Here are the final log files. It caught one more trojan using the malware program.
The new ComboFix log files.
ComboFix 09-01-19.03 - user 2009-01-20 13:03:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2876 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\user\Application Data\LimeWire
c:\documents and settings\user\Application Data\LimeWire\.AppSpecialShare\3-4.torrent
c:\documents and settings\user\Application Data\LimeWire\active.mojito
c:\documents and settings\user\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\user\Application Data\LimeWire\createtimes.cache
c:\documents and settings\user\Application Data\LimeWire\downloads.dat
c:\documents and settings\user\Application Data\LimeWire\fileurns.bak
c:\documents and settings\user\Application Data\LimeWire\fileurns.cache
c:\documents and settings\user\Application Data\LimeWire\filters.props
c:\documents and settings\user\Application Data\LimeWire\gnutella.net
c:\documents and settings\user\Application Data\LimeWire\installation.props
c:\documents and settings\user\Application Data\LimeWire\library.dat
c:\documents and settings\user\Application Data\LimeWire\limewire.props
c:\documents and settings\user\Application Data\LimeWire\mojito.props
c:\documents and settings\user\Application Data\LimeWire\passive.mojito
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.lck
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.log
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\user\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\user\Application Data\LimeWire\questions.props
c:\documents and settings\user\Application Data\LimeWire\responses.cache
c:\documents and settings\user\Application Data\LimeWire\simpp.xml
c:\documents and settings\user\Application Data\LimeWire\spam.dat
c:\documents and settings\user\Application Data\LimeWire\tables.props
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\user\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\user\Application Data\LimeWire\ttrees.cache
c:\documents and settings\user\Application Data\LimeWire\ttroot.cache
c:\documents and settings\user\Application Data\LimeWire\version.xml
c:\documents and settings\user\Application Data\LimeWire\versions.props
c:\documents and settings\user\Application Data\LimeWire\xml\data\document.sxml2
c:\documents and settings\user\Application Data\LimeWire\xml\data\video.sxml2
c:\program files\BitLord
c:\program files\BitLord\BitLord.xml
c:\program files\BitLord\Downloads.xml
c:\program files\BitLord\lang\lang_ar_ae.xml
c:\program files\BitLord\lang\lang_bg_bg.xml
c:\program files\BitLord\lang\lang_ca_es.xml
c:\program files\BitLord\lang\lang_cz_cz.xml
c:\program files\BitLord\lang\lang_da_dk.xml
c:\program files\BitLord\lang\lang_de_de.xml
c:\program files\BitLord\lang\lang_el_gr.xml
c:\program files\BitLord\lang\lang_en_us.xml
c:\program files\BitLord\lang\lang_es_ar.xml
c:\program files\BitLord\lang\lang_es_es.xml
c:\program files\BitLord\lang\lang_et_ee.xml
c:\program files\BitLord\lang\lang_fi_fi.xml
c:\program files\BitLord\lang\lang_fr_fr.xml
c:\program files\BitLord\lang\lang_gl_es.xml
c:\program files\BitLord\lang\lang_he_il.xml
c:\program files\BitLord\lang\lang_hu_hu.xml
c:\program files\BitLord\lang\lang_it_it.xml
c:\program files\BitLord\lang\lang_jp_jp.xml
c:\program files\BitLord\lang\lang_ko_kr.xml
c:\program files\BitLord\lang\lang_nb_no.xml
c:\program files\BitLord\lang\lang_nl_nl.xml
c:\program files\BitLord\lang\lang_pl_pl.xml
c:\program files\BitLord\lang\lang_pt_br.xml
c:\program files\BitLord\lang\lang_pt_pt.xml
c:\program files\BitLord\lang\lang_ro_ro.xml
c:\program files\BitLord\lang\lang_ru_ru.xml
c:\program files\BitLord\lang\lang_sk_sk.xml
c:\program files\BitLord\lang\lang_sl_si.xml
c:\program files\BitLord\lang\lang_sr_sr.xml
c:\program files\BitLord\lang\lang_sv_se.xml
c:\program files\BitLord\lang\lang_th_th.xml
c:\program files\BitLord\lang\lang_tr_tr.xml
c:\program files\BitLord\lang\lang_va_es.xml
c:\program files\BitLord\lang\lang_zh_tw.xml
c:\program files\BitLord\rules\ipfilter.dat
.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.
