virtumonde won't go away

Status
Not open for further replies.
P

purpletrekkie

New member
I've read through several posts, and I see I'm not the only one having trouble with this trojan. I've never posted on a forum before, so I apologize in advance if I say or do something annoying. Just realize that I don't know any better at this point. Windows update won't work, getting lots of pop up ads. I've run SpyBot several times, and it keeps coming back. I read somewhere about the dangers of P2P programs, and have removed Limewire. This is my daughter's computer, and she has agreed that P2P programs should be removed. If you can see any others from the logfiles, please let me know so they can be removed. Here is the logfile from hijackthis. Please Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:28 PM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\WINDOWS\System32\drivers\Tray900.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [70a605f9] rundll32.exe "C:\WINDOWS\system32\bslgchpe.dll",b
O4 - HKLM\..\Run: [BM73953665] Rundll32.exe "C:\WINDOWS\system32\mptptvfa.dll",s
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm028YYUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181600828421
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: vijqdj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10327 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time.
I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. The junk can be tough to remove, so do not expect fast or easy.

If you have not read this information, please do so.
http://forums.spybot.info/showthread.php?t=282

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
here is the combofix log

ComboFix 08-09-13.05 - Owner 2008-09-14 11:41:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.563 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Upstairs07\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-08 22:46 . 2008-09-08 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 21:41 . 2008-09-08 21:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-08 21:41 . 2008-09-08 21:41 <DIR> d-------- C:\Documents and Settings\Owner.Upstairs07\Application Data\PC Tools
2008-09-08 21:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-08 21:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-08 21:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-08 21:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-07 23:26 . 2008-09-08 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hazard Shield
2008-09-07 23:25 . 2008-09-07 23:26 <DIR> d-------- C:\Program Files\Hazard Shield
2008-09-07 13:38 . 2008-09-07 19:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-06 10:43 . 2008-09-06 10:43 <DIR> d-------- C:\Program Files\Safari
2008-09-06 10:43 . 2008-09-06 10:44 <DIR> d-------- C:\Program Files\RegCure
2008-09-04 07:17 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\Temp\dax41
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\Temp
2008-09-02 20:56 . 2008-09-02 20:56 <DIR> d-------- C:\Documents and Settings\Owner.Upstairs07\Application Data\Screenshot Sender
2008-08-15 14:27 . 2008-08-15 14:46 <DIR> d-------- C:\Program Files\ManyCam 2.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 19:25 --------- d-----w C:\Program Files\McAfee
2008-09-09 03:54 --------- d-----w C:\Program Files\LimeWire
2008-09-09 03:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-08 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 00:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-07 15:57 --------- d-----w C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire
2008-09-06 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-03 01:41 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-22 19:12 --------- d-----w C:\Documents and Settings\Owner.Upstairs07\Application Data\Apple Computer
2008-08-15 19:46 --------- d-----w C:\Program Files\ManyCam 2.2
2008-08-10 17:28 --------- d-----w C:\Program Files\Oberon Media
2008-08-10 04:35 --------- d-----w C:\Program Files\Apple Software Update
2008-08-05 13:15 --------- d-----w C:\Program Files\Java
2008-08-05 02:29 --------- d-----w C:\Documents and Settings\Owner.Upstairs07\Application Data\SiteAdvisor
2008-08-03 23:45 --------- d-----w C:\Program Files\iTunes
2008-08-03 23:45 --------- d-----w C:\Program Files\iPod
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2007-02-12 253000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-30 7311360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-03-30 36904]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 505368]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 780312]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-30 86016]
"PhiBtn"="C:\WINDOWS\System32\drivers\PhiBtn.exe" [2005-08-25 155648]
"Traymin900"="C:\WINDOWS\System32\drivers\Tray900.exe" [2005-08-25 266240]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 C:\WINDOWS\arpwrmsg.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 C:\WINDOWS\zHotkey.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-09 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2005-11-30 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2007-02-07 2348584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vijqdj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicBoard.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 1240576]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 361728]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 39680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12aa1c33-b6e3-11db-af3e-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: &Search - ?p=ZJxdm028YYUS
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 11:43:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
Completion time: 2008-09-14 11:45:12
ComboFix-quarantined-files.txt 2008-09-14 16:45:01
ComboFix2.txt 2008-09-14 16:36:10

Pre-Run: 185,151,049,728 bytes free
Post-Run: 185,130,418,176 bytes free

153 --- E O F --- 2008-08-15 20:17:36
 
here's hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:37 AM, on 9/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm028YYUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181600828421
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs: vijqdj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10004 bytes
 
Thanks for returning your information, please read the instructions and proceed carefully and in the number ed order.

