Virtumonde

[Spiderware]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:52 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0D78A8CD-B095-446E-A803-F70E497BDB93} - C:\WINDOWS\system32\khfCroPf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {56d781cb-e06d-869a-6754-a513fa9bc4f8} - {8f4cb9af-315a-4576-a968-d60ebc187d65} - C:\WINDOWS\system32\wpqgkp.dll
O2 - BHO: (no name) - {A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - C:\WINDOWS\system32\iifebBtQ.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\kdfgj83ke.dll - {c5af49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\kdfgj83ke.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Batman\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.asbury.edu
O15 - Trusted Zone: http://www.download3k.com
O15 - Trusted Zone: http://www.ecoresoftware.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.70.21.0_MEGAPANEL_USA.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: wpqgkp.dll
O20 - Winlogon Notify: iifebBtQ - iifebBtQ.dll (file missing)
O20 - Winlogon Notify: winwga32 - C:\WINDOWS\SYSTEM32\winwga32.dll
O22 - SharedTaskScheduler: werkjdnfi8wnkjmdfdfkefn - {C5AF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\kdfgj83ke.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS

--
End of file - 8764 bytes

 

[peku006]

Hi Spiderware

• It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:
  
  Sophos
  AVG7
  
  Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  
  Please remove one of them.

1 - Disable teatimer

• Please disable Teatimer as it may interfere with the fix.
  
  First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
  
  Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
    
  Don't forget to re-enable it, when your computer is clean.

2 - Scan With ComboFix

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -

• Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

3 - uninstall list

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the the ComboFix log (C:\ComboFix.txt)
2. the uninstall list
3. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006

 

[Spiderware]

