virus support

Hello sludgeguts,

A. Please RUN HijackThis
  1. Click the SCAN button to produce a log.
  2. Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {040B7D23-99E1-BD14-BF1B-BFEE8A86EF9C} - (no file)
    O2 - BHO: (no name) - {0DD98BA3-25B7-4913-88AF-CFBDB28DA4CE} - (no file)
    O2 - BHO: (no name) - {14DB7B51-B663-4BBA-9320-EB84949A098F} - (no file)
    O2 - BHO: (no name) - {197846A8-E57E-F0A4-16D4-8563E6C3B0FF} - (no file)
    O2 - BHO: (no name) - {1AD5FCBE-100B-4D8F-7871-3CB6094DF4C3} - (no file)
    O2 - BHO: (no name) - {34877841-C4D0-C554-A648-E82B2CE6D8CC} - (no file)
    O2 - BHO: (no name) - {42C76E27-D4E8-8A39-CF3D-AAEF3E7DA299} - (no file)
    O2 - BHO: (no name) - {449FC5FC-81F2-4A4A-A7C6-3E42A88C62C9} - (no file)
    O2 - BHO: (no name) - {525EB293-5C57-76FC-05B0-7032D76FB69F} - (no file)
    O2 - BHO: (no name) - {5645ED67-538B-0D5B-817D-7C129130E693} - (no file)
    O2 - BHO: (no name) - {599D53DB-B54C-BD94-6604-9C3C6058E0C4} - (no file)
    O2 - BHO: (no name) - {6A857019-91D0-9D02-A848-E82B2CE6D99E} - (no file)
    O2 - BHO: (no name) - {88F78A1D-CD35-40F0-B3E5-946FB1BBF89A} - (no file)
    O2 - BHO: (no name) - {9C8A6B4D-6D6E-4843-891C-04439102F574} - (no file)
    O2 - BHO: (no name) - {A56A934A-85F4-4388-A362-BEB546E8F73C} - (no file)
    O2 - BHO: (no name) - {AAEE8DC8-830F-496F-AE31-8D4A51C01914} - (no file)
    O2 - BHO: (no name) - {B3FBAB34-16AC-4E79-DC2F-3EE600F60293} - (no file)
    O2 - BHO: (no name) - {f1b580b4-b04c-470f-8e10-0b5224ebab90} - (no file)
    O4 - HKLM\..\Run: [54323f93] rundll32.exe "C:\WINDOWS\system32\yagwgcwy.dll",b
    O4 - HKCU\..\Run: [Uvyi] C:\WINDOWS\system32\WWEXEC~1.EXE
    O20 - Winlogon Notify: hggfgge - C:\WINDOWS\
    O20 - Winlogon Notify: loctmiga - C:\WINDOWS\
    O20 - Winlogon Notify: msutil - C:\WINDOWS\
    O20 - Winlogon Notify: req - C:\WINDOWS\


  3. Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
B. 1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\yagwgcwy.dll
C:\WINDOWS\system32\REQ.DLL

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please re-enable all the programs that were disabled during the running of ComboFix then post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
ComboFix 07-11-19.4 - max 2007-12-06 19:30:05.5 - NTFSx86
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\REQ.DLL
C:\WINDOWS\system32\yagwgcwy.dll
.