2009-01-18 22:18 . 2009-01-18 22:18 0 --a------ c:\windows\LCDMedia.INI
2009-01-18 22:13 . 2009-01-18 22:13 <DIR> d-------- c:\program files\ERUNT
2009-01-14 01:23 . 2009-01-14 01:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\program files\Notepad++
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\documents and settings\user\Application Data\Notepad++
2009-01-13 00:43 . 2009-01-13 00:43 <DIR> d-------- c:\program files\Google
2009-01-12 23:25 . 2009-01-12 23:25 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-12 23:24 . 2009-01-12 23:24 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-12 23:23 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-12 23:19 . 2009-01-12 23:19 <DIR> d-------- c:\program files\MSECache
2009-01-12 22:20 . 2009-01-18 22:48 185 --a------ c:\windows\wininit.ini
2009-01-12 22:19 . 2009-01-12 22:19 <DIR> d-------- c:\program files\PowerISO
2009-01-12 21:53 . 2009-01-12 21:53 <DIR> d-------- c:\documents and settings\user\WINDOWS
2009-01-12 21:46 . 2009-01-12 21:46 288 --a------ c:\windows\ODBC.INI
2009-01-12 21:46 . 2009-01-12 21:46 126 --a------ c:\windows\mdm.ini
2009-01-12 21:43 . 2009-01-12 21:43 <DIR> d-------- c:\program files\Web Publish
2009-01-12 10:49 . 1998-06-02 11:56 313,856 --a------ c:\windows\system32\dx3j.dll
2009-01-12 10:49 . 1998-06-02 14:45 140,048 --a------ c:\windows\system32\jit.dll
2009-01-12 10:49 . 1998-06-02 12:29 135,168 --a------ c:\windows\system32\javaee.dll
2009-01-12 10:49 . 1998-06-02 12:41 42,496 --a------ c:\windows\setdebug.exe
2009-01-12 10:49 . 1998-06-02 12:28 7,356 --a------ c:\windows\system32\javasup.vxd
2009-01-12 10:49 . 1998-06-02 11:57 6,550 --a------ c:\windows\jautoexp.dat
2009-01-12 02:17 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-12 02:16 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\program files\NOS
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-09 22:17 . 2009-01-09 22:17 <DIR> d-------- c:\program files\CDisplay
2009-01-09 21:48 . 2009-01-09 21:58 <DIR> d-------- c:\windows\system32\m3V02
2009-01-09 21:48 . 2009-01-09 21:48 <DIR> d-------- c:\temp\tmp90
2009-01-09 11:08 . 2009-01-09 11:08 <DIR> d-------- c:\windows\Sun
2009-01-09 11:07 . 2009-01-09 11:07 <DIR> d-------- c:\program files\Java
2009-01-09 11:07 . 2009-01-09 11:07 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 11:07 . 2009-01-09 11:07 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-08 01:32 . 2009-01-08 01:35 <DIR> d-------- c:\program files\Project64 1.6
2009-01-08 00:55 . 2009-01-08 01:03 <DIR> d-------- c:\program files\MagicDVDRipper
2009-01-07 23:14 . 2009-01-07 23:14 <DIR> d-------- c:\program files\Karen's Power Tools
2009-01-07 23:14 . 2009-01-07 23:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-07 22:15 . 2009-01-09 21:48 <DIR> d-------- C:\temp
2009-01-07 22:12 . 2009-01-07 22:12 <DIR> d-------- c:\program files\Nidesoft Studio
2009-01-07 22:12 . 1999-09-10 12:06 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-01-07 22:12 . 1999-09-10 12:06 25,244 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-01-07 22:12 . 1999-09-10 12:06 5,600 --a------ c:\windows\system\WINASPI.DLL
2009-01-07 22:12 . 1999-09-10 12:06 4,672 --a------ c:\windows\system\WOWPOST.EXE
2009-01-07 21:56 . 2009-01-07 21:56 <DIR> d-------- C:\Output
2009-01-07 21:54 . 2009-01-07 21:54 34 --ah----- c:\windows\system32\DVDRipperDiamond_sysquict.dat
2009-01-07 10:40 . 2009-01-07 21:58 <DIR> d-------- c:\program files\Aglare DVD to AVI WMV MP4 MPEG Converter
2009-01-07 10:12 . 2009-01-07 10:12 <DIR> d-------- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-01-07 10:12 . 2009-01-07 10:12 67 --a------ c:\windows\Easy Video to DVD.INI
2009-01-02 19:26 . 2009-01-09 10:54 <DIR> d-------- c:\documents and settings\user\Application Data\CyberLink
2009-01-02 19:26 . 2009-01-09 10:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2009-01-01 16:19 . 2009-01-01 16:19 <DIR> d-------- c:\program files\FFXiBench3
2008-12-31 10:15 . 2007-01-03 17:36 1,875,110 --a------ c:\windows\system\cygwin1.dll
2008-12-31 10:15 . 2007-01-03 17:46 66,048 --a------ c:\windows\system\cygz.dll
2008-12-31 07:10 . 2008-12-31 07:10 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2008-12-29 14:00 . 2008-12-29 14:00 <DIR> d-------- c:\program files\Transparent
2008-12-29 13:27 . 2009-01-14 22:30 69 --a------ c:\windows\NeroDigital.ini
2008-12-29 12:48 . 2008-12-29 12:48 4,096 --a------ c:\windows\d3dx.dat
2008-12-29 12:36 . 2008-12-29 12:36 <DIR> d-------- c:\documents and settings\user\Application Data\DivX
2008-12-29 11:53 . 2008-12-29 11:53 <DIR> d-------- c:\program files\Common Files\LightScribe