Combo fix log, hjt uninstall list, hjt log file, and description of pc problems

Thanks for the help peku006,

Here are the items you requested


ComboFix 08-08-07.05 - Batman 2008-08-08 8:12:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.659 [GMT -4:00]
Running from: C:\Documents and Settings\Batman\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Secure Solutions
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080801222837942.log
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\#SharedObjects\FGKNZ29N\interclick.com
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\#SharedObjects\FGKNZ29N\interclick.com\ud.sol
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\#SharedObjects\FGKNZ29N\www.broadcaster.com
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Batman\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\J9F4NGQX\interclick.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\#SharedObjects\J9F4NGQX\interclick.com\ud.sol
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Guest\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Need2Find
C:\Program Files\Need2Find\bar\1.bin\N2FFXTBR.JAR
C:\Program Files\Need2Find\bar\1.bin\N2NTSTBR.JAR
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL
C:\Program Files\Need2Find\bar\1.bin\PARTNER.DAT
C:\Program Files\Need2Find\bar\Cache\17408A47
C:\Program Files\Need2Find\bar\Cache\17408D45
C:\Program Files\Need2Find\bar\Cache\files.ini
C:\Program Files\Need2Find\bar\History\search
C:\Program Files\Need2Find\bar\Settings\prevcfg.htm
C:\Program Files\PCHealthCenter
C:\Program Files\PCHealthCenter\0.exe
C:\Program Files\PCHealthCenter\0.gif
C:\Program Files\PCHealthCenter\1.exe
C:\Program Files\PCHealthCenter\1.gif
C:\Program Files\PCHealthCenter\2.exe
C:\Program Files\PCHealthCenter\2.gif
C:\Program Files\PCHealthCenter\3.exe
C:\Program Files\PCHealthCenter\3.gif
C:\Program Files\PCHealthCenter\7.exe
C:\Program Files\PCHealthCenter\sex1.ico
C:\Program Files\PCHealthCenter\sex2.ico
C:\WINDOWS\BMbb2de63e.txt
C:\WINDOWS\BMbb2de63e.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\atfhsjpr.ini
C:\WINDOWS\system32\dpfrdd.dll
C:\WINDOWS\system32\drvsuc.dll
C:\WINDOWS\system32\eucrlkeh.dll
C:\WINDOWS\system32\fPorCfhk.ini
C:\WINDOWS\system32\fPorCfhk.ini2
C:\WINDOWS\system32\heklrcue.ini
C:\WINDOWS\system32\hoxuhkeu.dll
C:\WINDOWS\system32\lbbd32.dll
C:\WINDOWS\system32\mvx.dat
C:\WINDOWS\system32\ndposx.dll
C:\WINDOWS\system32\oyohrrov.ini
C:\WINDOWS\system32\P2P Networking
C:\WINDOWS\system32\tilwtxxx.dll
C:\WINDOWS\system32\ttionsan.dll
C:\WINDOWS\system32\vorrhoyo.dll
C:\WINDOWS\system32\winwga32.dll
C:\WINDOWS\system32\wpqgkp.dll
C:\WINDOWS\system32\ywiydhkh.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-03 21:25 . 2008-08-03 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:33 . 2008-08-03 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 12:33 . 2008-08-03 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 18:58 . 2004-08-03 22:31 154,624 --a------ C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-08-02 18:57 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-08-02 18:56 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-02 18:55 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-08-02 18:54 . 2004-08-04 06:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-08-02 18:53 . 2004-08-04 06:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-02 18:52 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-08-02 18:51 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-02 18:50 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-02 18:49 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-02 18:48 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-02 18:47 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-08-02 18:46 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-02 18:45 . 2004-08-04 06:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-02 18:44 . 2004-08-04 06:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-08-02 18:43 . 2004-08-04 06:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-08-02 18:42 . 2004-08-04 06:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 18:41 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-08-02 18:40 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-08-02 18:39 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-08-02 18:38 . 2004-08-04 06:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-02 18:37 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-08-02 18:36 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-08-02 18:35 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-08-01 22:42 . 2005-06-16 16:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-01 22:42 . 2008-08-01 22:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-01 22:26 . 2008-08-02 00:54 <DIR> d-------- C:\WINDOWS\system32\349168
2008-08-01 22:26 . 2008-08-02 00:54 <DIR> d-------- C:\7f7f1
2008-08-01 22:26 . 2008-08-01 22:26 145 --a------ C:\WINDOWS\system32\winver.bat
2008-08-01 22:25 . 2008-08-02 00:54 <DIR> d-------- C:\4850c
2008-08-01 22:25 . 2008-08-01 22:25 45,568 --a------ C:\WINDOWS\system32\lbcd64.dll
2008-08-01 22:23 . 2008-08-02 00:53 <DIR> d-------- C:\1336c
2008-08-01 22:23 . 2008-08-01 22:26 2 --a------ C:\-1205938931
2008-08-01 22:23 . 2008-08-01 22:37 0 --a------ C:\WINDOWS\system32\drivers\716aff0d.sys
2008-07-16 12:46 . 2008-07-16 12:46 <DIR> d-------- C:\Program Files\Kye
2008-07-15 22:30 . 2008-07-15 22:41 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Wal-Mart Digital Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 11:55 --------- d-----w C:\Program Files\Sophos SWEEP for NT
2008-08-08 11:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-08-03 18:35 --------- d-----w C:\Documents and Settings\Batman\Application Data\AVG7
2008-08-01 12:00 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-07-04 04:42 --------- d-----w C:\Program Files\MSECache
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 16:38 --------- d-----w C:\Program Files\Monitor Calibration Wizard
2005-07-28 23:30 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 09:53 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wpqgkp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-04-05 21:30 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 09:50 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-11-09 11:32 393216 C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 20:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 09:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-06-27 22:28 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-27 04:42 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R1 nmconpid;nmconpid;C:\WINDOWS\system32\drivers\nmconpid.sys [2006-04-18 21:28]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
S1 716aff0d;716aff0d;C:\WINDOWS\system32\drivers\716aff0d.sys [2008-08-01 22:37]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-02 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0D78A8CD-B095-446E-A803-F70E497BDB93} - C:\WINDOWS\system32\khfCroPf.dll
BHO-{A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - C:\WINDOWS\system32\iifebBtQ.dll
ShellExecuteHooks-{A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - C:\WINDOWS\system32\iifebBtQ.dll
Notify-iifebBtQ - iifebBtQ.dll
Notify-winwga32 - winwga32.dll
MSConfigStartUp-b81ed5a2 - C:\WINDOWS\system32\vorrhoyo.dll
MSConfigStartUp-BMbb2de63e - C:\WINDOWS\system32\tilwtxxx.dll
MSConfigStartUp-MSDisp32 - C:\WINDOWS\system32\drvsuc.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Batman\Application Data\Mozilla\Firefox\Profiles\k6i2euwt.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 08:17:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-08 8:23:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 12:23:31

