
Solve : Google, internet bugs...?


OK, well, I've been having some problems where every time I click a link through Google I get redirected to some spam sites. It can be worked around by copying the address into the bar, but I can't seem to access any antivirus sites to help me out. I already know that this computer is screwed up badly, but any help would be appreciated. I have a HijackThis scan here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:50 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\program files\u-storage tool2.91\ustorage.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\BearShare Pro\Bearshare.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gymnastics.bc.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\Media\csrss.exe
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O1 - Hosts: localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Spybot-S&D IE PROTECTION - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.91\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.91
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: MRI_DISABLED
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://web.tickle.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187695319359
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nicholas92.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision CORPORATION - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 12691 bytes

Please print these instructions as they will be needed later when Internet access is not available.
 
Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/149534018/SDFix.exe.html
 
When using this tool, you must use the Administrator's account or an account with Administrative rights

  • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
 
Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.
Sorry, should have mentioned this: I've tried booting into safe mode and I receive a blue screen stating my video card is non-operational.. Hmmmm.

We will have to do this the hard way then....

Download HostsXpert http://rapidshare.com/files/149571938/HostsXpert.zip.html
  • Unzip HostsXpert to your Desktop
  • Open up the HostsXpert program.
  • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  • Click Create Back Up
  • Then click on Restore Microsoft's Host Files
  • Close the HostsXpert program
----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\Media\csrss.exe
- F3 - REG:win.ini: load=
- F3 - REG:win.ini: run=
- O1 - Hosts: <- If there are any O1 - Hosts entries left then place a check mark next to ALL of them
- O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
- O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
- O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
- O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
- O18 - Filter hijack: text/html - (no CLSID) - (no file)


Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix by sUBs http://rapidshare.com/files/149571747/ComboFix.exe.html Be sure to save it to the Desktop.

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
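As an added example (not code from this thread, from HijackThis or from the tools it names), the following Python script encodes the triage rules the helper applied by hand to the log above: a Shell= value that loads anything beyond explorer.exe, hosts entries other than localhost, BHO/toolbar/filter entries with no backing file, and a Run entry that launches a core-Windows-named binary such as svchost.exe from outside the system directory. The function names, the `SYSTEM_BINARIES` and `SYSTEM_DIRS` sets and the embedded sample lines are the author's own choices for illustration.

```python
import re
from dataclasses import dataclass

# Windows binaries that legitimately run only from the system directories.
# Malware commonly borrows these names and drops its copy somewhere else.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


@dataclass
class Finding:
    line: str
    reason: str


# "F2 - ...", "O4 - ...", "R0 - ..." : section tag, separator, entry body.
_ENTRY = re.compile(r"^([FRO]\d+)\s+-\s+(.*)$")
# First Windows .exe path in a Run command line, quoted or not.
_EXE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)


def _split_path(path: str):
    """Return (directory, basename), both lower-cased, for a Windows path."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def triage_line(line: str):
    """Return a reason if a HijackThis log line matches a triage rule, else None."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()

    # F2: system.ini Shell= must be exactly explorer.exe; anything appended
    # is started at every logon alongside the desktop.
    if kind == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip().lower()
        if shell != "explorer.exe":
            return "Shell= launches an extra program at logon"

    # O1: the default hosts file maps only localhost; every other entry
    # blocks or redirects a name the user did not choose.
    if kind == "O1" and "Hosts:" in body:
        host = body.split("Hosts:", 1)[1].strip().lower()
        if host and host != "localhost":
            return "non-default hosts entry"

    # O2/O3/O18: a registered browser object whose file is gone (or which
    # has no CLSID) is an orphan of a removal or a hidden component.
    if kind in {"O2", "O3", "O18"} and ("(no file)" in body or "(no CLSID)" in body):
        return "orphaned entry with no backing file"

    # O4: a binary carrying a core Windows name that runs from a
    # directory other than the system directories.
    if kind == "O4" and "Run:" in body:
        exe = _EXE.search(body.split("]", 1)[-1])
        if exe:
            directory, name = _split_path(exe.group(1))
            if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
                return f"{name} launched from non-system path {directory}"
    return None


def triage(log_text: str):
    """Run triage_line over every line of a HijackThis log and collect hits."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


# Constructed sample: a handful of entries taken from the log in the thread
# plus benign ones, so the rules can be exercised offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gymnastics.bc.ca/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\Media\csrss.exe
O1 - Hosts: localhost
O1 - Hosts: 0.r.msn.com
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45s} {f.line}")
```

Running it on the sample flags the five entries the helper told the poster to fix and leaves the legitimate ctfmon, Avira and Adobe entries alone.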

ComboFix 08-09-28.03 - Owner 2008-09-29 21:40:43.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.837 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\vsadd-in
C:\WINDOWS\cookies.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\TDSSadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\TDSSl.dll
C:\WINDOWS\system32\TDSSlog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\TDSSserf1.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\windows_update.exe
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_TDSSSERV
-------\Service_TDSSserv


(((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-30  )))))))))))))))))))))))))))))))
.

2008-09-29 21:14 . 2008-09-28 23:28      d--------   C:\SDFix
2008-09-29 19:33 . 2008-09-29 19:33      d--------   C:\Program Files\Trend Micro
2008-09-29 18:36 . 2008-09-29 18:36      d--------   C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-13 22:00 . 2008-06-13 04:05   272,128   -----c---   C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-13 21:58 . 2008-04-11 12:04   691,712   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-13 20:18 . 2008-09-13 20:18   2,833   --a------   C:\WINDOWS\system32\spupdsvc.inf
2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\system32\scripting
2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\system32\en
2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\l2schemas
2008-09-12 18:09 . 2008-04-13 17:12   69,120   ---------   C:\WINDOWS\system32\wlanapi.dll
2008-09-09 16:18 . 2008-09-20 13:28      d--------   C:\Documents and Settings\Owner\Application Data\SPORE
2008-09-09 16:18 . 2008-09-09 16:18      dr-h-----   C:\Documents and Settings\Owner\Application Data\SecuROM
2008-09-09 16:17 . 2008-09-09 16:17      d--------   C:\ProgramData
2008-09-09 16:17 . 2008-09-09 16:17   1,216   --a------   C:\WINDOWS\system32\ealregsnapshot1.reg
2008-09-09 16:06 . 2008-09-09 16:17      d--------   C:\Program Files\Electronic Arts
2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\PowerDVD
2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\CyberLink
2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\Common Files\Sonic
2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Documents and Settings\Owner\Application Data\Sonic
2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
2008-09-09 15:53 . 2008-09-09 15:54      d--------   C:\Program Files\Sonic_RecordNow
2008-09-09 15:53 . 2008-09-09 15:53      d--------   C:\Program Files\Sonic
2008-09-09 15:53 . 2008-09-09 15:56      d--------   C:\Program Files\HP DVD
2008-09-09 15:53 . 2008-09-09 15:54      d--------   C:\Program Files\Common Files\SureThing Shared
2008-09-09 15:53 . 2008-09-09 15:53      d--------   C:\Program Files\Common Files\LightScribe
2008-09-06 15:53 . 2008-09-06 15:53   90,112   --a------   C:\WINDOWS\system32\vudgnalc.exe
2008-09-06 15:09 . 2008-09-06 15:09   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
2008-09-06 12:42 . 2008-09-17 17:54      d--------   C:\Documents and Settings\All Users\Application Data\xkngtopm
2008-09-04 16:41 . 2008-09-04 16:43      d--------   C:\Program Files\FreeSpace2
2008-09-02 16:41 . 2008-09-02 16:41      d--------   C:\WINDOWS\Logs
2008-08-29 10:18 . 2008-08-29 10:18   87,336   --a------   C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53   61,440   --a------   C:\WINDOWS\system32\dnssd.dll
2008-08-29 08:59 . 2008-08-29 09:00      d--------   C:\Program Files\pspvideo9
2008-08-28 17:27 . 2008-08-28 17:27      d--------   C:\Documents and Settings\Owner\Application Data\BearShare
2008-08-28 17:26 . 2008-08-28 17:26      d--------   C:\Program Files\BearShare Applications
2008-08-28 17:26 . 2007-11-22 07:00   483,328   --a------   C:\WINDOWS\system32\actskn45.ocx
2008-08-28 13:04 . 2008-08-28 13:04      d--------   C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-28 12:39 . 2008-08-28 12:39      d--------   C:\Program Files\Common Files\Macrovision Shared
2008-08-27 11:34 . 2008-08-27 11:34      d--------   C:\Documents and Settings\Owner\Application Data\Corel
2008-08-27 11:34 . 2008-08-27 11:34      d--------   C:\Documents and Settings\All Users\Application Data\Corel
2008-08-27 11:33 . 2008-08-27 11:33      d--------   C:\Program Files\Common Files\Corel
2008-08-19 13:33 . 2008-08-19 13:33      d--------   C:\Documents and Settings\Owner\Application Data\SmartFTP
2008-08-19 13:31 . 2008-08-19 13:49      d--------   C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-08-18 08:19 . 2008-08-27 11:31   848   --ahs----   C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-18 08:16 . 2008-08-27 11:33      d--------   C:\Program Files\Corel
2008-08-15 03:04 . 2008-09-13 20:18   2,675   --a------   C:\WINDOWS\imsins.BAK
2008-08-14 20:31 . 2008-05-01 07:33   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 04:30   ---------   d-----w   C:\Program Files\Mozilla Firefox 3 Beta 4
2008-09-30 02:07   ---------   d-----w   C:\Program Files\RegScrubXP
2008-09-30 01:36   ---------   d-----w   C:\Program Files\iTunes
2008-09-30 01:36   ---------   d-----w   C:\Program Files\iPod
2008-09-30 01:31   ---------   d-----w   C:\Program Files\QuickTime
2008-09-30 01:31   ---------   d-----w   C:\Program Files\Common Files\Apple
2008-09-30 01:25   ---------   d-----w   C:\Program Files\Bonjour
2008-09-30 01:21   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic
2008-09-29 22:52   ---------   d-----w   C:\Program Files\LogMeIn
2008-09-28 19:34   ---------   d-----w   C:\Program Files\GoldWave
2008-09-28 02:34   20   ---h--w   C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-09-25 02:35   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\uTorrent
2008-09-22 02:34   ---------   d-----w   C:\Program Files\Nexon
2008-09-13 23:15   ---------   d-----w   C:\Program Files\Random
2008-09-09 23:42   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-09 23:02   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-09-06 22:56   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\wsInspector
2008-09-06 20:28   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\BOC425
2008-09-06 20:27   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-06 19:50   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 23:08   ---------   d-----w   C:\Program Files\JkDefrag
2008-08-30 22:35   ---------   d-----w   C:\Program Files\Messenger Plus! Live
2008-08-30 22:02   ---------   d-----w   C:\Program Files\Guild Wars
2008-08-29 16:00   ---------   d-----w   C:\Program Files\AviSynth 2.5
2008-08-28 19:58   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-08-28 15:31   ---------   d-----w   C:\Program Files\Apple Software Update
2008-08-19 23:33   ---------   d-----w   C:\Program Files\Microsoft Silverlight
2008-07-31 23:31   ---------   d-----w   C:\Program Files\Microsoft Reader
2008-07-31 23:03   ---------   d-----w   C:\Program Files\uTorrent Extreme Leecher Edition
2008-07-30 20:43   ---------   d-----w   C:\Program Files\uTorrent
2008-07-28 03:15   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-05-23 02:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-05-23 02:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
2007-07-18 00:26   1,196,113   --sh--w   C:\WINDOWS\inf\bwepft.bak1
2007-07-18 04:46   1,228,292   --sh--w   C:\WINDOWS\inf\bwepft.ini2
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"UStorag"="c:\program files\u-storage tool2.91\ustorage.exe" [2004-09-01 335967]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 57344]
"DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 184320]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-01-18 41041]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\softnyx\\Rakion\\Bin\\Rakion.bin"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\BearShare Pro\\Bearshare.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-14 22336]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 45376]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 24635]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [ ]
S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStoryT\GameGuard\dump_wmimmc.sys [ ]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Program Files\OMS\MapleStory\DXWnd\Cheat Engine\IlvMoney1148.sys [ ]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 USTOR;U-Storage Controller;C:\WINDOWS\system32\DRIVERS\UStork.sys [2004-08-17 20218]
S4 Abel;Abel;C:\Program Files\Cain\Abel.exe [ ]
S4 Multimedia_Interface;Multimedia_Interface;C:\WINDOWS\System32\dllcache\aysshell.exe [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\w9vybtzu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.gymnastics.bc.ca/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npdivx32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npDivxPlayerPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npLegitCheckPlugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin7.dll
.
.
------- File Associations -------
.
txtfile=C:\WINDOWS\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 21:45:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning HIDDEN processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCore.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-09-29 21:49:47 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-30 04:49:40

Pre-Run: 12,831,875,072 bytes free
Post-Run: 15,368,826,880 bytes free

288   --- E O F ---   2008-09-14 23:41:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:16 PM, on 9/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\program files\u-storage tool2.91\ustorage.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gymnastics.bc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.91\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.91
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - Global Startup: MRI_DISABLED
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://web.tickle.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187695319359
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://nicholas92.spaces.live.com/PhotoUpload/MsnPUpld.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8510 bytes
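A small triage script for the service and driver lines in the two logs above. This is an added example for this thread, not a tool the helper used or something ComboFix or HijackThis ship with. The sample lines are copied from the O23 section of the HijackThis log and from the R0/S3/S4 driver list in the ComboFix log; the checks it applies (binary missing on disk, binary sitting under dllcache or Application Data, publisher unreadable) are heuristics I chose for the example, and an entry they flag is something for a person to look at, not a verdict. The entries it flags here (the Cheat Engine and Cain drivers with no file behind them, LightScribe with no publisher, the Multimedia_Interface service pointing into dllcache) are exactly the lines a helper reads first when deciding what goes into a CFScript.

```python
"""Triage HijackThis O23 lines and ComboFix driver/service lines.

Added example for this thread (not from either tool). Two line formats are
parsed into one record type, then a few analyst heuristics are applied.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-14 22336]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [ ]
S4 Abel;Abel;C:\Program Files\Cain\Abel.exe [ ]
S4 Multimedia_Interface;Multimedia_Interface;C:\WINDOWS\System32\dllcache\aysshell.exe [ ]
"""

O23_PREFIX = "O23 - Service: "
# ComboFix driver line: <start> <name>;<display>;<path> [<date size>]  ("[ ]" = no file)
DRIVER_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
# HJT puts the service key name in trailing parentheses: "Display Name (KeyName)"
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")

# Directories where a legitimate service/driver binary is not expected.
# Heuristic list chosen for this example, not taken from the thread.
ODD_DIRS = ("\\dllcache\\", "\\application data\\", "\\temp\\",
            "\\local settings\\", "\\recycler\\")


@dataclass
class Entry:
    source: str           # "hjt" or "combofix"
    name: str             # service/driver key name
    path: str
    owner: str = ""       # HJT publisher column; ComboFix lines have none
    present: bool = True  # False when ComboFix shows "[ ]" (no file on disk)
    start: str = ""       # ComboFix start type, R0 (boot) .. S4 (disabled)


def parse_line(line):
    """Return an Entry for a recognised line, or None for anything else."""
    line = line.strip()
    if line.startswith(O23_PREFIX):
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)   # display - owner - path
        if len(parts) != 3:
            return None
        display, owner, path = parts
        m = SHORT_NAME_RE.search(display)
        return Entry("hjt", m.group(1) if m else display, path, owner=owner)
    m = DRIVER_RE.match(line)
    if m:
        return Entry("combofix", m.group("name"), m.group("path"),
                     present=bool(m.group("stamp").strip()), start=m.group("start"))
    return None


def triage(entry):
    """Reasons a human should look at this entry; an empty list means nothing unusual."""
    reasons = []
    low = entry.path.lower()
    if not entry.present:
        reasons.append("registered but no file on disk (stale entry or removed payload)")
    if any(d in low for d in ODD_DIRS):
        reasons.append("binary in a directory where services are not normally installed")
    if entry.owner == "Unknown owner":
        reasons.append("publisher could not be read from the file's version info")
    return reasons


def triage_log(text):
    """Parse every recognised line; return {name: [reasons]} for flagged entries only."""
    flagged = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            r = triage(e)
            if r:
                flagged.setdefault(e.name, []).extend(r)
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the sample it reports LightScribeService (publisher unreadable), CEDRIVER53 and Abel (registered, no file) and Multimedia_Interface (no file, and registered out of dllcache); the AntiVir, LogMeIn, WinPcap and avgntmgr lines pass. Paste a whole HijackThis or ComboFix log in place of SAMPLE_LOG and the unrecognised lines are simply skipped.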

Download Deckard's Association File Tool (DAFT) and save it to your desktop.
  • Double-click the daft.exe icon. Read the disclaimer and click OK
  • Click on the Scan button.
  • If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
  • Click the Fix button.
  • Re-scan and save a logfile.
  • By default, it will save as daft.txt
  • Post the contents of that logfile in your next reply.
.
----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
DOMAINSERVICE
TDSSSERV
TDSSserv

Folder::
C:\Documents and Settings\All Users\Application Data\xkngtopm

File::
C:\WINDOWS\system32\vudgnalc.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Update your Mozilla Firefox Browser
Recently there have been vulnerabilities detected in older versions of Mozilla Firefox.
It is strongly suggested that you update to the current version.
Mozilla Firefox 3.0
You can update it by clicking Help > Check for updates...

The current version is Mozilla Firefox 3.0.3

It might be best to uninstall the beta version and do a fresh install of the new one. http://www.mozilla.com/en-US/firefox/

----------

Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply.
    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    ----------

How is everything now?

    ComboFix 08-09-28.03 - Owner 2008-09-30  8:32:11.2 - NTFSx86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.889 [GMT -7:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
     * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\vudgnalc.exe
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\xkngtopm
    C:\WINDOWS\system32\vudgnalc.exe

    .
    (((((((((((((((((((((((((   Files Created from 2008-08-28 to 2008-09-30  )))))))))))))))))))))))))))))))
    .

    2008-09-29 21:14 . 2008-09-28 23:28      d--------   C:\SDFix
    2008-09-29 19:33 . 2008-09-29 19:33      d--------   C:\Program Files\Trend Micro
    2008-09-29 18:36 . 2008-09-29 18:36      d--------   C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-09-13 22:00 . 2008-06-13 04:05   272,128   -----c---   C:\WINDOWS\system32\dllcache\bthport.sys
    2008-09-13 21:58 . 2008-04-11 12:04   691,712   -----c---   C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-09-13 20:18 . 2008-09-13 20:18   2,833   --a------   C:\WINDOWS\system32\spupdsvc.inf
    2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\system32\scripting
    2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\system32\en
    2008-09-13 20:14 . 2008-09-13 20:14      d--------   C:\WINDOWS\l2schemas
    2008-09-12 18:09 . 2008-04-13 17:12   69,120   ---------   C:\WINDOWS\system32\wlanapi.dll
    2008-09-09 16:18 . 2008-09-20 13:28      d--------   C:\Documents and Settings\Owner\Application Data\SPORE
    2008-09-09 16:18 . 2008-09-09 16:18      dr-h-----   C:\Documents and Settings\Owner\Application Data\SecuROM
    2008-09-09 16:17 . 2008-09-09 16:17      d--------   C:\ProgramData
    2008-09-09 16:17 . 2008-09-09 16:17   1,216   --a------   C:\WINDOWS\system32\ealregsnapshot1.reg
    2008-09-09 16:06 . 2008-09-09 16:17      d--------   C:\Program Files\Electronic Arts
    2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\PowerDVD
    2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\CyberLink
    2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Program Files\Common Files\Sonic
    2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Documents and Settings\Owner\Application Data\Sonic
    2008-09-09 15:55 . 2008-09-09 15:55      d--------   C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-09-09 15:53 . 2008-09-09 15:54      d--------   C:\Program Files\Sonic_RecordNow
    2008-09-09 15:53 . 2008-09-09 15:53      d--------   C:\Program Files\Sonic
    2008-09-09 15:53 . 2008-09-09 15:56      d--------   C:\Program Files\HP DVD
    2008-09-09 15:53 . 2008-09-09 15:54      d--------   C:\Program Files\Common Files\SureThing Shared
    2008-09-09 15:53 . 2008-09-09 15:53      d--------   C:\Program Files\Common Files\LightScribe
    2008-09-06 15:09 . 2008-09-06 15:09   90,112   --a------   C:\WINDOWS\system32\QuickTimeVR.qtx
    2008-09-06 15:09 . 2008-09-06 15:09   57,344   --a------   C:\WINDOWS\system32\QuickTime.qts
    2008-09-04 16:41 . 2008-09-04 16:43      d--------   C:\Program Files\FreeSpace2
    2008-09-02 16:41 . 2008-09-02 16:41      d--------   C:\WINDOWS\Logs
    2008-08-29 10:18 . 2008-08-29 10:18   87,336   --a------   C:\WINDOWS\system32\dns-sd.exe
    2008-08-29 09:53 . 2008-08-29 09:53   61,440   --a------   C:\WINDOWS\system32\dnssd.dll
    2008-08-29 08:59 . 2008-08-29 09:00      d--------   C:\Program Files\pspvideo9
    2008-08-28 17:27 . 2008-08-28 17:27      d--------   C:\Documents and Settings\Owner\Application Data\BearShare
    2008-08-28 17:26 . 2008-08-28 17:26      d--------   C:\Program Files\BearShare Applications
    2008-08-28 17:26 . 2007-11-22 07:00   483,328   --a------   C:\WINDOWS\system32\actskn45.ocx
    2008-08-28 13:04 . 2008-08-28 13:04      d--------   C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-08-28 12:39 . 2008-08-28 12:39      d--------   C:\Program Files\Common Files\Macrovision Shared
    2008-08-27 11:34 . 2008-08-27 11:34      d--------   C:\Documents and Settings\Owner\Application Data\Corel
    2008-08-27 11:34 . 2008-08-27 11:34      d--------   C:\Documents and Settings\All Users\Application Data\Corel
    2008-08-27 11:33 . 2008-08-27 11:33      d--------   C:\Program Files\Common Files\Corel
    2008-08-19 13:33 . 2008-08-19 13:33      d--------   C:\Documents and Settings\Owner\Application Data\SmartFTP
    2008-08-19 13:31 . 2008-08-19 13:49      d--------   C:\Program Files\SmartFTP Client 3.0 Setup Files
    2008-08-18 08:19 . 2008-08-27 11:31   848   --ahs----   C:\WINDOWS\system32\KGyGaAvL.sys
    2008-08-18 08:16 . 2008-08-27 11:33      d--------   C:\Program Files\Corel
    2008-08-15 03:04 . 2008-09-13 20:18   2,675   --a------   C:\WINDOWS\imsins.BAK
    2008-08-14 20:31 . 2008-05-01 07:33   331,776   -----c---   C:\WINDOWS\system32\dllcache\msadce.dll

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-30 15:27   ---------   d-----w   C:\Program Files\LogMeIn
    2008-09-30 04:50   ---------   d-----w   C:\Program Files\Mozilla Firefox 3 Beta 4
    2008-09-30 02:07   ---------   d-----w   C:\Program Files\RegScrubXP
    2008-09-30 01:36   ---------   d-----w   C:\Program Files\iTunes
    2008-09-30 01:36   ---------   d-----w   C:\Program Files\iPod
    2008-09-30 01:31   ---------   d-----w   C:\Program Files\QuickTime
    2008-09-30 01:31   ---------   d-----w   C:\Program Files\Common Files\Apple
    2008-09-30 01:25   ---------   d-----w   C:\Program Files\Bonjour
    2008-09-30 01:21   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic
    2008-09-28 19:34   ---------   d-----w   C:\Program Files\GoldWave
    2008-09-28 02:34   20   ---h--w   C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
    2008-09-25 02:35   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-09-22 02:34   ---------   d-----w   C:\Program Files\Nexon
    2008-09-13 23:15   ---------   d-----w   C:\Program Files\Random
    2008-09-09 23:42   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-09-09 23:02   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
    2008-09-06 22:56   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\wsInspector
    2008-09-06 20:28   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\BOC425
    2008-09-06 20:27   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
    2008-09-06 19:50   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-09-03 23:08   ---------   d-----w   C:\Program Files\JkDefrag
    2008-08-30 22:35   ---------   d-----w   C:\Program Files\Messenger Plus! Live
    2008-08-30 22:02   ---------   d-----w   C:\Program Files\Guild Wars
    2008-08-29 16:00   ---------   d-----w   C:\Program Files\AviSynth 2.5
    2008-08-28 19:58   ---------   d-----w   C:\Program Files\Common Files\Adobe
    2008-08-28 15:31   ---------   d-----w   C:\Program Files\Apple Software Update
    2008-08-19 23:33   ---------   d-----w   C:\Program Files\Microsoft Silverlight
    2008-07-31 23:31   ---------   d-----w   C:\Program Files\Microsoft Reader
    2008-07-31 23:03   ---------   d-----w   C:\Program Files\uTorrent Extreme Leecher Edition
    2008-07-30 20:43   ---------   d-----w   C:\Program Files\uTorrent
    2008-07-28 03:15   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-07-18 04:46   1,228,292   --sh--w   C:\WINDOWS\inf\bwepft.ini2
    2007-07-18 00:26   1,196,113   --sh--w   C:\WINDOWS\inf\bwepft.bak1
    2006-11-19 00:17   831,027   --sha-w   C:\WINDOWS\inf\bwepft.tmp
    2007-05-23 02:14   8,784   ----a-w   C:\Program Files\mozilla firefox\plugins\ractrlkeyhook.dll
    2007-05-23 02:17   245,408   ----a-w   C:\Program Files\mozilla firefox\plugins\unicows.dll
    2007-07-18 00:26   1,196,113   --sh--w   C:\WINDOWS\inf\bwepft.bak1
    2007-07-18 04:46   1,228,292   --sh--w   C:\WINDOWS\inf\bwepft.ini2
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
    "EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
    "UStorag"="c:\program files\u-storage tool2.91\ustorage.exe" [2004-09-01 335967]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
    "BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2004-09-03 57344]
    "DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 184320]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Nikon Monitor.lnk - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
    Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-01-18 41041]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveSearch"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 01000000
    "NoRecentDocsNetHood"= 01000000
    "NoUserNameInStartMenu"= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-05-28 12:32 87352 C:\WINDOWS\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i420vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
    "C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
    "C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\softnyx\\Rakion\\Bin\\Rakion.bin"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\BearShare Pro\\Bearshare.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-14 22336]
    R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-07-17 45376]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
    S3 Apache2.2;Apache2.2;C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 24635]
    S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys [ ]
    S3 dump_wmimmc;dump_wmimmc;C:\Nexon\MapleStoryT\GameGuard\dump_wmimmc.sys [ ]
    S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Program Files\OMS\MapleStory\DXWnd\Cheat Engine\IlvMoney1148.sys [ ]
    S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\DRIVERS\libusb0.sys [2007-05-11 29184]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
    S3 USTOR;U-Storage Controller;C:\WINDOWS\system32\DRIVERS\UStork.sys [2004-08-17 20218]
    S4 Abel;Abel;C:\Program Files\Cain\Abel.exe [ ]
    S4 Multimedia_Interface;Multimedia_Interface;C:\WINDOWS\System32\dllcache\aysshell.exe [ ]
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-30 08:35:57
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Comodo\CBOClean\BOCore.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\LogMeIn\x86\ramaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\PROGRA~1\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-30  8:40:37 - machine was rebooted
    ComboFix-quarantined-files.txt  2008-09-30 15:40:31
    ComboFix2.txt  2008-09-30 04:49:49

    Pre-Run: 15,339,515,904 bytes free
    Post-Run: 15,326,818,304 bytes free

    206   --- E O F ---   2008-09-14 23:41:23
    DAFT Log saved on 2008-09-30 08:29:50
    -----------------------------------------------------------------------
    All associations okay!
    Malwarebytes' Anti-Malware 1.28
    Database version: 1222
    Windows 5.1.2600 Service Pack 3

    9/30/2008 3:39:29 PM
    mbam-log-2008-09-30 (15-39-29).txt

    Scan type: Quick Scan
    Objects scanned: 55071
    Time elapsed: 5 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    Everything seems to be working normally now, thank you for your help!
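A cross-view check over the Run entries in the logs above, added here as an example and not part of HijackThis, ComboFix or the helper's procedure. The idea is the one behind the catchme "hidden autostart entries" pass in the ComboFix log: two independent listings of the same registry key should agree, and a value that shows up in only one of them, or that points at a different file, deserves a look. The sample below takes the O4 HKLM/HKCU Run lines from the HijackThis log and the [HKEY_..\CurrentVersion\Run] values from the ComboFix "Reg Loading Points" section, which on this machine agree; one extra value ("example-only", a constructed name and path) is added to the ComboFix side only so the disagreement path is exercised. Assumptions: HJT keeps the command line and arguments while ComboFix shows only the image path, so arguments are stripped before comparing, and 8.3 short names such as C:\PROGRA~1 are compared as written, not expanded.

```python
"""Cross-view comparison of autorun (Run key) entries from two tools' logs.

Added example for this thread. Parses HijackThis 'O4 - HKLM\..\Run:' lines
and ComboFix '"Name"="path" [date size]' lines under the same Run keys, then
reports every value the two views do not agree on.
"""
import re

# Constructed sample: Run entries copied from the HijackThis and ComboFix logs
# in this thread, plus one made-up value ("example-only") present only in the
# ComboFix view so that a discrepancy is actually produced.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.91\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.91
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
"""

COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EA Core"="C:\Program Files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"UStorag"="c:\program files\u-storage tool2.91\ustorage.exe" [2004-09-01 335967]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 338432]
"example-only"="C:\Documents and Settings\All Users\Application Data\example\planted.exe" [2008-09-28 20480]
"""

HJT_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CF_KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\]$",
    re.I)
CF_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# Shortest prefix of a command line that ends in an executable extension.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|scr|bat|cmd|dll))"?(?:\s|$)', re.I)


def image_path(cmd):
    """Program path from a Run command line, arguments dropped, lower-cased.
    Handles quoted paths and unquoted paths containing spaces (Smtray.exe above)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd.strip()).lower()


def parse_hjt(text):
    """{(hive, value name): image path} from HijackThis O4 Run lines."""
    view = {}
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            view[(m.group("hive"), m.group("name").lower())] = image_path(m.group("cmd"))
    return view


def parse_combofix(text):
    """{(hive, value name): image path} from ComboFix's Reg Loading Points dump."""
    view, hive = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = CF_KEY_RE.match(line)
        if k:
            hive = HIVES[k.group("hive").upper()]
            continue
        if line.startswith("["):      # some other key: stop attributing values to Run
            hive = None
            continue
        v = CF_VAL_RE.match(line)
        if hive and v:
            view[(hive, v.group("name").lower())] = v.group("path").lower()
    return view


def cross_view(hjt_view, cf_view):
    """{(hive, name): (hjt path or None, combofix path or None)} for every disagreement."""
    diffs = {}
    for key in sorted(set(hjt_view) | set(cf_view)):
        a, b = hjt_view.get(key), cf_view.get(key)
        if a != b:
            diffs[key] = (a, b)
    return diffs


if __name__ == "__main__":
    for (hive, name), (a, b) in cross_view(parse_hjt(HJT_SAMPLE), parse_combofix(COMBOFIX_SAMPLE)).items():
        print(f"{hive}\\...\\Run\\{name}: HJT={a!r} ComboFix={b!r}")
```

On the sample the six real entries match and only the constructed "example-only" value is reported (seen by ComboFix, absent from HijackThis). A match does not prove the key is clean, it only means both tools saw the same thing; a mismatch is where to start looking, after first ruling out the boring causes (a program installed or removed between the two scans, or a tool that expanded a short name the other did not).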
    • Click START then RUN
    • Now type Combofix /u in the runbox
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.
    .
    .
    The above procedure will:
    • Delete:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:_OtMoveIt folder, if present
      • Reset the clock settings.
      • Hide file extensions, if required.
      • Hide System/Hidden files, if required.
      • Set a new, clean Restore Point.
      .
      ----------

      Set a New Restore Point to prevent possible reinfection from an old one
      Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
      • Go to Start > Programs > Accessories > System Tools and click System Restore
      • Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
      • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
      • Next go to Start > Run and type Cleanmgr
      • Click OK
      • Click the More Options Tab.
      • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide or Windows Vista System Restore Guide
      .
      ----------

      Use the Secunia Software Inspector to check for out of date software.
      • Click Start Now
      • Check the box next to Enable thorough system inspection.
      • Click Start
      • Allow the scan to finish and scroll down to see if any updates are needed.
      • Update anything listed.
      ----------

      Go to Microsoft Windows Update and get all critical updates.

      ----------

      Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

      Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

      To prevent unknown applications from being installed on your computer install WinPatrol 2008
      * Using Winpatrol to protect your computer from malicious software

      I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

      SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
      * Using SpywareBlaster to protect your computer from Spyware and Malware
      * If you don't know what ActiveX controls are, see here

      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

      Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

      Are there any tools out there that you can recommend to help protect my system better? Like a solid antivirus program etc.

      With that Secunia Software Inspector it shows that I had some vulnerable programs, but the thing was they were just repeat copies of what I already had. Like one copy was secure and I then had a few out of date copies. Any recommendations?

      Thanks again for all the help; things seem to be running just as they had before the bug. Still a few bugs that seem to never go away.

      The antivirus you have is one of the best. Nothing will stop everything.

      Quote
      Like one copy was secure and I then had a few out of date copies. Any recommendations?

      What was out of date?

      Adobe Flash Player 9.x - Have another copy that is secure
      Macromedia Flash Player 6.x
      Sun Java JRE 1.5.x / 5.x - Also another copy that is secure
      Sun Java JRE 1.6.x / 6.x
      Sun Java JRE 1.6.x / 6.x