((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 19:14 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-06 19:12 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:39 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prcp.nls
2007-11-22 19:38 83,748 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\prc.nls
2007-11-22 19:38 57,856 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_scripto.dll
2007-11-22 19:38 26,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_seos.dll
2007-11-22 19:38 23,040 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_regtrace.exe
2007-11-22 19:38 12,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_smtpctrs.dll
2007-11-22 19:38 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_snprfdll.dll
2007-11-22 19:37 482,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlgnt.ime
2007-11-22 19:37 131,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxviceo.dll
2007-11-22 19:37 70,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pintlphr.exe
2007-11-22 19:37 67,584 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmigrate.dll
2007-11-22 19:37 65,536 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_mailmsg.dll
2007-11-22 19:37 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_ntfsdrv.dll
2007-11-22 19:37 36,927 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs411.dll
2007-11-22 19:37 14,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\padrs412.dll
2007-11-22 19:37 11,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxmcro.dll
2007-11-22 19:37 6,144 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\pmxgl.dll
2007-11-22 19:36 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:36 10,129,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxkor.dll
2007-11-22 19:36 10,096,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxcht.dll
2007-11-22 19:36 173,602 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_20002.nls
2007-11-22 19:36 54,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cap7146.sys
2007-11-22 19:36 43,520 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_fcachdll.dll
2007-11-22 19:36 24,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fpadmcgi.exe
2007-11-22 19:36 14,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\flattemp.exe
2007-11-22 19:36 7,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\f3ahvoas.dll
2007-11-22 19:35 188,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cfgwiz.exe
2007-11-22 19:35 162,850 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\c_10001.nls
2007-11-22 19:35 45,056 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_aqadmin.dll
2007-11-22 19:35 5,632 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\EXCH_adsiisex.dll
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:28 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 18:10 2,012,670 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5.CAT
2007-11-22 18:10 1,086,058 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NTPRINT.CAT
2007-11-22 18:10 1,042,903 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\SP2.CAT
2007-11-22 18:10 797,189 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5IIS.CAT
2007-11-22 18:10 399,645 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MAPIMIG.CAT
2007-11-22 18:10 382,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\NT5INF.CAT
2007-11-22 18:10 37,484 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\MW770.CAT
2007-11-22 18:10 31,281 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\FP4.CAT
2007-11-22 18:10 24,661 --a------ C:\WINDOWS\SYSTEM32\spxcoins.dll
2007-11-22 18:10 24,661 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\spxcoins.dll
2007-11-22 18:10 13,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\HPCRDP.CAT
2007-11-22 18:10 13,312 --a------ C:\WINDOWS\SYSTEM32\irclass.dll
2007-11-22 18:10 8,574 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\IASNT4.CAT
2007-11-22 18:10 7,710 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\OEMBIOS.CAT
2007-11-22 18:10 7,334 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\wmerrenu.cat
2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-11-07 15:19 --------- d-----w C:\Program Files\Dl_cats
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-06 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot_2007-12-02_14.49.28.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:44:37 6,940,722 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2007-12-06 19:24:47 7,060,547 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
- 2007-11-26 18:15:42 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
+ 2007-12-02 18:32:04 8,880,640 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]
C:\WINDOWS\system32\NavLogon.dll 2004-02-12 11:38 45172 C:\WINDOWS\SYSTEM32\NavLogon.dll

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 19:35:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 19:36:48
C:\ComboFix2.txt ... 2007-12-05 21:29
C:\ComboFix3.txt ... 2007-12-02 14:50
.
--- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:31, on 06/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11177 bytes
 
Hello sludgeguts,

Let's do a quick panda scan and see what else is still hiding out, I believe we might be nearing completion here :)