Pre-Run: 21,256,425,472 bytes free
Post-Run: 21,355,425,792 bytes free

273 --- E O F --- 2008-07-09 07:01:00





Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Adobe Shockwave Player
Age of Empires III
American Greetings Scrapbooks and More!
AOLIcon
Apple Mobile Device Support
Apple Software Update
Armagetron Advanced 0.2.8.1-1.gcc
Army Men
Atomic Cannon Demo
AVG 7.5
AVS Disc Creator version 2.1
Azureus
Big Fish Games Client
Bink and Smacker
Bonjour
Cactus Bruce and the Corporate Monkeys v2.3
CCleaner (remove only)
CCScore
CDBurnerXP
Compatibility Pack for the 2007 Office system
Cosmo Virtual Makeover 2
CuteFTP 8 Home
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Picture Studio v3.0
Dell Support 5.0.0 (630)
DivX Content Uploader
DivX Web Player
EA Network Play System
Easy Guitar Deluxe
EAX(tm) Unified (SHELL)
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
FINAL FANTASY VIII
Finale NotePad 2005a
Finale NotePad 2007
FLV Player 2.0, build 23
Frogger v3.0e
GLtron version 0.70
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
Halo Editing Kit
Halo Server
Heroes of Might and Magic IV: Winds of War
Heroes of Might and Magic V
Heroes of Might and Magic V Collector Edition
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hu-Go! 2.10
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
ISO Recorder
iTunes
iTunes Alarm Clock 2.0
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_09
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Karen's Alarm Clock
kgcbase
K-Meleon (remove only)
Kodak EasyShare software
KSU
Kye 3.0
Learn2 Player (Uninstall Only)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player
Magebane2
Master of Defense (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Halo
Microsoft Halo Custom Edition
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Outlook Web Access S/MIME
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Reader
Microsoft Web Publishing Wizard 1.52
Modem Event Monitor
Modem Helper
Modem On Hold
Monitor Calibration Wizard 1.0
Mozilla Firefox (2.0.0.16)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Music Alarm Clock
Musicmatch® Jukebox
MusicWrite
My Way Search Assistant
Need For Speed High Stakes
Need For Speed III
NeoDownloader 2.2
NetZeroInstallers
Nielsen//NetRatings
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Photo Click
Pocket Voice Recorder 3.4
PowerISO
Project64 1.6
QuickTime
RealPlayer
Remove KPK Data analysis
Rollcage Stage II
Scorched3D 38.1
SecondLife (remove only)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SFR
SHASTA
SKIN0001
SKINXSDK
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Snood for Windows version 3.52-W
Snoodoku for Windows Version 1.1W
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sophos Remote Update
Spybot - Search & Destroy
staticcr
TI Connect 1.6
TigerGame PS/PS2 Game Controller Adapter
Ulead GIF Animator 5 TBYB
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
USB SmartMedia Reader
Viewpoint Media Player
VPRINTOL
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB893086
Windstream Broadband Check-up Center
WinRAR archiver
WireChanger (remove only)
WIRELESS
WordPerfect Office 12
Xvid 1.1.3 final uninstall
zMUD 7.20.0.1







Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:26 AM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sophos\Remote Update\cachemgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Batman\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.asbury.edu
O15 - Trusted Zone: http://www.download3k.com
O15 - Trusted Zone: http://www.ecoresoftware.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.70.21.0_MEGAPANEL_USA.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: wpqgkp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - C:\Program Files\Sophos\Remote Update\cachemgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6970 bytes



The Problems I have been experiencing:

When booting the computer, just after I attempt to log on with my username and password, it gives me a userinit.exe error. I click ok twice. I then cannot get the desktop to appear until I open the task manager and tell it to run "C:\Windows\explorer.scf".

When attempting to open programs in the control panel, such as add or remove programs, I get a rundll32.exe error and am unable to access said programs.

When connected to the internet, although I run firefox, internet explorer comes on with popups, even when I do not have any browser open.

When shutting down or restarting the computer, I get a blue screen which says the winlogon terminated unexpectedly and I am forced to turn off the computer manually.

I think these are all the problems I have been experiencing. I have not attempted to restart the computer since running combofix, and I am currently using another computer and have the infected computer detached from the internet.

Thank you again for your help.

-Spiderware

 

[Spiderware]

oops

Sorry about that, I could have sworn that I had already installed the recovery console a while back. I hope its okay, I can install it now if need be.

 

[peku006]

Hi Spiderware
Have you tried the "Last Known Good Configuration" bootup option?

To load the last known good configuration:

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears.
• (If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.)
• Use your arrow keys to move to "Last Known Good Configuration" and press your Enter key.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus

I'd like you to read the this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please let me know how your pc is now.

thanks
peku006

 

[Spiderware]

All Clear

Hi Peku006,

My computer appears to be functioning normally and spybot has returned a clean report. Thank you so much for your help. Also, would mind recommending a good free registry cleaner?

Thanks,

Spiderware

 

[peku006]

Hi Spiderware
we are not ready yet....

My computer appears to be functioning normally

I'm glad to hear that.

recommending a good free registry cleaner?

I'd like you to read the this "Registry Cleaners, not recommended".

1 - Remove bad HijackThis entries

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  • 
    O8 - Extra context menu item: &Search - http://ka.bar.need2find.com/KA/menusearch.html?p=KA
    O20 - AppInit_DLLs: wpqgkp.dll
    
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

2 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\349168
C:\WINDOWS\system32\winver.bat
C:\WINDOWS\system32\lbcd64.dll
C:\WINDOWS\system32\drivers\716aff0d.sys

Folder::
C:\7f7f1
C:\4850c
C:\1336c
C:\-1205938931

Driver::
716aff0d

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

3 - Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

4 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

5 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
2. the ComboFix log
4. a fresh HijackThis log

Thanks peku006

 

[Spiderware]

Here you are

Hi Peku006,

Thanks for the heads up on registry cleaners. Guess I just got suckered in on that one. Anyway, here are the logs you requested:



Malwarebytes' Anti-Malware 1.24
Database version: 1036
Windows 5.1.2600 Service Pack 2

9:47:37 PM 8/9/2008
mbam-log-8-9-2008 (21-47-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 96154
Time elapsed: 50 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwga32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataDisp32 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\349168 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Adobe\Acrobat 6.0\Reader\PDF417Encoder.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\7.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drvsuc.dll.vir (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP857\A0059330.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP858\A0061202.sys (Backdoor.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP859\A0062853.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860\A0062871.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860\A0062872.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860\A0062874.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860\A0062878.dll (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Dialer) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.