2008-12-29 11:51 . 2008-12-29 11:51 <DIR> d-------- c:\program files\Common Files\Ahead
2008-12-29 11:50 . 2008-12-29 11:50 <DIR> d-------- c:\windows\InCD
2008-12-29 11:50 . 2008-12-29 11:51 <DIR> d-------- c:\program files\Ahead
2008-12-29 11:49 . 2008-12-29 11:49 <DIR> d-------- c:\program files\CyberLink
2008-12-29 11:48 . 2008-12-29 11:50 <DIR> d-------- c:\program files\CyberLink DVD Solution
2008-12-29 11:48 . 2004-10-02 07:00 40,960 --a------ c:\program files\Uninstall_CDS.exe
2008-12-29 11:18 . 2008-12-29 11:18 <DIR> d-------- c:\program files\MSBuild
2008-12-29 11:18 . 2008-12-29 11:18 <DIR> d-------- c:\program files\Microsoft Works
2008-12-29 11:16 . 2008-12-29 11:18 <DIR> d-------- c:\windows\SHELLNEW
2008-12-29 11:16 . 2009-01-12 00:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-29 11:15 . 2008-12-29 11:15 <DIR> dr-h----- C:\MSOCache
2008-12-29 11:08 . 2008-12-29 11:08 <DIR> d-------- c:\program files\Alcohol Soft
2008-12-29 11:04 . 2009-01-09 21:58 2 --a------ C:\1088846826
2008-12-29 10:49 . 2008-12-29 10:49 <DIR> d-------- c:\program files\PlayOnline
2008-12-29 10:27 . 2008-03-06 07:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2008-12-29 09:51 . 2008-12-29 09:51 <DIR> d-------- c:\windows\Logs
2008-12-28 14:47 . 2008-12-28 14:47 <DIR> d-------- c:\program files\Winamp Toolbar
2008-12-28 14:47 . 2008-12-28 14:47 <DIR> d-------- c:\program files\Winamp Remote
2008-12-28 14:47 . 2008-12-28 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-28 14:47 . 2008-12-28 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-28 14:46 . 2008-12-28 14:47 <DIR> d-------- c:\program files\Winamp
2008-12-28 14:46 . 2008-12-29 13:47 <DIR> d-------- c:\documents and settings\user\Application Data\Winamp
2008-12-28 14:42 . 2008-12-28 14:42 <DIR> d-------- c:\program files\DivX
2008-12-28 14:37 . 2008-12-28 14:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-28 14:37 . 2008-12-28 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 14:34 . 2009-01-20 13:01 12,531 --a------ c:\windows\system32\Config.MPF
2008-12-28 14:33 . 2008-12-30 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-28 14:32 . 2008-12-28 14:32 <DIR> d-------- c:\program files\McAfee.com
2008-12-28 14:32 . 2009-01-01 16:23 <DIR> d-------- c:\program files\McAfee
2008-12-28 14:32 . 2008-12-28 14:57 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-28 14:32 . 2008-06-27 22:08 207,656 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-28 14:32 . 2008-06-03 06:55 120,136 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-28 14:32 . 2008-06-27 22:08 79,240 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-28 14:32 . 2008-06-27 22:08 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-28 14:32 . 2008-06-27 22:08 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-28 14:32 . 2008-06-20 21:41 34,152 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-28 14:31 . 2008-12-30 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-28 14:30 . 2008-10-24 19:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-28 14:29 . 2008-09-05 01:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-28 14:28 . 2008-08-14 18:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-28 14:28 . 2008-08-14 18:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-28 14:28 . 2008-08-14 17:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-28 14:28 . 2008-08-14 17:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-28 14:28 . 2008-10-16 00:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-28 14:28 . 2008-09-08 18:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-28 14:26 . 2008-09-15 20:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-28 14:26 . 2008-08-14 18:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-28 14:25 . 2008-05-01 22:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-28 14:24 . 2008-04-12 03:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-28 14:23 . 2008-06-13 19:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-28 14:22 . 2008-05-08 22:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-28 14:09 . 2008-12-28 14:09 2,422 --a------ c:\windows\system32\wpa.bak
2008-12-28 13:57 . 2009-01-01 15:54 <DIR> d-------- c:\documents and settings\user\Application Data\mjusbsp
2008-12-28 13:57 . 2008-04-14 16:15 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2008-12-28 13:57 . 2008-04-14 16:15 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2008-12-28 13:54 . 2008-12-28 13:54 <DIR> d-------- c:\program files\Logitech