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
 
Incident Status Location

Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/comet Not disinfected Windows Registry
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Briss\Cookies\briss@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Briss\Cookies\briss@888[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Briss\Cookies\briss@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Briss\Cookies\briss@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Briss\Cookies\briss@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Briss\Cookies\briss@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Briss\Cookies\briss@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Briss\Cookies\briss@bs.serving-sys[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Briss\Cookies\briss@cassava[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Briss\Cookies\briss@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Briss\Cookies\briss@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Briss\Cookies\briss@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Briss\Cookies\briss@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Briss\Cookies\briss@serving-sys[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Briss\Cookies\briss@tradedoubler[2].txt
Spyware:Cookie/Golden Palace Online Casino Not disinfected C:\Documents and Settings\Briss\Cookies\briss@www.goldenpalace[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mark\Cookies\mark@ad.yieldmanager[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mark\Cookies\mark@advertising[4].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\mark\Cookies\mark@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mark\Cookies\mark@atdmt[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[3].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[4].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\mark\Cookies\mark@casalemedia[5].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\mark\Cookies\mark@doubleclick[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mark\Cookies\mark@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\mark\Cookies\mark@perf.overture[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\mark\Cookies\mark@statse.webtrendslive[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\max\Cookies\max@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\max\Cookies\max@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\max\Cookies\max@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\max\Cookies\max@bs.serving-sys[2].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\max\Cookies\max@casinotropez[2].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\max\Cookies\max@fl01.ct2.comclick[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\max\Cookies\max@i.screensavers[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\max\Cookies\max@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\max\Cookies\max@int.sitestat[2].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\max\Cookies\max@pacificpoker[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\max\Cookies\max@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\max\Cookies\max@serving-sys[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\max\Cookies\max@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\max\Cookies\max@tradedoubler[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\max\Cookies\max@xiti[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\max\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\max\Desktop\ComboFix.exe[nircmd.cfexe]
 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@adultfriendfinder[1].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@adviva[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@as1.falkag[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@azjmp[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ccbill[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@gostats[2].txt
Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@ilead.itrack[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@int.sitestat[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@server.iad.liveperson[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@statse.webtrendslive[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@tradedoubler[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@weborama[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@webpower[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\mickey\Cookies\mickey@yadro[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mickey\Local Settings\Temp\Cookies\mickey@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\mickey\Local Settings\Temp\Cookies\mickey@doubleclick[1].txt
Virus:Generic Malware Disinfected C:\Documents and Settings\mickey\Local Settings\Temp\sta39F.exe
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\sam\Cookies\sam@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sam\Cookies\sam@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sam\Cookies\sam@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\sam\Cookies\sam@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\sam\Cookies\sam@adopt.hbmediapro[1].txt
Spyware:Cookie/ads.tripod.lycos.com Not disinfected C:\Documents and Settings\sam\Cookies\sam@ads.tripod.lycos[3].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\sam\Cookies\sam@adultfriendfinder[1].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\sam\Cookies\sam@adviva[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\sam\Cookies\sam@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\sam\Cookies\sam@belnk[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\sam\Cookies\sam@cassava[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\sam\Cookies\sam@cs.sexcounter[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\sam\Cookies\sam@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\sam\Cookies\sam@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\sam\Cookies\sam@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@drivecleaner[2].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\sam\Cookies\sam@fe.lea.lycos[1].txt
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\sam\Cookies\sam@fl01.ct2.comclick[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\sam\Cookies\sam@goclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\sam\Cookies\sam@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\sam\Cookies\sam@i.screensavers[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\sam\Cookies\sam@kount[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\sam\Cookies\sam@mp3search[1].txt
Spyware:Cookie/WegCash Not disinfected C:\Documents and Settings\sam\Cookies\sam@programs.wegcash[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\sam\Cookies\sam@rightmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\sam\Cookies\sam@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sam\Cookies\sam@server.iad.liveperson[1].txt
 
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@stats.drivecleaner[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\sam\Cookies\sam@statse.webtrendslive[2].txt
Spyware:Cookie/SaveNow Not disinfected C:\Documents and Settings\sam\Cookies\sam@tracking.thunderdownloads[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\sam\Cookies\sam@tradedoubler[1].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\sam\Cookies\sam@weborama[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\sam\Cookies\sam@webpower[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.drivecleaner[1].txt
Spyware:Cookie/Intelli-tracker Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.intelli-tracker[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.myaffiliateprogram[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\sam\Cookies\sam@www.web-stat[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\sam\Cookies\sam@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\sam\Cookies\sam@xmts[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\sam\Cookies\sam@xxxcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\sam\Cookies\sam@yadro[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\sue\Cookies\sue@112.2o7[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@247realmedia[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\sue\Cookies\sue@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\sue\Cookies\sue@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\sue\Cookies\sue@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\sue\Cookies\sue@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\sue\Cookies\sue@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@anm.co[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\sue\Cookies\sue@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\sue\Cookies\sue@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\sue\Cookies\sue@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\sue\Cookies\sue@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\sue\Cookies\sue@bs.serving-sys[2].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\sue\Cookies\sue@centrport[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\sue\Cookies\sue@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\sue\Cookies\sue@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\sue\Cookies\sue@did-it[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\sue\Cookies\sue@doubleclick[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\sue\Cookies\sue@enhance[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\sue\Cookies\sue@int.sitestat[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\sue\Cookies\sue@int.sitestat[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\sue\Cookies\sue@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\sue\Cookies\sue@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\sue\Cookies\sue@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\sue\Cookies\sue@questionmarket[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\sue\Cookies\sue@revenue[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\sue\Cookies\sue@rightmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\sue\Cookies\sue@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\sue\Cookies\sue@server.iad.liveperson[4].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\sue\Cookies\sue@serving-sys[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\sue\Cookies\sue@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\sue\Cookies\sue@statcounter[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\sue\Cookies\sue@tickle[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\sue\Cookies\sue@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\sue\Cookies\sue@www.myaffiliateprogram[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\sue\Cookies\sue@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\sue\Cookies\sue@xmts[2].txt
 