Okay, so I just realized that I accidentally got rid of the combo fix log. What should I do?

-Spiderware

 

[peku006]

Hi Spiderware
Post Combofix log by doing following:

Click Start > Run > type notepad C:\combofix.txt > OK

When Notepad opens, click Edit > Select all then Edit > Copy

Reply to this post and press Ctrl+V to paste the log in your reply.

Thanks peku006

 

[Spiderware]

there you go

ComboFix 08-08-09.03 - Batman 2008-08-09 20:38:19.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.658 [GMT -4:00]
Running from: C:\Documents and Settings\Batman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Batman\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\349168
C:\WINDOWS\system32\drivers\716aff0d.sys
C:\WINDOWS\system32\lbcd64.dll
C:\WINDOWS\system32\winver.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1205938931\
C:\1336c
C:\4850c
C:\7f7f1
C:\WINDOWS\system32\drivers\716aff0d.sys
C:\WINDOWS\system32\lbcd64.dll
C:\WINDOWS\system32\winver.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_716aff0d


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 08:25 . 2008-08-09 08:25 125 --a------ C:\ioSpecial.ini
2008-08-03 21:25 . 2008-08-03 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:33 . 2008-08-03 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 12:33 . 2008-08-03 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 18:57 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-08-02 18:56 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-02 18:55 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-08-02 18:54 . 2004-08-04 06:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-08-02 18:53 . 2004-08-04 06:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-02 18:52 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-08-02 18:51 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-02 18:50 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-02 18:49 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-02 18:48 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-02 18:47 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-08-02 18:46 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-02 18:45 . 2004-08-04 06:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-02 18:44 . 2004-08-04 06:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-08-02 18:43 . 2004-08-04 06:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-08-02 18:42 . 2004-08-04 06:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 18:41 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-08-02 18:40 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-08-02 18:39 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-08-02 18:38 . 2004-08-04 06:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-02 18:37 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-08-02 18:36 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-08-02 18:35 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-08-01 22:42 . 2005-06-16 16:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-01 22:42 . 2008-08-01 22:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 22:28 . 2008-08-01 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-01 22:26 . 2008-08-02 00:54 <DIR> d-------- C:\WINDOWS\system32\349168
2008-08-01 22:23 . 2008-08-01 22:26 2 --a------ C:\-1205938931
2008-07-16 12:46 . 2008-07-16 12:46 <DIR> d-------- C:\Program Files\Kye
2008-07-15 22:30 . 2008-07-15 22:41 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Wal-Mart Digital Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 12:40 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-09 12:35 --------- d-----w C:\Documents and Settings\Batman\Application Data\Lavasoft
2008-08-09 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 12:30 --------- d-----w C:\Program Files\Common Files\Broderbund
2008-08-09 12:28 --------- d-----w C:\Program Files\DNA
2008-08-09 12:28 --------- d-----w C:\Program Files\Cosmo Virtual Makeover 2
2008-08-09 12:28 --------- d-----w C:\Program Files\Cactus Bruce and the Corporate Monkeys
2008-08-09 12:26 --------- d-----w C:\Program Files\Magebane2
2008-08-09 12:19 --------- d-----w C:\Program Files\Azureus
2008-08-09 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-08-08 11:55 --------- d-----w C:\Program Files\Sophos SWEEP for NT
2008-08-03 18:35 --------- d-----w C:\Documents and Settings\Batman\Application Data\AVG7
2008-08-01 12:00 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-07-04 04:42 --------- d-----w C:\Program Files\MSECache
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2005-07-28 23:30 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 09:53 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifebBtQ]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwga32]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-04-05 21:30 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 09:50 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-11-09 11:32 393216 C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 20:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 09:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-06-27 22:28 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-27 04:42 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-09 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 20:43:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-09 20:48:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 00:48:28
ComboFix2.txt 2008-08-08 12:23:35

Pre-Run: 25,540,972,544 bytes free
Post-Run: 25,517,244,416 bytes free

213 --- E O F --- 2008-07-09 07:01:00

 

[peku006]

Hi Spiderware

RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Drag the setup package onto ComboFix.exe and drop it.
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
• At the next prompt, click 'Yes' to run the full ComboFix scan.
  