I need to say first that items showing in the first HJT log are not in the second HJT log and they are not showing as having been removed by combofix:

O4 - HKLM\..\Run: [70a605f9] rundll32.exe "C:\WINDOWS\system32\bslgchpe.dll",b
O4 - HKLM\..\Run: [BM73953665] Rundll32.exe "C:\WINDOWS\system32\mptptvfa.dll",s

These are markers for the infection and something removed them, could you mention if you ran any tools after you posted the first HJT log. We will continue cleaning and make sure the junk is gone.

C:\Program Files\Messenger Plus! Live <<< please read about this junk
http://inetexplorer.mvps.org/answers/43.html
I would not have it on a computer I own...your call


1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
C:\Program Files\LimeWire
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O20 - AppInit_DLLs: vijqdj.dll <<< may be gone

Close all programs but HJT and all browser windows, then click on "Fix Checked"


5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running now?

Thanks
 
Questions before I proceed:

In response to your question about running any tools after posting the first HJT log, I had shut down the computer for the night, and then restarted in the morning when I saw the reply. Then I had added the recovery console file to combofix, and started running combofix. During that run, I realized I had forgotton to disable McAfee, so I let combofix finish (which at some point restarted the computer), disabled McAfee, and then re-ran combofix.
Another point I feel compelled to convey (I don't know if it matters, but it might) I have disconnected the infected computer from the internet, and have been downloading the files indicated on my computer and transferring them to the infected machine.
I am still working on the fixes mentioned, and I noticed you asked how the computer is running. Should I wait until you have anaylized the logs I post after the listed steps before doing anything else? Also, we want to remove AOL messenger completely, but would like to replace Messenger Plus with the regular version of Messenger. Should I remove the programs before or after running the fixes mentioned? (I can add regular Messenger whenever, she's not using the computer until it's fixed anyway.)
 
Thanks for the feedback, possible that combofix remove the junk in the first run. Finish those instructions and when we are sure the computer is clean of malware, if you have any other questions I will be glad to try to answer them.
 
appears to be fixed

I ran all the steps listed. I needed to hook up the internet to get updates for mbam, and then I forgot to unhook it. After all the scan got done, I noticed that Windows had found an update, so apparently that problem is solved. (I didn't install the update yet) Below are the scan logs requested. Please let me know if you find anything. Otherwise I will assume things are running well, and I will install the windows updates and the regular Messenger. Please let me know if there are other steps I should take first.
Both us of thank you greatly for your assistance!

Here is the combofix log:
ComboFix 08-09-13.05 - Owner 2008-09-14 15:48:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.533 [GMT -5:00]
Running from: C:\Documents and Settings\Owner.Upstairs07\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.Upstairs07\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\412splashfree.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\414splashfree.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\certificate\limewire.keystore
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\createtimes.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\data.ser
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\downloads.dat
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\fileurns.bak
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\fileurns.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\filters.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\gnutella.net
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\installation.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\library.dat
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\limewire.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\mojito.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.backup
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.data
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.lck
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.log
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.properties
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\promotion\promodb.script
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\pub1.key
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\public.key
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\questions.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\responses.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\secureMessage.key
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\simpp.xml
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\spam.dat
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\tables.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\dir_closed.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\dir_open.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\kill_on.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\lime.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\logo.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\notsearching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\splash.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\splashpro.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\version.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\black_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\dir_closed.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\dir_open.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\logo.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\notsearching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\search.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\splash.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\splashpro.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\classic_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\dir_closed.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\dir_open.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\kill_on.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\lime.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\logo.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\notsearching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\splash.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\splashpro.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\limewire_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\kill_on.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\logo.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\name.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\notsearching.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\splash.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\splashpro.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\other_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\author.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button1.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button1_press.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button2.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button2_press.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button3.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button3_press.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button4.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button4_press.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button5.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\button5_press.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\connections.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\dir_closed.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\dir_open.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\kill_on.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\library.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\logo.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\monitor.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\notsearching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\plug.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\search.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\shopping.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\splash.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\version.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\pink_and_black_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme.lwtp
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\01_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\02_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\03_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\04_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\05_star.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\chat.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\forward_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\kill.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\kill_on.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\logo.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\notsearching.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\pause_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\play_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\play_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\question.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\searching.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\splash.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\splashpro.png
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\stop_up.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\theme.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\version.txt
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\themes\windows_theme\warning.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\ttree.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\ttrees.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\ttroot.cache
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\update.xml
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\version.key
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\version.xml
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\versions.props
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\data\audio.sxml2
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\data\delete_me
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\data\video.sxml2
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\misc\application.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\misc\audio.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\misc\document.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\misc\image.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\misc\video.gif
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\schemas\application.xsd
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\schemas\audio.xsd
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\schemas\document.xsd
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\schemas\image.xsd
C:\Documents and Settings\Owner.Upstairs07\Application Data\LimeWire\xml\schemas\video.xsd
C:\Program Files\LimeWire
C:\Program Files\LimeWire\donotremove.htm
C:\Program Files\LimeWire\GenericWindowsUtils.dll
C:\Program Files\LimeWire\hashes
C:\Program Files\LimeWire\i18n.jar
C:\Program Files\LimeWire\LimeWire20.dll
C:\Program Files\LimeWire\log4j.properties
C:\Program Files\LimeWire\MessagesBundle.properties
C:\Program Files\LimeWire\update.ver
C:\Program Files\LimeWire\WindowsFirewall.dll
C:\Program Files\LimeWire\WindowsV5PlusUtils.dll
C:\Program Files\LimeWire\xerces.jar
C:\Program Files\LimeWire\xml-apis.jar