Adware:Adware/PurityScan Not disinfected C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\audofben.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\cnjvjtqk.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\jokpcjje.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\qpkvyobf.exe.vir
Adware:Adware/PurityScan Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\regsvr32.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\rxdnblub.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32\uansobhs.exe.vir
Spyware:Spyware/Vundo Not disinfected C:\qoobox\Quarantine\catchme2007-11-27_112830.07.zip[jkhhe.dll]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Virus:Trj/Lineage.AJO Disinfected C:\WINDOWS\SYSTEM32\dhsoux.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\Shex.exe
 
Hello sludgeguts :)

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\system32\oins.exe

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D62A517-E7C6-4E1F-A577-07D4AC549A48}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Last edited:
ComboFix 07-12-08.1 - max 2007-12-08 9:20:53.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.179 [GMT 0:00]
Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\SYSTEM32\Shex.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oins.exe
C:\WINDOWS\SYSTEM32\Shex.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-08 to 2007-12-08 )))))))))))))))))))))))))))))))
.

2007-12-08 09:11 . 2007-12-08 09:11 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-07 15:54 . 2007-12-07 18:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-07 15:54 . 2007-12-07 15:54 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-07 15:54 . 2007-12-07 15:54 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-06 19:12 . 2007-12-08 09:08 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 . 2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 . 2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-24 18:43 . 2007-12-05 21:13 808,848 ---hs---- C:\WINDOWS\SYSTEM32\ywcgwgay.ini
2007-11-23 20:50 . 2007-11-23 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:59 . 2007-11-22 19:59 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-11-22 19:39 . 2004-08-12 14:10 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:37 . 2004-08-12 13:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-11-22 19:36 . 2004-08-12 13:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:35 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:29 . 2004-08-12 13:58 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-11-22 19:28 . 2004-08-12 13:57 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 . 2004-08-12 13:57 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 . 2004-08-12 13:57 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 . 2004-08-12 13:58 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 . 2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 17:58 . 2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 . 2007-11-23 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 . 2007-12-05 21:24 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 . 2007-12-07 18:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 . 2007-12-08 09:10 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 . 2007-12-07 19:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 . 2007-11-18 21:03 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 . 2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 11:39 . 2007-11-17 14:59 489 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 18:09 --------- d-----w C:\Program Files\iTunes
2007-12-07 17:58 --------- d-----w C:\Program Files\DellSupport
2007-12-07 17:57 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-12-07 17:56 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-07 17:55 --------- d-----w C:\Program Files\btbb_wcm
2007-12-07 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-07 15:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-06 19:12 2,811,364 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-27 07:30 61,539 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_20_small.dmp.zip
2007-11-27 07:30 61,435 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_32_small.dmp.zip
2007-11-25 19:49 194,771 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_20_small.dmp.zip
2007-11-25 19:49 180,683 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_39_small.dmp.zip
2007-11-21 10:38 66,056 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_39_55_small.dmp.zip
2007-11-21 10:38 215,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_51_small.dmp.zip
2007-11-21 10:38 185,660 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_29_small.dmp.zip
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-08 14:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-08 09:26:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-08 9:27:35
C:\ComboFix2.txt ... 2007-12-06 19:36
C:\ComboFix3.txt ... 2007-12-05 21:29
.
--- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:58, on 08/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11258 bytes
 