  
  
  
  
• When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

 

[Spiderware]

Here you go

ComboFix 08-08-09.03 - Batman 2008-08-10 11:38:57.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.561 [GMT -4:00]
Running from: C:\Documents and Settings\Batman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Batman\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Malwarebytes
2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 20:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 20:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 08:25 . 2008-08-09 08:25 125 --a------ C:\ioSpecial.ini
2008-08-03 21:25 . 2008-08-03 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:33 . 2008-08-03 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 12:33 . 2008-08-03 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 18:57 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-08-02 18:56 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-02 18:55 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-08-02 18:54 . 2004-08-04 06:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-08-02 18:53 . 2004-08-04 06:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-02 18:52 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-08-02 18:51 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-02 18:50 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-02 18:49 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-02 18:48 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-02 18:47 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-08-02 18:46 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-02 18:45 . 2004-08-04 06:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-02 18:44 . 2004-08-04 06:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-08-02 18:43 . 2004-08-04 06:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-08-02 18:42 . 2004-08-04 06:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 18:41 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-08-02 18:40 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-08-02 18:39 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-08-02 18:38 . 2004-08-04 06:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-02 18:37 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-08-02 18:36 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-08-02 18:35 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-08-01 22:42 . 2005-06-16 16:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-01 22:42 . 2008-08-01 22:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 22:28 . 2008-08-09 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-01 22:23 . 2008-08-01 22:26 2 --a------ C:\-1205938931
2008-07-16 12:46 . 2008-07-16 12:46 <DIR> d-------- C:\Program Files\Kye
2008-07-15 22:30 . 2008-07-15 22:41 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Wal-Mart Digital Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 15:36 --------- d-----w C:\Documents and Settings\Batman\Application Data\AVG7
2008-08-10 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-08-09 12:40 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-09 12:35 --------- d-----w C:\Documents and Settings\Batman\Application Data\Lavasoft
2008-08-09 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 12:30 --------- d-----w C:\Program Files\Common Files\Broderbund
2008-08-09 12:28 --------- d-----w C:\Program Files\DNA
2008-08-09 12:28 --------- d-----w C:\Program Files\Cosmo Virtual Makeover 2
2008-08-09 12:28 --------- d-----w C:\Program Files\Cactus Bruce and the Corporate Monkeys
2008-08-09 12:26 --------- d-----w C:\Program Files\Magebane2
2008-08-09 12:19 --------- d-----w C:\Program Files\Azureus
2008-08-08 11:55 --------- d-----w C:\Program Files\Sophos SWEEP for NT
2008-08-01 12:00 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-07-04 04:42 --------- d-----w C:\Program Files\MSECache
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-07-28 23:30 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 09:53 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifebBtQ]
[BU]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-04-05 21:30 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 09:50 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-11-09 11:32 393216 C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 20:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 09:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-06-27 22:28 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-27 04:42 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-07-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-10 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Batman\Application Data\Mozilla\Firefox\Profiles\k6i2euwt.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 11:41:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-10 11:43:23
ComboFix-quarantined-files.txt 2008-08-10 15:43:03
ComboFix2.txt 2008-08-10 00:48:32
ComboFix3.txt 2008-08-08 12:23:35

Pre-Run: 25,553,129,472 bytes free
Post-Run: 25,517,236,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

205 --- E O F --- 2008-07-09 07:01:00



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:15 AM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Batman\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.asbury.edu
O15 - Trusted Zone: http://www.download3k.com
O15 - Trusted Zone: http://www.ecoresoftware.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.70.21.0_MEGAPANEL_USA.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: iifebBtQ - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6468 bytes

 

[peku006]

Hi Spiderware

1 - Remove bad HijackThis entries

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  • 
    O20 - Winlogon Notify: iifebBtQ - C:\WINDOWS\)
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

2 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\iifebBtQ.dll
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifebBtQ]

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

3 - Clean temp files

• Download and Run ATF Cleaner
  Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.
  
  Under Main choose:
  • 
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    *The other boxes are optional*
    Then click the Empty Selected button.
  if you use Firefox:
  • 
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  if you use Opera:
  • 
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  
  Click Exit on the Main menu to close the program

4 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   • Spyware, Adware, Dialers, and other potentially dangerous programs
     Archives
     Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

5 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

6 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. the Kaspersky online scanner report
3. a fresh HijackThis log

Thanks peku006

 

[Spiderware]

Here you go

ComboFix 08-08-10.06 - Batman 2008-08-11 18:16:32.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.552 [GMT -4:00]
Running from: C:\Documents and Settings\Batman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Batman\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\iifebBtQ.dll
.