2008-12-28 13:54 . 2008-12-28 13:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 13:53 . 2008-04-14 16:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-28 13:53 . 2008-04-14 16:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-12-28 13:53 . 2008-04-14 21:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-12-28 13:53 . 2008-04-14 21:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-12-28 13:53 . 2008-04-14 16:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-12-28 13:53 . 2008-04-14 16:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-12-28 12:06 . 2004-08-04 20:00 180,770 --a--c--- c:\windows\system32\dllcache\c_20932.nls
2008-12-28 12:05 . 2001-08-18 14:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-28 12:05 . 2001-08-18 14:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 06:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-29 03:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-28 03:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-28 03:36 --------- d-----w c:\program files\AGEIA Technologies
2008-12-28 03:31 --------- d-----w c:\program files\Intel
2008-12-28 03:30 --------- d-----w c:\program files\Realtek
2008-12-28 03:29 315,392 ----a-w c:\windows\HideWin.exe
2008-12-28 03:24 --------- d-----w c:\program files\microsoft frontpage
2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-27 18:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 18:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 18:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 18:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-18_22.29.38.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-18 13:17:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-20 04:18:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-18 13:17:32 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-20 04:18:56 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-20 04:18:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-18 13:52:57 66,580 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-20 04:56:34 66,580 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-18 13:52:57 427,922 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-20 04:56:34 427,922 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-20 04:52:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\user\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-13 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-13 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-12 641208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-15 233472]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"nwiz"="nwiz.exe" [2008-11-13 c:\windows\system32\nwiz.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4vcxx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6fmxx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
-r------- 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
-r------- 2008-05-16 14:39 16862720 c:\windows\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\user\\Application Data\\mjusbsp\\magicJack.exe"=
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-28 36864]
R4 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-30 206096]
S0 ati4vcxx;ati4vcxx;c:\windows\system32\Drivers\ati4vcxx.sys --> c:\windows\system32\Drivers\ati4vcxx.sys [?]
S0 ati6fmxx;ati6fmxx;c:\windows\system32\Drivers\ati6fmxx.sys --> c:\windows\system32\Drivers\ati6fmxx.sys [?]
S3 getplus(r) helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder
2008-12-28 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
2008-12-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {06D3657C-3AB2-4B4B-9116-79D53A357EEF} = 168.95.192.1 168.95.1.1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-20 13:04:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-20 13:05:39
ComboFix-quarantined-files.txt 2009-01-20 05:05:37
ComboFix2.txt 2009-01-18 14:30:18
Pre-Run: 77,779,767,296 bytes free
Post-Run: 77,758,865,408 bytes free
359 --- E O F --- 2009-01-18 14:37:13
The malware log file
Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3
1/20/2009 6:13:53 PM
mbam-log-2009-01-20 (18-13-53).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 161819
Time elapsed: 46 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F30D8395-9C1D-4BD4-A237-213872E0EF94}\RP39\A0008167.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:38 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\taskmgr.exe
E:\CDBrowser\Bin\demo32.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/...6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8665 bytes
The one trojan was removed by this, and it seems there are no more for Spybot to catch. I will run a scan later and let you know.