Hello sludgeguts,

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\SYSTEM32\ywcgwgay.ini

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
ComboFix 07-12-08.1 - max 2007-12-09 12:44:41.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.305 [GMT 0:00]Running from: C:\Documents and Settings\max\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\max\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\ywcgwgay.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\ywcgwgay.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-07 15:54 . 2007-12-07 18:35 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-12-07 15:54 . 2007-12-07 15:54 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2007-12-07 15:54 . 2007-12-07 15:54 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2007-12-06 19:12 . 2007-12-09 08:36 0 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\lvuvc.hs
2007-12-02 14:41 . 2007-12-02 14:41 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-02 14:41 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2007-11-27 07:55 . 2007-11-27 07:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-26 18:49 . 2007-11-26 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 20:50 . 2007-11-23 20:52 <DIR> d-------- C:\Program Files\Safer Networking
2007-11-22 19:59 . 2007-11-22 19:59 2,422 --a------ C:\WINDOWS\SYSTEM32\wpa.bak
2007-11-22 19:39 . 2004-08-12 14:10 28,288 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\xjis.nls
2007-11-22 19:37 . 2004-08-12 13:58 1,875,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2007-11-22 19:36 . 2004-08-12 13:58 13,463,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2007-11-22 19:35 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\fp4awel.dll
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2007-11-22 19:30 . 2007-11-22 19:30 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2007-11-22 19:29 . 2004-08-12 13:58 16,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\isignup.exe
2007-11-22 19:28 . 2004-08-12 13:57 214,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn1.exe
2007-11-22 19:28 . 2004-08-12 13:57 86,016 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwconn2.exe
2007-11-22 19:28 . 2004-08-12 13:57 32,768 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\icwdl.dll
2007-11-22 19:28 . 2004-08-12 13:58 20,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\inetwiz.exe
2007-11-22 18:11 . 2007-11-22 18:11 34 --a------ C:\WINDOWS\SYSTEM\oeminfo.ini
2007-11-22 17:58 . 2007-11-22 17:58 <DIR> d-------- C:\WINDOWS\dell
2007-11-20 20:03 . 2007-11-23 20:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-18 19:53 . 2007-12-08 22:03 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-11-18 19:52 . 2007-12-07 18:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-11-18 19:52 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-11-18 19:51 . 2007-12-09 08:37 351,888 --a------ C:\WINDOWS\SYSTEM32\vsconfig.xml
2007-11-18 19:50 . 2007-12-08 19:59 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-18 19:06 . 2007-11-18 21:03 <DIR> d-------- C:\Program Files\Registry Defender
2007-11-18 13:24 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-11-18 13:24 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2007-11-17 17:38 . 2007-11-17 17:38 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-17 11:39 . 2007-11-17 14:59 489 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-08 14:13 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-08 13:52 --------- d-----w C:\Program Files\GSC Game World
2007-12-08 13:51 --------- d-----w C:\Program Files\Microsoft Games
2007-12-07 18:09 --------- d-----w C:\Program Files\iTunes
2007-12-07 17:58 --------- d-----w C:\Program Files\DellSupport
2007-12-07 17:57 --------- d-----w C:\Program Files\Dell Photo AIO Printer 922
2007-12-07 17:56 --------- d-----w C:\Program Files\Common Files\Motive
2007-12-07 17:55 --------- d-----w C:\Program Files\btbb_wcm
2007-12-07 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-12-07 15:48 --------- d-----w C:\Program Files\Dl_cats
2007-12-06 19:12 2,811,364 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-02 14:41 --------- d-----w C:\Program Files\Java
2007-11-29 09:03 --------- d-----w C:\Program Files\BitLord
2007-11-27 07:30 61,539 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_20_small.dmp.zip
2007-11-27 07:30 61,435 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_11_25_21_44_32_small.dmp.zip
2007-11-25 19:49 194,771 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_20_small.dmp.zip
2007-11-25 19:49 180,683 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_25_18_01_39_small.dmp.zip
2007-11-21 10:38 66,056 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_39_55_small.dmp.zip
2007-11-21 10:38 215,145 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_51_small.dmp.zip
2007-11-21 10:38 185,660 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_19_20_32_29_small.dmp.zip
2007-11-17 17:37 --------- d-----w C:\Program Files\Logitech
2007-11-17 17:37 --------- d-----w C:\Program Files\Common Files\logishrd
2007-11-17 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-12 17:47 --------- d-----w C:\Documents and Settings\max\Application Data\HP
2007-10-15 20:03 --------- d-----w C:\Program Files\Full Tilt Poker.Net
2007-10-11 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2005-05-02 12:42 374,279 --sh--w C:\WINDOWS\Help\litusm.bak1
.