((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Malwarebytes
2008-08-09 20:49 . 2008-08-09 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 20:49 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 20:49 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 08:25 . 2008-08-09 08:25 125 --a------ C:\ioSpecial.ini
2008-08-03 21:25 . 2008-08-03 21:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 12:33 . 2008-08-03 12:33 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 12:33 . 2008-08-03 12:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-02 18:57 . 2001-08-17 13:28 771,581 --a------ C:\WINDOWS\system32\dllcache\winacisa.sys
2008-08-02 18:56 . 2001-08-17 13:28 794,654 --a------ C:\WINDOWS\system32\dllcache\usr1801.sys
2008-08-02 18:55 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\system32\dllcache\tridxp.dll
2008-08-02 18:54 . 2004-08-04 06:00 571,392 --a------ C:\WINDOWS\system32\dllcache\tintlgnt.ime
2008-08-02 18:53 . 2004-08-04 06:00 456,704 --a------ C:\WINDOWS\system32\dllcache\smtpsvc.dll
2008-08-02 18:52 . 2004-08-03 22:41 404,990 --a------ C:\WINDOWS\system32\dllcache\slntamr.sys
2008-08-02 18:51 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\system32\dllcache\sblfx.dll
2008-08-02 18:50 . 2004-08-04 00:56 397,056 --a------ C:\WINDOWS\system32\dllcache\s3gnb.dll
2008-08-02 18:49 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-08-02 18:48 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-08-02 18:47 . 2001-08-17 12:50 198,144 --a------ C:\WINDOWS\system32\dllcache\nv3.sys
2008-08-02 18:46 . 2004-08-04 00:56 1,737,856 --a------ C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-08-02 18:45 . 2004-08-04 06:00 1,875,968 --a------ C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-08-02 18:44 . 2004-08-04 06:00 1,158,818 --a------ C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-08-02 18:43 . 2004-08-04 06:00 811,064 --a------ C:\WINDOWS\system32\dllcache\imjp81k.dll
2008-08-02 18:42 . 2004-08-04 06:00 13,463,552 --a------ C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-02 18:41 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\system32\dllcache\g400d.dll
2008-08-02 18:40 . 2001-08-17 12:17 629,952 --a------ C:\WINDOWS\system32\dllcache\eqn.sys
2008-08-02 18:39 . 2001-08-17 12:14 952,007 --a------ C:\WINDOWS\system32\dllcache\diwan.sys
2008-08-02 18:38 . 2004-08-04 06:00 1,677,824 --a------ C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-02 18:37 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-08-02 18:36 . 2004-08-04 00:56 1,888,992 --a------ C:\WINDOWS\system32\dllcache\ati3duag.dll
2008-08-02 18:35 . 2004-05-13 00:39 876,653 --a------ C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-08-01 22:42 . 2005-06-16 16:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-08-01 22:42 . 2005-06-16 16:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-08-01 22:42 . 2008-08-01 22:42 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-01 22:28 . 2008-08-09 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-01 22:23 . 2008-08-01 22:26 2 --a------ C:\-1205938931
2008-07-16 12:46 . 2008-07-16 12:46 <DIR> d-------- C:\Program Files\Kye
2008-07-15 22:30 . 2008-07-15 22:41 <DIR> d-------- C:\Documents and Settings\Batman\Application Data\Wal-Mart Digital Photo Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 07:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-08-10 15:36 --------- d-----w C:\Documents and Settings\Batman\Application Data\AVG7
2008-08-09 12:40 --------- d-----w C:\Program Files\Jasc Software Inc
2008-08-09 12:35 --------- d-----w C:\Documents and Settings\Batman\Application Data\Lavasoft
2008-08-09 12:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-09 12:30 --------- d-----w C:\Program Files\Common Files\Broderbund
2008-08-09 12:28 --------- d-----w C:\Program Files\DNA
2008-08-09 12:28 --------- d-----w C:\Program Files\Cosmo Virtual Makeover 2
2008-08-09 12:28 --------- d-----w C:\Program Files\Cactus Bruce and the Corporate Monkeys
2008-08-09 12:26 --------- d-----w C:\Program Files\Magebane2
2008-08-09 12:19 --------- d-----w C:\Program Files\Azureus
2008-08-08 11:55 --------- d-----w C:\Program Files\Sophos SWEEP for NT
2008-08-01 12:00 --------- d-----w C:\Documents and Settings\Guest\Application Data\AVG7
2008-07-04 04:42 --------- d-----w C:\Program Files\MSECache
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2005-07-28 23:30 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-27 09:53 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 02:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2006-04-05 21:30 3284992 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 21:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 17:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 17:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 09:50 53248 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-09-14 09:50 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2004-11-09 11:32 393216 C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a------ 2004-11-11 11:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 20:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-27 09:53 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-06-27 22:28 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-07-27 04:42 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_09\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-08-11 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 18:19:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-11 18:21:02
ComboFix-quarantined-files.txt 2008-08-11 22:20:39
ComboFix2.txt 2008-08-10 15:43:24
ComboFix3.txt 2008-08-10 00:48:32
ComboFix4.txt 2008-08-08 12:23:35