.
((((((((((((((((((((((((( Files Created from 2008-08-14 to 2008-09-14 )))))))))))))))))))))))))))))))
.

2008-09-08 22:46 . 2008-09-08 22:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-08 21:41 . 2008-09-08 21:42 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-09-08 21:41 . 2008-09-08 21:41 <DIR> d-------- C:\Documents and Settings\Owner.Upstairs07\Application Data\PC Tools
2008-09-08 21:41 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-09-08 21:41 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-09-08 21:41 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-09-08 21:41 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-09-07 23:26 . 2008-09-08 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hazard Shield
2008-09-07 23:25 . 2008-09-07 23:26 <DIR> d-------- C:\Program Files\Hazard Shield
2008-09-07 13:38 . 2008-09-07 19:07 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-06 10:43 . 2008-09-06 10:43 <DIR> d-------- C:\Program Files\Safari
2008-09-06 10:43 . 2008-09-06 10:44 <DIR> d-------- C:\Program Files\RegCure
2008-09-04 07:17 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\WINDOWS\system32\wTR02
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\Temp\dax41
2008-09-02 20:58 . 2008-09-02 20:58 <DIR> d-------- C:\Temp
2008-09-02 20:56 . 2008-09-02 20:56 <DIR> d-------- C:\Documents and Settings\Owner.Upstairs07\Application Data\Screenshot Sender
2008-08-15 14:27 . 2008-08-15 14:46 <DIR> d-------- C:\Program Files\ManyCam 2.3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-14 20:41 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-09-14 20:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-13 19:25 --------- d-----w C:\Program Files\McAfee
2008-09-09 03:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-08 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 00:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-06 14:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-22 19:12 --------- d-----w C:\Documents and Settings\Owner.Upstairs07\Application Data\Apple Computer
2008-08-15 19:46 --------- d-----w C:\Program Files\ManyCam 2.2
2008-08-10 17:28 --------- d-----w C:\Program Files\Oberon Media
2008-08-10 04:35 --------- d-----w C:\Program Files\Apple Software Update
2008-08-05 13:15 --------- d-----w C:\Program Files\Java
2008-08-05 02:29 --------- d-----w C:\Documents and Settings\Owner.Upstairs07\Application Data\SiteAdvisor
2008-08-03 23:45 --------- d-----w C:\Program Files\iTunes
2008-08-03 23:45 --------- d-----w C:\Program Files\iPod
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"PMCRemote"="C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2007-02-12 253000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-30 7311360]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-03-30 36904]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-17 505368]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-05-17 780312]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-11-30 86016]
"PhiBtn"="C:\WINDOWS\System32\drivers\PhiBtn.exe" [2005-08-25 155648]
"Traymin900"="C:\WINDOWS\System32\drivers\Tray900.exe" [2005-08-25 266240]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 C:\WINDOWS\arpwrmsg.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 C:\WINDOWS\zHotkey.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-09 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2005-11-30 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2007-02-07 2348584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\Hasbro Interactive\\Classic Games\\ClassicBoard.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 camvid40;Philips SPC 900NC PC Camera;C:\WINDOWS\system32\DRIVERS\camdrv41.sys [2005-08-25 1240576]
S3 USB28xxBGA;PCTV 330e/800e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-01-29 361728]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-01-29 39680]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12aa1c33-b6e3-11db-af3e-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-14 15:51:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-14 15:53:39
ComboFix-quarantined-files.txt 2008-09-14 20:53:31
ComboFix2.txt 2008-09-14 16:45:13
ComboFix3.txt 2008-09-14 16:36:10

Pre-Run: 185,133,006,848 bytes free
Post-Run: 185,110,835,200 bytes free

395 --- E O F --- 2008-08-15 20:17:36



HERE IS THE MBAM LOG:
Malwarebytes' Anti-Malware 1.28
Database version: 1152
Windows 5.1.2600 Service Pack 3

