTEM32\wybeg.ini
C:\WINDOWS\SYSTEM32\wybeg.ini2
C:\WINDOWS\SYSTEM32\ybeeg.ini
C:\WINDOWS\SYSTEM32\ybeeg.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD
-------\Legacy_WINDOWS_LOG


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-08 23:37 30,440 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 30,440 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 27,264 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 27,264 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-08 23:37 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-08 23:03 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-06 02:07 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-06 02:07 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-08 23:37 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-08 23:37 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 13:19 . 2008-03-30 13:19 474 --ahs---- C:\WINDOWS\SYSTEM32\cilxfsxl.ini
2008-03-30 02:23 . 2008-03-30 13:14 414 --ahs---- C:\WINDOWS\SYSTEM32\iqngmfly.ini
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-29 00:42 . 2008-03-29 01:14 294 --ahs---- C:\WINDOWS\SYSTEM32\nttdgfmh.ini
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:44 . 2008-03-27 22:44 294 --ahs---- C:\WINDOWS\SYSTEM32\disrvmsy.ini
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-08 23:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-27 09:34 . 2008-03-27 11:40 354 --ahs---- C:\WINDOWS\SYSTEM32\tggkiqfv.ini
2008-03-27 06:52 . 2008-03-27 06:52 294 --ahs---- C:\WINDOWS\SYSTEM32\ymgoavaw.ini
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 05:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2008-02-10 04:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-10 04:23 --------- d--h--w C:\Documents and Settings\Justin Grubbs\Application Data\GTek
2008-02-10 04:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13C2439E-4C6B-405B-838E-76B2D19D9955}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1AFE017A-2C89-4D9A-A372-80D5DD8A3FD3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{224CAA1B-E6F3-4C9E-9B77-08CBAF712C2D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BF3E33AD-405C-4B72-8FB3-0E924EC2521D}]
C:\WINDOWS\system32\geedd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc318c67-6661-4507-a22a-65b6da41345d}]
C:\WINDOWS\system32\vdiilesw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"0b9126567f7c"="C:\WINDOWS\System32\BASESRV5.exe" [2004-08-24 00:32 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"548b31c2"="C:\WINDOWS\system32\ylfmgnqi.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnopqq]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
C:\WINDOWS\wupdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 NTBOOT;NTBOOTMGR;C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe []
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{536a27c8-67fd-11dc-a0e2-00038a000015}]
\Shell\Auto\command - G:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e49feb-cb8a-11dc-a171-00038a000015}]
\Shell\Auto\command - F:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:38:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
.
**************************************************************************
.
Completion time: 2008-04-08 23:44:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 04:43:57
Pre-Run: 27,906,232,320 bytes free
Post-Run: 27,782,868,992 bytes free
.
2008-03-30 22:10:25 --- E O F ---
 
and now the new Hijack This log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:02 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Justin Grubbs\Desktop\mplayerc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Justin Grubbs\Desktop\mplayerc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsof.../en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 11365 bytes


Thank you for your help.
 
Hello

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\cilxfsxl.ini
C:\WINDOWS\SYSTEM32\iqngmfly.ini
C:\WINDOWS\SYSTEM32\nttdgfmh.ini
C:\WINDOWS\SYSTEM32\disrvmsy.ini
C:\WINDOWS\SYSTEM32\tggkiqfv.ini
C:\WINDOWS\SYSTEM32\ymgoavaw.ini
C:\WINDOWS\wupdt.exe
G:\Start.exe
F:\Start.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{536a27c8-67fd-11dc-a0e2-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e49feb-cb8a-11dc-a171-00038a000015}]

Driver::
svhost

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and post a new HijackThis log
 
Here is the new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:22 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsof.../en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif

--
End of file - 11253 bytes
 
Hello

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\System32\BASESRV5.exe"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:

    • C:\WINDOWS\System32\BASESRV5.exe

  • Click Open.
  • Click Post.
Thank you!



1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22} - (no file)
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log and the ComboFix log
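The fix list above is the helper's by-hand selection from the posted log. As an added example (not the helper's tool and not part of HijackThis or ComboFix), here is a small Python triage script that applies the same kind of rules to HijackThis log lines and flags candidates for a person to review: entries whose registered file is absent, unnamed BHOs or toolbars, Run values with random-hex names, Winlogon Notify entries that point at a directory instead of a DLL, and desktop components served from a Temp folder. The rules are my own heuristics, not a detection signature; the sample lines are copied from the logs in this thread, with a few known-good entries mixed in. A flag is a prompt for judgment, not a verdict: the script also flags the O23 services with "(file missing)", which the helper deliberately left off the HijackThis fix list.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, mixed with known-good entries, so the rules below have something
# to sort. A real run would read the saved hijackthis.log instead.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206BBDAF-D21C-4DB0-80D9-BEDA46AA2E22} - (no file)
O2 - BHO: (no name) - {BF3E33AD-405C-4B72-8FB3-0E924EC2521D} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: {d54314ad-6b56-a22a-7054-166676c813cf} - {fc318c67-6661-4507-a22a-65b6da41345d} - C:\WINDOWS\system32\vdiilesw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnopqq - C:\WINDOWS\
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/JUSTIN~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
"""

# Every HijackThis entry starts with its section code ("O2", "R1", ...).
ENTRY = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<body>.*)$")
# HijackThis marks an entry whose target no longer exists on disk.
ABSENT = re.compile(r"\((?:no file|file missing)\)$", re.IGNORECASE)
# O4 lines carry the Run value name in square brackets.
RUN_VALUE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]")
# Heuristic (my assumption): 8+ lowercase hex chars is not a name a vendor picks.
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")
TEMP_DIR = re.compile(r"[/\\]temp[/\\]", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list, blank line, etc.
    sec, body = m.group("sec"), m.group("body").strip()
    if ABSENT.search(body):
        return Finding(sec, "registered target file is absent (orphaned entry)", line)
    if sec in ("O2", "O3") and "(no name)" in body:
        return Finding(sec, "unnamed BHO/toolbar", line)
    if sec == "O4":
        rv = RUN_VALUE.match(body)
        if rv and HEX_NAME.match(rv.group("name")):
            return Finding(sec, "Run value named like a random hex string", line)
    if sec == "O20" and body.endswith("\\"):
        return Finding(sec, "Winlogon Notify entry points at a directory, not a DLL", line)
    if sec == "O24" and TEMP_DIR.search(body):
        return Finding(sec, "Desktop component served from a Temp folder", line)
    return None


def triage(log_text: str):
    """Run every line of a HijackThis log through the rules; keep the hits."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def by_reason(findings):
    """Count findings per rule, handy for a quick summary of a long log."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules are ordered so that the strongest signal wins: an entry that is both unnamed and orphaned is reported once, as orphaned. Rules fire on the log text only, so the script never touches the registry; deciding what to actually fix stays with the person reading the output, as it does in this thread.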
 
I started the new thread under The Spykiller - Spyware and Malware Cleaning > Uploads > , the link is http://thespykiller.co.uk/index.php/topic,6357.new.html#new?PHPSESSID=e9f7f27b7ffd25854a85720ae6a08187

Here is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:45 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsof.../en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10613 bytes
 
and the ComboFix log:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-09 21:37:39.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2035 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 00:01 . 2008-04-09 00:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-09 21:33 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-09 21:33 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-09 21:35 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-09 11:42 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 11:42 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 21:33 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-09 21:33 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-09 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2008-02-10 04:23 --------- d--ha-w C:\Documents and Settings\All Users\Application Data\GTek
2008-02-10 04:23 --------- d--h--w C:\Documents and Settings\Justin Grubbs\Application Data\GTek
2008-02-10 04:23 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_10.41.04.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 15:28:16 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-04-10 02:38:47 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-04-09 15:28:16 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-04-10 02:38:48 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"0b9126567f7c"="C:\WINDOWS\System32\BASESRV5.exe" [2004-08-24 00:32 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"548b31c2"="C:\WINDOWS\system32\ylfmgnqi.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 21:42:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-09 21:44:08
ComboFix-quarantined-files.txt 2008-04-10 02:43:41
ComboFix2.txt 2008-04-09 15:41:40
ComboFix3.txt 2008-04-09 04:44:01
Pre-Run: 27,650,412,544 bytes free
Post-Run: 27,624,480,768 bytes free
.
2008-04-09 05:03:17 --- E O F ---


Thank you for all of your time and help.
 
Hello

1. Please re-open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\System32\BASESRV5.exe

Driver::
svhost

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: Combo-Do.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Reboot and post a new HijackThis log
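The two Run entries singled out above stand out for reasons that can be checked mechanically: a value name that is nothing but hex digits, and a rundll32 call loading a DLL with an unpronounceable name straight from system32. The script below is an added example, not code from this thread or from HijackThis or ComboFix. It parses HijackThis O4 lines, scores them with heuristics that are this example's own assumptions (hex-only value name, random-looking DLL loaded by rundll32 from system32, single-character entry point, threshold of 3), and emits the file paths of the hits as a File:: section in the CFScript layout shown in the post above. The sample lines are copied from the HijackThis log posted earlier in the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines copied from the HijackThis log posted in this
# thread. Two were selected for "Fix checked" by the helper; three benign
# entries are included for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [0b9126567f7c] C:\WINDOWS\System32\BASESRV5.exe
O4 - HKLM\..\Run: [548b31c2] rundll32.exe "C:\WINDOWS\system32\ylfmgnqi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HEX_NAME_RE = re.compile(r"[0-9a-f]{8,}")  # assumed indicator: value name is bare hex
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S*))?', re.IGNORECASE
)


@dataclass
class Finding:
    line: str
    name: str
    path: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Assumed heuristic: 8+ letters with a vowel ratio under 25 percent."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def target_path(cmd: str) -> str:
    """File the Run value actually launches (the DLL for rundll32 entries)."""
    rd = RUNDLL_RE.match(cmd)
    if rd:
        return rd["dll"]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_o4(log_text: str, threshold: int = 3) -> list[Finding]:
    """Score every O4 Run entry; return those at or above the threshold."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        cmd = m["cmd"]
        f = Finding(line=raw.strip(), name=m["name"], path=target_path(cmd))
        if HEX_NAME_RE.fullmatch(f.name):
            f.score += 3
            f.reasons.append("value name is a bare hex string")
        rd = RUNDLL_RE.match(cmd)
        if rd:
            base = rd["dll"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "system32" in rd["dll"].lower() and looks_random(base):
                f.score += 3
                f.reasons.append(f"rundll32 loads random-looking {base}.dll from system32")
            if rd["entry"] and len(rd["entry"]) == 1:
                f.score += 1
                f.reasons.append("single-character rundll32 entry point")
        if f.score >= threshold:
            findings.append(f)
    return findings


def cfscript_file_section(findings: list[Finding]) -> str:
    """File:: block in the layout the helper's CFScript above uses."""
    return "\n".join(["File::", *(f.path for f in findings)])


if __name__ == "__main__":
    hits = triage_o4(SAMPLE_LOG)
    for f in hits:
        print(f"{f.score:>2}  {f.line}\n    " + "; ".join(f.reasons))
    print()
    print(cfscript_file_section(hits))
```

Run against the sample, only the two entries the helper picked cross the threshold; the legitimate Java, QuickTime and ctfmon entries score zero. The scores are a triage aid for deciding what to look at, not a verdict: a hit still needs the file checked before it goes into a fix list.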
 
The new Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:45 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SmileyDistrict\plugin.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Smiley District] C:\Program Files\SmileyDistrict\plugin.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://test.catalog.update.microsof.../en/x86/MuCatalogWebControl.cab?1185785550250
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120365521515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195539745562
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe (file missing)
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10389 bytes


While I have your assistance, is there any way to keep Windows Explorer from opening the System32 folder when Windows starts? Thank you.
 
Yes, hopefully.

Can you post the ComboFix log and do this:


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan":
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
ComboFix log:

ComboFix 08-04-08.7 - Justin Grubbs 2008-04-10 19:42:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2022 [GMT -5:00]
Running from: C:\Documents and Settings\Justin Grubbs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Justin Grubbs\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\BASESRV5.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\System32\BASESRV5.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 00:01 . 2008-04-09 00:03 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-04-06 22:36 . 2008-04-06 22:36 146 --a------ C:\WINDOWS\capture.INI
2008-04-05 18:59 . 2008-04-05 18:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-05 18:52 . 2008-04-05 18:52 <DIR> d-------- C:\Deckard
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes
2008-04-05 16:48 . 2008-04-05 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-31 00:51 . 2008-04-10 19:34 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 29,544 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 26,424 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-31 00:51 . 2008-04-10 19:34 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10001102}.rfx
2008-03-30 17:10 . 2008-03-30 17:10 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-03-30 15:00 . 2008-04-10 19:36 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-03-30 14:58 . 2008-04-09 22:15 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 31,856 --a------ C:\WINDOWS\SYSTEM32\BMXState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 30,960 --a------ C:\WINDOWS\SYSTEM32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-09 22:15 11,564 --a------ C:\WINDOWS\SYSTEM32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.rfx
2008-03-30 14:58 . 2008-04-10 19:34 2,064 --a------ C:\WINDOWS\SYSTEM32\settingsbkup.sfm
2008-03-30 14:58 . 2008-04-10 19:34 2,064 --a------ C:\WINDOWS\SYSTEM32\settings.sfm
2008-03-30 13:59 . 2008-03-30 13:59 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\scar5
2008-03-30 13:59 . 2008-03-30 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\scar5
2008-03-30 13:54 . 2008-03-30 15:00 <DIR> d-------- C:\Program Files\Bazooka Scanner
2008-03-30 02:18 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-03-30 02:18 . 2008-03-30 02:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-03-30 02:13 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\SYSTEM32\d3dx9_35.dll
2008-03-30 02:11 . 2008-03-30 02:11 <DIR> d-------- C:\Program Files\MSBuild
2008-03-30 02:06 . 2008-03-30 02:06 <DIR> d-------- C:\WINDOWS\SYSTEM32\XPSViewer
2008-03-30 02:04 . 2008-03-30 02:04 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-03-30 02:03 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\SYSTEM32\spmsg2.dll
2008-03-30 01:49 . 2008-03-30 02:26 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-03-30 01:49 . 2008-03-30 01:49 <DIR> d-------- C:\Program Files\Autodesk
2008-03-30 01:49 . 2008-03-30 14:09 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\Autodesk
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-03-27 22:35 . 2008-03-27 22:38 <DIR> d-------- C:\Program Files\GRETECH
2008-03-27 12:18 . 2008-04-10 19:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-25 10:29 . 2008-03-27 09:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\Justin Grubbs\Application Data\SUPERAntiSpyware.com
2008-03-25 10:29 . 2008-03-25 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 02:26 . 2008-03-25 02:26 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-03-25 02:04 . 2008-02-09 23:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-03-25 02:04 . 2003-10-03 15:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-03-25 02:04 . 2008-02-10 06:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-03-24 02:38 . 2008-03-24 02:36 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-24 02:38 . 2008-03-24 02:38 2,549 --a------ C:\WINDOWS\unins000.dat
2008-03-23 02:11 . 2008-01-10 12:40 74,608 --a------ C:\WINDOWS\TrueInstall.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 03:43 --------- d-----w C:\Program Files\PSpice
2008-04-07 01:34 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\LimeWire
2008-04-06 22:39 --------- d-----w C:\Program Files\iTunes
2008-04-06 22:39 --------- d-----w C:\Program Files\iPod
2008-04-06 22:37 --------- d-----w C:\Program Files\QuickTime
2008-03-28 03:32 --------- d-----w C:\Program Files\DivX
2008-03-25 15:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 03:16 --------- d-----w C:\Program Files\LimeWire
2008-03-24 07:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 17:01 --------- d-----w C:\Program Files\Ares
2008-03-23 07:11 --------- d-----w C:\Program Files\TrueSwitchComcast
2008-03-23 07:11 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\TrueSwitch
2008-03-08 08:42 --------- d-----w C:\Program Files\Java
2008-03-07 07:12 --------- d-----w C:\Program Files\Creative
2008-03-07 07:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-23 07:00 --------- d-----w C:\Program Files\AIM6
2008-02-23 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-23 06:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-02-22 18:07 --------- d-----w C:\Program Files\Panicware
2008-02-22 18:00 --------- d-----w C:\Program Files\Common Files\aol
2008-02-22 17:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-22 17:56 --------- d-----w C:\Documents and Settings\Justin Grubbs\Application Data\AOL
2008-02-11 05:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-11 05:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-11 05:46 --------- d-----w C:\Program Files\Symantec
2007-11-12 06:09 40,224 -c--a-w C:\Documents and Settings\Justin Grubbs\Application Data\GDIPFONTCACHEV1.DAT
2005-03-11 03:57 32,968 -c--a-w C:\Documents and Settings\Justin Grubbs\apache.exe
2006-09-24 04:36 2,516 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-04-09_10.41.04.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-09 15:28:16 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-04-11 00:39:47 70,964 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-04-09 15:28:16 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-04-11 00:39:47 437,794 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"NBJ"="C:\Program Files\ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"EasyDVDMon"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 19:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"DwlClient"="C:\Program Files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 10:46 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"Smiley District"="C:\Program Files\SmileyDistrict\plugin.exe" [2006-05-17 02:47 53248]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDET.EXE" [2003-06-18 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\SYSTEM32\CTXFIHLP.EXE]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-06 00:37:10 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2006-11-01 17:07:12 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3radius"= l3codecp.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= LameACM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\aim6.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=
"C:\\Program Files\\Common Files\\aol\\1127361846\\ee\\AOLServiceHost.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
R2 VICHW11;P&E BDM Cable Driver II;C:\WINDOWS\system32\drivers\VICHW11.sys [1998-10-02 15:20]
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
S3 RIOXDRV;SONICblue Rio generic driver XP+;C:\WINDOWS\system32\Drivers\RIOXDRV.sys [2004-03-05 03:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-27 16:33:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2006-07-29 19:50:23 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1144523391.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 19:47:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-10 19:48:09
ComboFix-quarantined-files.txt 2008-04-11 00:47:46
ComboFix2.txt 2008-04-10 02:44:09
ComboFix3.txt 2008-04-09 15:41:40
ComboFix4.txt 2008-04-09 04:44:01
Pre-Run: 27,572,666,368 bytes free
Post-Run: 27,548,401,664 bytes free
.
2008-04-09 05:03:17 --- E O F ---
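The log above is read by eye in the thread; the following is an added example, not part of the thread or of ComboFix, that does the same first pass mechanically over an excerpt of that log. It flags the items a removal helper looks for: a service whose binary is called svchost.exe but lives in C:\WINDOWS\system rather than system32 (the genuine one lives only in system32), Run-key or service entries ComboFix could not stat (empty `[ ]` file details), Security Center monitoring turned off, the XP firewall disabled, and svchost.exe listed as an authorized firewall application. The rules and the finding codes are this script's own assumptions; the sample lines are copied from the log.

```python
"""Triage a ComboFix-style log for the indicators a removal helper reads off by eye.

Added example for this thread, not part of ComboFix or of any post above.  The
sample below is an excerpt of the log the user posted; the detection rules are
this script's own and are assumptions about what is worth flagging:
  * a binary named svchost.exe outside %SystemRoot%\\system32 (the genuine one
    lives only there; the "svhost" service here points at C:\\WINDOWS\\system),
  * Run-key or service entries ComboFix could not stat (empty "[ ]" file details),
  * Security Center monitoring switched off and the XP firewall disabled,
  * svchost.exe listed as an authorized application in the firewall policy.
"""
import ntpath
import re

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=

R2 PEDRV;P&E Microcomputer System PCI Driver.;C:\WINDOWS\system32\drivers\PEDRV.sys [2000-08-03 19:25]
S2 svhost;svhosttest;C:\WINDOWS\system\svchost.exe []
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="path" [file details]   (Run keys)
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
# R2 name;description;path [file details]   (services / drivers)
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$")
ALLOWED_APP_RE = re.compile(r'^"([^"]+)"=\s*$')
SYSTEM32 = r"c:\windows\system32"


def normalise(path):
    """Collapse the doubled backslashes ComboFix prints for REG_SZ values, lower-case."""
    return path.replace("\\\\", "\\").strip().lower()


def svchost_out_of_place(path):
    """True when a binary calls itself svchost.exe but is not the real one in system32."""
    head, tail = ntpath.split(normalise(path))
    return tail == "svchost.exe" and head != SYSTEM32


def triage(log_text):
    """Return a list of (finding_code, detail) tuples in log order."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            svc_type, name, _desc, path, info = m.groups()
            if svchost_out_of_place(path):
                findings.append(("SVCHOST_PATH", f"service {name} ({svc_type}) runs {path}"))
            if not info.strip():
                findings.append(("SERVICE_NO_FILEINFO", f"service {name}: no file details for {path}"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, info = m.groups()
            if svchost_out_of_place(path):
                findings.append(("SVCHOST_PATH", f"Run entry {name} runs {path}"))
            if not info.strip():
                findings.append(("RUN_NO_FILEINFO", f"Run entry {name}: file missing or unreadable at {path}"))
            continue
        leaf = current_key.rsplit("\\", 1)[-1]
        if "security center" in current_key and line.startswith('"DisableMonitoring"=dword:00000001'):
            findings.append(("SECCENTER_MONITORING_OFF", leaf))
        elif "firewallpolicy" in current_key and re.match(r'^"EnableFirewall"=\s*0\b', line):
            findings.append(("FIREWALL_OFF", leaf))
        elif current_key.endswith(r"authorizedapplications\list"):
            m = ALLOWED_APP_RE.match(line)
            if m and ntpath.basename(normalise(m.group(1))) == "svchost.exe":
                findings.append(("FIREWALL_ALLOWS_SVCHOST", m.group(1)))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:26} {detail}")
```

The svchost rule is deliberately narrow: an allow-rule for the real system32\svchost.exe is only a "review" finding (every service hosted in svchost inherits it), whereas a second svchost.exe in C:\WINDOWS\system, registered as a service with no file details, is the line a helper would act on first.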
 
Hello

Post the Kaspersky report and do this

Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right-clicking it and selecting Send to Zip file.

Then upload that as an attachment in your next post.
 
Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 9:01:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 698660
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 121794
Number of viruses found: 13
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:35:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_GRUBBS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_GRUBBS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-11_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\gdql_lsa_LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.24504 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\cert8.db Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\history.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\key3.db Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\parent.lock Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Application Data\Mozilla\Firefox\Profiles\eb4xfr1u.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\History\History.IE5\MSHist012008041120080412\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temp\Acr54F9.tmp Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe/data0002 Infected: not-a-virus:AdWare.Win32.FlashTrack.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero-8.2.8.0_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero-8.2.8.0_eng_update.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0037 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Justin Grubbs\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Justin Grubbs\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pedriver.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\BASESRV5.exe.vir Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vwadyqwd.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000598.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0001011.exe Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\change.log Object is locked skipped
C:\WINDOWS\ast_2to3_bp.exe/WISE0006.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\ast_2to3_bp.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\ast_4_bp.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\ast_4_bp.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\gsi.exe/data0002/data0136 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0002 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0003/data0115 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\gsi.exe NSIS: infected - 4 skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10001102}.CDF Object is locked skipped

Scan process completed.


Thank you.
 
Just to let you know, the cracks you downloaded are responsible for your infection.

You will need to host the run file at a site like mediafire.com



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    [kill explorer]
    C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe
    C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%
    C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/NHInstall.exe
    C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe
    C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe
    C:\WINDOWS\ast_2to3_bp.exe
    C:\WINDOWS\ast_4_bp.exe
    C:\WINDOWS\gsi.exe
    C:\WINDOWS\SYSTEM32\Xcite2.exe
    purity 
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
Here is the link to the RunScanner .zip file

http://www.mediafire.com/?tn9tx9mimjm

When I clicked the Moveit! button, OTMoveIt2 moved the first files but gave me an error saying "Invalid name flag [NHInstall.exe] Must be numerical" so I removed it from the list and continued with the move. Here is the resulting log file.

C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe moved successfully.
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe moved successfully.
C:\WINDOWS\ast_2to3_bp.exe moved successfully.
C:\WINDOWS\ast_4_bp.exe moved successfully.
C:\WINDOWS\gsi.exe moved successfully.
C:\WINDOWS\SYSTEM32\Xcite2.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04122008_105445

Thank you.
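The OTMoveIt2 error above comes from one line of the move list: Kaspersky reports an object found inside an installer as `<file on disk>/<member>/<member>`, so `setup.exe/data0013/NHInstall.exe` names an archive member, not a file Windows can address, while the plain `setup.exe` line moved fine. The following added example (not part of the thread, of Kaspersky or of OTMoveIt2) turns an excerpt of the report into an on-disk move list: it strips archive-member suffixes, drops container summary lines (`NSIS: infected - 6`) and `Object is locked` noise, de-duplicates, and separates files that are already sitting in a quarantine folder or in System Volume Information from live files. The quarantine markers and the "contained versus live" split are this script's assumptions; the bracket directives in the output mirror the helper's list.

```python
"""Turn Kaspersky "Infected:" report lines into a list of on-disk files to move.

Added example for this thread, not part of Kaspersky, OTMoveIt2 or any post above.
The part of a reported object after the first "/" is an archive member (Windows paths
never contain "/"), so only the text before it is a path a file mover can act on.
Files already under a quarantine folder or System Volume Information are reported
separately (assumption: they are contained and are cleaned up by the tool that owns
them, or by purging restore points, not by a file move).
"""
import re

# Constructed sample: lines copied from the Kaspersky report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Justin Grubbs\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.24504 Infected: Trojan.Win32.VB.cng skipped
C:\Documents and Settings\Justin Grubbs\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe/data0002 Infected: not-a-virus:AdWare.Win32.FlashTrack.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\ftNU-20030108.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%\Nero-8.2.8.0_eng_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe/data0013/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Justin Grubbs\My Documents\setup_ares.exe/data0036/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\BASESRV5.exe.vir Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0000598.dll Infected: not-a-virus:AdWare.Win32.BHO.v skipped
C:\WINDOWS\ast_2to3_bp.exe/WISE0006.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped
C:\WINDOWS\gsi.exe/data0002/data0136 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\WINDOWS\SYSTEM32\Xcite2.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.m skipped
"""

# <object> Infected: <detection name> <last action>
INFECTED_RE = re.compile(r"^(?P<obj>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)\s*$")

# Assumed locations whose contents are already contained (lower-cased substrings).
CONTAINED_MARKERS = ("\\qoobox\\quarantine\\", "\\quarantine\\", "\\system volume information\\")


def parse_infected(report):
    """Yield (on_disk_path, archive_member, detection) for each 'Infected:' line."""
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue  # locked objects, container summaries, blank lines
        on_disk, _, member = m.group("obj").partition("/")
        yield on_disk, member, m.group("name")


def is_contained(path):
    """True for files that live inside a quarantine folder or a restore point."""
    low = path.lower()
    return any(marker in low for marker in CONTAINED_MARKERS)


def build_move_list(report):
    """Return (live, contained): de-duplicated on-disk paths in order of first sighting."""
    live, contained = [], []
    for on_disk, _member, _detection in parse_infected(report):
        bucket = contained if is_contained(on_disk) else live
        if on_disk not in bucket:
            bucket.append(on_disk)
    return live, contained


def format_otmoveit_list(paths):
    """Lay the live paths out the way the helper's OTMoveIt2 list above is laid out."""
    return "\n".join(["[kill explorer]", *paths, "[start explorer]"])


if __name__ == "__main__":
    live, contained = build_move_list(SAMPLE_REPORT)
    print(format_otmoveit_list(live))
    print("\nalready contained (quarantine folder or restore point):")
    for p in contained:
        print("  " + p)
```

On the excerpt this yields seven live files and three contained ones; every live entry is a path with no `/` in it, which is the property the rejected line lacked.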
 
You need to delete this keygen.

C:\Documents and Settings\Justin Grubbs\My Documents\Nero 8 Ultra Edition 8.2.8.0+Keygens WORKS 100%
 