Pre-Run: 25,468,637,184 bytes free
Post-Run: 25,451,696,128 bytes free

193 --- E O F --- 2008-07-09 07:01:00





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:50 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Batman\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.asbury.edu
O15 - Trusted Zone: http://www.download3k.com
O15 - Trusted Zone: http://www.ecoresoftware.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.70.21.0_MEGAPANEL_USA.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6467 bytes





--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 23:00:07
Records in database: 1083545
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 66270
Threat name: 6
Infected objects: 90
Suspicious objects: 0
Duration of the scan: 02:57:47


File name / Threat name / Threats count
C:\Documents and Settings\Batman\Desktop\Movies\Smoke on the Water.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\01 - Chrono Cross ~ Time's Scar.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a1s.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a1u.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a1v.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a1z.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a4c.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\a4e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b2c.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b3e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b5b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b5c.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b6a.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\b6b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c1d.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c2e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c2h.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c3a.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c3b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c3f.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c5ca.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c5f.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c6i.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c7h.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c8b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\c8d.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e1e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e1l.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e1n.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e1p.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e1w.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e2b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e2c.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e2d.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e2e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e2f.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3a.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3d.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3e.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3h.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3j.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e3l.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e4j.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e4k.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e4o.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\e5b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g1h.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g1j.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g1l.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g1m.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g3b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g4b.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\g5a.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario\j1p.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 1.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 10.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 11.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 12.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 13.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 14.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 15.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 2.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 3.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 4.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 5.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 6.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 7.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 8.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\artist\album\artist - Track 9.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\albi.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\arise.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\Big Tent Revival--0 - Two Sets of Jones.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\business_time.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\fringes.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\hiphopopotamusvrhymnoceros.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\issues.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\Jars Of Clay-Jars of Clay-03 - Love Song for a Savior.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\jenny_.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\theGospelSong01.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Documents and Settings\Batman\My Documents\My Music\iTunes\think_thinkaboutit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\QooBox\Quarantine\C\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\QooBox\Quarantine\C\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.o 1
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aq 1
C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.ap 1
C:\QooBox\Quarantine\C\WINDOWS\system32\dpfrdd.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hoxuhkeu.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ndposx.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ttionsan.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wpqgkp.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ywiydhkh.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.bzx 1

The selected area was scanned.

 

[peku006]

Hi Spiderware

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.

• Go to http://java.sun.com/javase/downloads/index.jsp
• Click on the link named Java Runtime Environment (JRE) 6 Update 7
• Click on the radio button to Accept License Agreement
• Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
• Go to Start => Control Panel => Add or Remove Programs
• Uninstall all old versions of Java (Java 6 Runtime Environment, JRE or JSE)
• Reboot your computer
• Delete the folder C:\Program Files\Java if present
• Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
• Reboot your computer

Download to the desktop: Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, Click Options > Change settings
• Choose the Scan-tab, remove the mark at Heuristic analysis.
• Back at the main window, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
  
  
  
  If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Thanks peku006

 

[Spiderware]