9/14/2008 5:03:08 PM
mbam-log-2008-09-14 (17-03-08).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175293
Time elapsed: 54 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wTR02 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\aeghdhkt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bslgchpe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mlhkcd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rflrxhrv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vijqdj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091472.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091475.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091481.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091482.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091509.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091538.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091539.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP434\A0091540.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP435\A0091976.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP435\A0091980.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP435\A0092071.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP436\A0094292.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP437\A0094362.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP438\A0094523.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP440\A0094584.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP440\A0094585.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP440\A0094588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP440\A0094592.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP440\A0094593.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP382\A0071765.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.



HERE IS THE HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:31 PM, on 9/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\drivers\PhiBtn.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm028YYUS
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181600828421
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9938 bytes
 
Thanks for returning your information and the feedback, stick with me a bit, we have more to accomplish before you are finished.

Did you miss the information about Viewpoint? I see it is still in the HJT log?

Here is the next bridge we must cross:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

RC1-4.gif


Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif



I would also like a look at your uninstall list like this:

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
 
here is the unistall list

I missed viewpoint when I uninstalled AIM and Messenger Plus. I have unistalled it now.
I think I got recovery console installed from the Operating System disk. (The option was there when I restarted the computer)
Here is the uninstall list from HJT:
Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
BigFix
Bonjour
Canon i900D
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Creative Jukebox Driver
Creatures
DAO 3.5
DivX
DivX Content Uploader
DivX Web Player
D-Link VGA Webcam
Express Burn
Express Rip
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
InterActual Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_16
Java 2 SDK, SE v1.4.2_16
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
ManyCam 2.2 (remove only)
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Milton Bradley Classic Board Games
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Philips SPC 900NC PC Camera
Philips VLounge
Pinnacle TVCenter Pro
PitchPerfect Uninstall
Power2Go 4.0
Quicken Basic 2000
QuickTime
RegCure 1.5.0.1
Safari
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Spybot - Search & Destroy
Spyware Doctor 6.0
Switch
TeamViewer 3
The Sims Unleashed
Twelve Keys
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
VideoLAN VLC media player 0.8.6c
WavePad Uninstall
Windows Live installer
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinZip 11.2
Xvid 1.1.2 final uninstall
Yahoo! Internet Mail
Yahoo! Messenger
Zen Touch Media Explorer (for PlaysForSure devices)
 
Thanks for returning your information, please read the directions carefully:
I think I got recovery console installed from the Operating System disk
Click to expand...
"If you do not have access to Recovery Console via a Windows CD"

Uninstall list: I will look for security issues and malware only. You should look for stuff no longer used or needed which I am sure you are.

Adobe Acrobat 5.0 <<< as far as I can see this is an old Adobe Reader and hackers are exploiting those.
http://www.google.com/search?hl=en&q=Adobe+Acrobat+5.0&btnG=Search
I would update to the newest for security reason, here is a link:

Java 2 Runtime Environment, SE v1.4.2_16
Java 2 SDK, SE v1.4.2_16
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Delete all old versions of Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Folks are having issues uninstalling the very old version like are installed here, this tool will remove them:
http://raproducts.org/

RegCure 1.5.0.1 <<< looks like a registry cleaner, I would be very careful with such tools, see this:
http://forums.spybot.info/showthread.php?t=30113
If you do use a cleaner always make sure you backup the registry before doing so.

To continue with the cleaning:

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run MBAM again to make sure we missed none of the junk, no need to post a clean scan result.

Update McAfee and scan the system to make sure it is running right and scanning clean. If you have any problems with the program, contact tech support for instructions.
http://www.mcafee.com/us/support/

Let me know that all is well at this point and I will close your topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Great Job! Computer is fixed, and safer than before!

I removed the extra acrobats and javas, removed RegCure (I think it got put there by one of those 'Your computer may be at risk' pop-ups) Thankfully, no license was purchased, so no registry files got changed.
I removed combofix, cleaned system restore, and then ran MBAM. MBAM found nothing, so I updated McAfee and windows.
I thank you greatly for the links to the articles, we were both reading them while all the other stuff was going on the infected computer. (It also helped to re-iterate to my daughter the importance of not clicking on popups or unknown links. That kind of information is absorbed better when it comes from someone other than Mom) I also learned quite a few things to help prevent infections on my other computers.
After all was done, I had her poke around to her usual programs and websites, everything seemed to be going smoothly. Again, we both thank you greatly for your patience and help (the rest of the family will appreciate steps and advice on avoiding infection, too!)
 
Status
Not open for further replies.
Back
Top