((((((((((((((((((((((((((((( snapshot@2007-12-08_ 9.26.50.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-17 14:08:21 53,248 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2007-12-08 14:12:18 53,248 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2006-12-17 14:08:21 12,800 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2007-12-08 14:12:18 12,800 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2006-12-17 14:08:21 473,600 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2007-12-08 14:12:18 473,600 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2006-12-17 14:08:17 2,676,224 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:14 2,676,224 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 2,846,720 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 2,846,720 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 563,712 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 563,712 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:18 567,296 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:15 567,296 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 576,000 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 576,000 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 577,024 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 577,024 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:19 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:16 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:20 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:17 577,536 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:20 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:17 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:21 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2007-12-08 14:12:19 578,560 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-12-17 14:08:21 145,920 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2007-12-08 14:12:20 145,920 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2006-12-17 14:08:22 159,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2007-12-08 14:12:20 159,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2006-12-17 14:08:22 364,544 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2007-12-08 14:12:20 364,544 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2006-12-17 14:08:22 178,176 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2007-12-08 14:12:20 178,176 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2006-12-17 14:08:20 223,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2007-12-08 14:12:18 223,232 ----a-w C:\WINDOWS\ASSEMBLY\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 10:14]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 13:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-01-26 00:41]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 01:01]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-06-18 15:30]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 11:52]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05]
"vptray"="C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" [2004-02-12 11:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 13:55 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 10:06]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 18:55]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-11-30 10:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 12:34]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" []
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 13:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-12 14:01 C:\WINDOWS\SYSTEM32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 05:00]

C:\Documents and Settings\sam\Start Menu\Programs\Startup\
eTomi Pro On Startup.lnk - C:\Program Files\eTomiPro\Gui\etomipro.exe [2005-02-08 14:15:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-03-16 14:24:02]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2007-10-05 19:37:10]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe [2005-02-07 18:53:16]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-01-28 18:35:59]
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 17:10:04]

S3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys
S3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINDOWS\system32\drivers\BTNetFilter.sys
S3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys
S3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20452f93-714b-11d9-a746-806d6172696f}]
\Shell\AutoRun\command - D:\Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-05 14:32:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 12:50:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-09 12:50:47
C:\ComboFix2.txt ... 2007-12-08 09:27
C:\ComboFix3.txt ... 2007-12-06 19:36
.
--- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:06:58, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZipm12.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm413YYGB
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1195318132796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/prequal/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11409 bytes
 
Hello sludgeguts,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCxdm413YYGB
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -


Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Your logs are looking much better, how is your computer currently running?
 
Have done as you asked computer seems to be in a much better state from where we began is there anything else you would like me to do
 
Hello sludgeguts,

Go ahead and delete the following folder now:

C:\Qoobox

Go ahead and remove any tools we used during your fix now, as they will no longer be needed.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  2. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources
  3. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  4. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls
  5. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  6. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware
  7. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
 
Back
Top