Here you go

01826390.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.59300;Deleted.;
06526890.FIL;C:\$VAULT$.AVG;Trojan.Packed.568;Deleted.;
06528046.FIL;C:\$VAULT$.AVG;Trojan.Packed.568;Deleted.;
06528453.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
06534421.FIL;C:\$VAULT$.AVG;Trojan.Packed.568;Deleted.;
06534718.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1086;Deleted.;
06534812.FIL;C:\$VAULT$.AVG;Trojan.Packed.568;Deleted.;
06534937.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.3299;Deleted.;
06536765.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
06537875.FIL;C:\$VAULT$.AVG;Trojan.Packed.568;Deleted.;
06538921.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1086;Deleted.;
06541593.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.3299;Deleted.;
06544500.FIL;C:\$VAULT$.AVG;Trojan.Aolspy.8;Deleted.;
06547328.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1086;Deleted.;
06547390.FIL;C:\$VAULT$.AVG;Adware.404Search.5;Incurable.Moved.;
17102328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
20103859.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50035;Deleted.;
20215890.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.3200;Deleted.;
20216078.FIL\serial.exe;C:\$VAULT$.AVG\20216078.FIL;Trojan.Packed.155;;
20216078.FIL\number.exe;C:\$VAULT$.AVG\20216078.FIL;Trojan.DownLoad.3200;;
20216078.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
20216453.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
20216984.FIL;C:\$VAULT$.AVG;Trojan.Aolspy.8;Deleted.;
20217046.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.1086;Deleted.;
20217203.FIL;C:\$VAULT$.AVG;Adware.404Search.5;Incurable.Moved.;
21411437.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.458;Deleted.;
21411718.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.450;Deleted.;
21411796.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.458;Deleted.;
21411890.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.458;Deleted.;
21412015.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.458;Deleted.;
21412062.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.450;Deleted.;
21412109.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.458;Deleted.;
21843171.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50035;Deleted.;
21850843.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.50035;Deleted.;
RegUBP2b-Batman.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Batman\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Batman\Desktop;Archive contains infected objects;Moved.;
Smoke on the Water.mp3;C:\Documents and Settings\Batman\Desktop\Movies;Trojan.WMALoader;Cured.;
01 - Chrono Cross ~ Time's Scar.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs;Trojan.WMALoader;Cured.;
ARS_v2r.exe;C:\Documents and Settings\Batman\Desktop\Silly programs;Trojan.MulDrop.5773;Deleted.;
a1s.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
a1u.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
a1v.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
a1z.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
a4c.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
a4e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b2c.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b3e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b5b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b5c.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b6a.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
b6b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c1d.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c2e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c2h.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c3a.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c3b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c3f.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c5ca.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c5f.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c6i.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c7h.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c8b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
c8d.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e1e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e1l.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e1n.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e1p.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e1w.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e2b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e2c.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e2d.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e2e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e2f.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3a.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3d.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3e.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3h.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3j.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e3l.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e4j.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e4k.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e4o.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
e5b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g1h.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g1j.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g1l.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g1m.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g3b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g4b.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
g5a.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
j1p.mp3;C:\Documents and Settings\Batman\Desktop\Silly programs\Age of Empires II\Sound\scenario;Trojan.WMALoader;Cured.;
artist - Track 1.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 10.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 11.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 12.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 13.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 14.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 15.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 2.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 3.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 4.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 5.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 6.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 7.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 8.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
artist - Track 9.mp3;C:\Documents and Settings\Batman\My Documents\My Music\artist\album;Trojan.WMALoader;Cured.;
albi.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
arise.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
Big Tent Revival--0 - Two Sets of Jones.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
business_time.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
fringes.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
hiphopopotamusvrhymnoceros.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
issues.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
Jars Of Clay-Jars of Clay-03 - Love Song for a Savior.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
jenny_.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
theGospelSong01.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
think_thinkaboutit.mp3;C:\Documents and Settings\Batman\My Documents\My Music\iTunes;Trojan.WMALoader;Cured.;
GTDownDE_87.ocx;C:\i386;Adware.Gdown;Incurable.Moved.;
N2PLUGIN.DLL.vir;C:\QooBox\Quarantine\C\Program Files\Need2Find\bar\1.bin;Adware.Msearch;Incurable.Moved.;
NPND2FN.DLL.vir;C:\QooBox\Quarantine\C\Program Files\Need2Find\bar\1.bin;Adware.MyWay;Incurable.Moved.;
lbbd32.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;BackDoor.Banker.origin;Incurable.Moved.;
lbcd64.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;BackDoor.Banker.origin;Incurable.Moved.;
A0062852.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP859;Trojan.Packed.155;Deleted.;
A0062867.DLL;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860;Adware.Msearch;Incurable.Moved.;
A0062868.DLL;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860;Adware.MyWay;Incurable.Moved.;
A0062877.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860;BackDoor.Banker.origin;Incurable.Moved.;
A0062911.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP860;Program.PsExec.170;Incurable.Moved.;
A0063513.rbf;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP863;Trojan.Click.1487;Deleted.;
A0064448.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP870;Adware.MyWay;Incurable.Moved.;
A0064460.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP870;Trojan.StartPage.1505;Deleted.;
A0064518.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP871;BackDoor.Banker.origin;Incurable.Moved.;
A0064534.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP871\A0064534.exe;Program.PsExec.171;;
A0064534.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP871;Archive contains infected objects;Moved.;
A0064539.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP871;Program.PsExec.170;Incurable.Moved.;
A0064636.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873\A0064636.exe;Program.PsExec.171;;
A0064636.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP873;Archive contains infected objects;Moved.;
A0064736.reg;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP876;Trojan.StartPage.1505;Deleted.;
A0064737.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP876\A0064737.exe;Program.PsExec.171;;
A0064737.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP876;Archive contains infected objects;Moved.;
A0064738.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP876;Trojan.MulDrop.5773;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\system32;Adware.Gdown;Incurable.Moved.;





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:03 AM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Batman\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.asbury.edu
O15 - Trusted Zone: http://www.download3k.com
O15 - Trusted Zone: http://www.ecoresoftware.com
O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.70.21.0_MEGAPANEL_USA.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

--
End of file - 6758 bytes

 

[peku006]

Hi Spiderware

Congratulations, your log looks clean!

Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
• 
• When shown the disclaimer, Select "2"
  

The above procedure will:

• Delete the following:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Reset System Restore.

Here are some free programs I recommend that could help you improve your computer's security.


Install SpyWare Blaster 4.1
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
Note:"Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:

Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note: If you are running Windows XP SP2, you should upgrade to SP3.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing! :bigthumb:

 

[Spiderware]

Thanks again for everything