Seems I've got Vundo and a couple of other malware items.

Post by asaguda » January 12th, 2008, 4:58 pm

Okay, it seems I've got Vundo and a couple of other items on the computer that I don't really want. So far, Spybot S&D detected Vundo/VirtuMonde, and the other programs I have (AVG Antivirus and Antispyware, Ad-Aware, etc) didn't detect it.
Vundo apparently caused Spybot to crash while fixing the others, so the results Spybot got were unfixable, and so I've got a few malware items instead of just Vundo. (As if Vundo wasn't bad enough...)

Now I'm quite aware of what can happen to the computer if it's unsecure, so I've got a few running programs (Though I intend to strengthen the security after this) so not -everything- can get in.

So far, the only fix for Vundo I've tried is VundoFix, but there's one particular .dll that I cannot remove at all, not with VundoFix or without it, seemingly.
It finds an approximate number of 4-5 infected files and manages to remove all of them except one, and thus requests a reboot. When I scan after the reboot, it finds additional files, but that same .dll cannot be removed. So my guess would be that the infection keeps coming back, somehow.
Mind you, I'm not particularly good with removing the malware, which figures, otherwise I wouldn't be here.

I've read the rules, what to do before posting the log, and as a precaution renamed HiJackThis, as some malware can detect it running and hide themselves.
Oh, and I blocked IE from accessing the 'net, as I prefer Firefox. (Which causes Vundo to open blank IE windows. Annoying, but ironic.)

So without further ado, the log.
--------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47:22, on 2008-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\Omigawd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0974F534-5B66-4EA8-8A9F-999B989555FB} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5897E361-CE56-4F46-BE57-9E6B26276970} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {740F4EC5-C8E6-4764-9837-43227117EC79} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {C4BC0823-F3FC-433D-B59E-D178A94B66A5} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {DBD27AC4-C042-4DC7-AE00-FFD2A441769A} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\mljjhef.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4771941812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4780757500
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C53EB5-9051-4EB1-9EB2-C270F1C27C19}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{960F8B99-EFC3-4587-B701-A0169E17B761}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FE76D5-B2DD-4E3E-AA24-119EFFFA4EBD}: NameServer = 192.168.0.1
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LVCOMSer - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Läsartjänsten USN Journal för mappdelning i Messenger (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 10288 bytes
----------------------------

Looking forward to any kind of help I might get.
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm
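As an added example (not code from this thread, and not part of HijackThis, VundoFix or any other tool named here), the script below parses the HijackThis O2/O20/O22 lines from the log above and separates two things the log mixes together: orphaned registrations whose file is already gone, and registrations whose DLL is still on disk and therefore still loads into Internet Explorer. The sample lines are copied from the log in this post; the "random-looking name under system32" heuristic and the verdict labels are my own assumptions, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0974F534-5B66-4EA8-8A9F-999B989555FB} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {740F4EC5-C8E6-4764-9837-43227117EC79} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\mljjhef.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
# Only the sections that register a DLL to be loaded by another process.
PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")),
    ("O22", re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - " + CLSID + r" - (?P<target>.*)$")),
)


@dataclass
class Entry:
    section: str
    name: str
    clsid: str
    path: str      # empty when the line carries no path at all
    missing: bool  # HijackThis reported "(no file)" or "(file missing)"


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]
    verdict: str   # "orphan", "live-loader" or "review" (my own labels)


def split_target(target: str) -> Tuple[str, bool]:
    """Separate the path from HijackThis's missing-file annotations."""
    target = target.strip()
    if target == "(no file)":
        return "", True
    if target.endswith("(file missing)"):
        return target[: -len("(file missing)")].strip(), True
    return target, False


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for O2/O20/O22 lines, None for everything else."""
    for section, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            path, missing = split_target(m.group("target"))
            return Entry(section, m.group("name"), m.groupdict().get("clsid") or "", path, missing)
    return None


def is_random_sys32_dll(path: str) -> bool:
    """Heuristic (assumption): a short all-lowercase DLL name directly under system32."""
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 2:
        return False
    directory = "\\".join(parts[:-1]).lower()
    return directory.endswith("\\system32") and re.fullmatch(r"[a-z]{5,8}\.dll", parts[-1]) is not None


def assess(entry: Entry) -> List[str]:
    reasons = []
    if entry.name == "(no name)":
        reasons.append("unnamed registration")
    if entry.missing:
        reasons.append("orphan: registered file no longer exists")
    if entry.path and is_random_sys32_dll(entry.path):
        reasons.append("random-looking DLL name under system32")
    return reasons


def analyze(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if not reasons:
            continue
        if entry.missing:
            verdict = "orphan"          # a registry leftover; nothing loads from it
        elif is_random_sys32_dll(entry.path):
            verdict = "live-loader"     # the DLL is still present and still gets loaded
        else:
            verdict = "review"
        findings.append(Finding(entry, reasons, verdict))
    return findings


def live_loaders(findings: List[Finding]) -> List[str]:
    """Paths of DLLs that are both suspicious and still on disk."""
    return [f.entry.path for f in findings if f.verdict == "live-loader"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.verdict:12} {f.entry.section:4} {f.entry.path or f.entry.name}: {'; '.join(f.reasons)}")
```

Run against the posted log this separates the "(file missing)" leftovers, which a cleanup tool can simply delete from the registry, from the two system32 DLLs that carry no "(file missing)" suffix and are therefore still being loaded by Internet Explorer at run time. That distinction is what an analyst looks at first when a user reports that one DLL survives every removal attempt.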

Re: Seems I've got Vundo and a couple of other malware items.

Post by Simon V. » January 15th, 2008, 1:35 pm

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleanup is complete, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.

Step 2

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofi ... e-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt).
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Seems I've got Vundo and a couple of other malware items.

Post by asaguda » January 16th, 2008, 1:19 pm

Okay, just a note. I seem to have gotten rid of Vundo, which is kinda ironic HOW it happened.
A trojan sneaked its way into the undeleteable .dll, and AVG AntiVirus quarantined it, following my deletion of it. Then, after a VundoFix run, it was gone.
Even though I got it off of my computer for good, I kept getting random IE popups VERY often as soon as I opened Firefox. This was remedied by ComboFix for a moment, but now I'm getting those again.

And an explanation to why my registry looks like a mess made by a bomb, and then as if someone tried cleaning it up with another bomb;
I had a game that refused to install on my machine, so I installed it on my little brother's machine instead, and copied over the files. I also made a registry key of his whole registry, which was kinda a mistake. Now my comp thinks I have stuff I don't have, like the HP Bluetooth thingy.

Here are the logs you requested, beginning with the ComboFix one;

ComboFix 08-01-16.4 - MD 2008-01-16 15:47:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.450 [GMT 1:00]
Running from: C:\Documents and Settings\MD\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-16 15:57 . 2008-01-16 15:57 <DIR> d-------- C:\TEMP\tn3
2008-01-16 15:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 03:01 . 2008-01-15 03:05 <DIR> d-------- C:\Program Files\Dofus
2008-01-14 02:40 . 2008-01-14 02:41 <DIR> d-------- C:\Documents and Settings\MD\Application Data\My Battle for Middle-earth Files
2008-01-14 02:39 . 2008-01-14 02:39 152,194 --a------ C:\WINDOWS\Elvenstar Mod V.5.0 English Uninstaller.exe
2008-01-13 22:23 . 2008-01-14 01:12 <DIR> d-------- C:\Program Files\EA GAMES
2008-01-13 01:36 . 2007-03-08 16:12 <DIR> d-------- C:\Program Files\Halo Custom Edition
2008-01-12 23:46 . 2008-01-16 15:58 2,150,432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:46 . 2008-01-16 15:54 26,228 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:43 . 2008-01-12 23:43 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-12 23:41 . 2008-01-12 23:43 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-12 23:40 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-12 23:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-12 22:59 . 2008-01-16 15:37 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-12 22:58 . 2008-01-12 23:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 21:08 . 2008-01-12 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 01:11 . 2008-01-15 20:56 <DIR> d-------- C:\VundoFix Backups
2008-01-11 15:45 . 2008-01-11 15:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-11 07:38 . 2008-01-11 07:38 86,144 --a------ C:\WINDOWS\system32\drivers\sdbuss.sys
2008-01-11 07:38 . 2008-01-16 15:56 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-11 04:37 . 2008-01-16 09:00 <DIR> d-------- C:\Documents and Settings\MD\Application Data\AVG7
2008-01-11 04:37 . 2008-01-11 04:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-11 04:29 . 2008-01-11 04:29 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Grisoft
2008-01-11 04:29 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 04:28 . 2008-01-11 04:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 04:13 . 2008-01-11 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-10 23:04 . 2008-01-10 23:04 <DIR> d-------- C:\Program Files\forst
2008-01-10 22:04 . 2008-01-11 17:32 <DIR> d-------- C:\Documents and Settings\MD\.netpanzer
2008-01-10 22:03 . 2008-01-11 17:48 <DIR> d-------- C:\Program Files\NetPanzer
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\WINDOWS\Re-Volt Track Manager
2008-01-06 15:45 . 2008-01-06 15:45 <DIR> d-------- C:\CircuitsCustoms
2008-01-06 15:45 . 2008-01-06 15:45 286,720 --a------ C:\WINDOWS\iun507.exe
2008-01-06 15:40 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Acclaim Entertainment
2008-01-06 00:07 . 2008-01-07 00:36 <DIR> d-------- C:\Program Files\RV House
2008-01-06 00:07 . 2006-08-03 11:39 54,694 --a------ C:\WINDOWS\system32\pthreadGC.dll
2008-01-01 09:52 . 2008-01-01 09:52 <DIR> d-------- C:\Program Files\JitBit
2007-12-29 22:53 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Leadertech
2007-12-29 22:49 . 2008-01-11 00:32 <DIR> d-------- C:\WINDOWS\system32\dla
2007-12-29 22:49 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Sonic
2007-12-29 22:49 . 2008-01-16 11:06 467 --a------ C:\WINDOWS\wininit.ini
2007-12-29 21:19 . 2007-12-29 21:23 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 21:18 . 2007-12-29 21:18 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Nero
2007-12-29 01:33 . 2008-01-15 10:12 <DIR> d-------- C:\Program Files\Toribash-3.06

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 14:43 --------- d-----w C:\Program Files\Trillian
2008-01-16 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 07:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-16 07:14 --------- d-----w C:\Program Files\Steam
2008-01-16 06:17 --------- d-----w C:\Program Files\Furcadia
2008-01-15 21:58 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-01-13 16:23 2,991,616 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-13 16:23 1,426,944 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-13 16:17 --------- d-----w C:\Documents and Settings\MD\Application Data\uTorrent
2008-01-13 02:47 399,872 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-13 02:47 1,327,104 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-12 22:46 --------- d-----w C:\Program Files\F-Secure
2008-01-11 21:38 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-11 15:17 --------- d-----w C:\Program Files\Cheat Engine
2008-01-11 14:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-11 14:32 --------- d--h--w C:\Documents and Settings\MD\Application Data\ijjigame
2008-01-05 12:44 --------- d-----w C:\Program Files\Guild Wars
2007-12-17 04:29 --------- d-----w C:\Documents and Settings\MD\Application Data\X-Chat 2
2007-12-14 11:01 --------- d-----w C:\Documents and Settings\MD\Application Data\dvdcss
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\MD\Application Data\CyberLink
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-14 10:56 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-14 10:56 353,840 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-13 21:46 --------- d-----w C:\Program Files\Heroes of Might and Magic III Complete
2007-12-13 13:17 0 ----a-r C:\logwmemory.bin
2007-12-13 13:17 --------- d-----w C:\Documents and Settings\MD\Application Data\Soldat
2007-12-13 02:31 --------- d-----w C:\Program Files\xchat
2007-12-13 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 00:09 --------- d-----w C:\Program Files\Lavasoft
2007-12-03 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 19:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 13:01 --------- d-----w C:\Program Files\CCleaner
2007-12-02 19:09 --------- d-----w C:\Program Files\Pocket Tanks Deluxe
2007-12-01 14:39 --------- d-----w C:\Program Files\Windows Live
2007-12-01 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-01 08:55 --------- d-----w C:\Documents and Settings\MD\Application Data\DivX
2007-12-01 08:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-01 08:29 --------- d-----w C:\Documents and Settings\MD\Application Data\SystemRequirementsLab
2007-11-29 18:14 --------- d-----w C:\Program Files\Text to Speech Maker
2007-11-29 17:53 --------- d-----w C:\Program Files\NCT
2007-11-29 11:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-11-29 04:48 --------- d-----w C:\Documents and Settings\MD\Application Data\vlc
2007-11-29 03:36 --------- d-----w C:\Program Files\VideoLAN
2007-11-29 03:25 --------- d-----w C:\Program Files\Codec
2007-11-28 17:39 --------- d-----w C:\Program Files\uTorrent
2007-11-27 17:41 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-25 03:50 --------- d-----w C:\Program Files\Teamspeak2_RC2S
2007-11-23 00:58 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-23 00:48 --------- d-----w C:\Program Files\THQ
2007-11-22 22:55 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-11-22 22:55 --------- d-----w C:\Documents and Settings\MD\Application Data\teamspeak2
2007-11-19 08:28 --------- d-----w C:\Program Files\Winamp
2007-11-18 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-18 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-06 07:37 227,592 ----a-w C:\WINDOWS\system32\PDBoot.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974F534-5B66-4EA8-8A9F-999B989555FB}]
C:\WINDOWS\system32\geeda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8153AD-A748-4645-A2B4-90C9C89A4147}]
C:\WINDOWS\system32\mlljj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5897E361-CE56-4F46-BE57-9E6B26276970}]
C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BC0823-F3FC-433D-B59E-D178A94B66A5}]
C:\WINDOWS\system32\awtsr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBD27AC4-C042-4DC7-AE00-FFD2A441769A}]
C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-12 23:43 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
C:\WINDOWS\system32\mljjhef.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-12 23:43 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"Sonic RecordNow! Deluxe"="" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 14:19 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-11 04:40 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 14:23 114688]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 14:22 94208]
"Cmaudio"="cmicnfg.cpl" []
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-11 04:36 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"= C:\WINDOWS\system32\mljjhef.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winetn32]
winetn32.dll

R1 sdbuss;sdbuss;C:\WINDOWS\system32\drivers\sdbuss.sys [2008-01-11 07:38]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl []
S3 AF15BDA;AF9015 BDA Filter;C:\WINDOWS\system32\Drivers\AF15BDA.sys []
S3 Revolution1;Revolution1;C:\Documents and Settings\MD\Desktop\gb\SHAK3.sys []
S3 XDva020;XDva020;C:\WINDOWS\system32\XDva020.sys []
S3 XDva025;XDva025;C:\WINDOWS\system32\XDva025.sys []
S3 XDva039;XDva039;C:\WINDOWS\system32\XDva039.sys []
S3 XDva041;XDva041;C:\WINDOWS\system32\XDva041.sys []
S3 XDva045;XDva045;C:\WINDOWS\system32\XDva045.sys []
S3 XDva049;XDva049;C:\WINDOWS\system32\XDva049.sys []
S3 XDva054;XDva054;C:\WINDOWS\system32\XDva054.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd7cbc-9ca3-11dc-8658-000d88f3e1f9}]
\Shell\AutoRun\command - E:\Autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 15:58:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 16:02:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-16 15:02:20
.
2008-01-16 07:48:38 --- E O F ---
---------------------------
Following is the CCleaner install log;

µTorrent
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0
Adobe Shockwave Player
AiO_Scan
AMIP (remove only)
AutoUpdate
AVG 7.5
AVG Anti-Spyware 7.5
Bluetooth by hp
CCleaner (remove only)
C-Media WDM Audio Driver
Conexant AC-Link Audio
Counter-Strike
DivX Codec
Dofus 1.21.0
DogProxy II
Elvenstar Mod V.5.0 English
Furcadia
Google Toolbar for Internet Explorer
Guild Wars
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics 2 Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Development Kit 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Jitbit Macro Recorder
Logitech QuickCam
MapSource - European MetroGuide Version 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Swedish Language Pack
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nano Pack v1.0 for Pocket Tanks Deluxe
neroxml
Netpanzer 0.8.2
Norton Security Scan
NVIDIA Drivers
OpenOffice.org 2.3
PerfectDisk
Pinnacle MediaCenter
Pocket Tanks Deluxe
QFolder
Quick Launch Buttons 5.00 C2
REALTEK Gigabit and Fast Ethernet NIC Driver
Re-Volt Track Manager 1.5.6
RV House 0.91.0
RVTT Ladder Editor 1.0.0
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Spybot - Search & Destroy
SpywareBlaster v3.5.1
Steam
System Requirements Lab
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
Text to Speech Maker version 1.6.0
TextPad 5
The Battle for Middle-earth (tm)
TIxx21/x515
Toribash 3.06
TrackMania Nations ESWC 1.7.9
Trillian
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VCRedistSetup
WebFldrs XP
VideoLAN VLC media player 0.8.6c
Winamp
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live inloggningsassistenten
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm
ZoneAlarm Spy Blocker
------------------------------
And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:19, on 2008-01-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\Omigawd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0974F534-5B66-4EA8-8A9F-999B989555FB} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: (no name) - {0D8153AD-A748-4645-A2B4-90C9C89A4147} - C:\WINDOWS\system32\mlljj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5897E361-CE56-4F46-BE57-9E6B26276970} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {C4BC0823-F3FC-433D-B59E-D178A94B66A5} - C:\WINDOWS\system32\awtsr.dll (file missing)
O2 - BHO: (no name) - {DBD27AC4-C042-4DC7-AE00-FFD2A441769A} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\mljjhef.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4771941812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4780757500
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C53EB5-9051-4EB1-9EB2-C270F1C27C19}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{960F8B99-EFC3-4587-B701-A0169E17B761}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FE76D5-B2DD-4E3E-AA24-119EFFFA4EBD}: NameServer = 192.168.0.1
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LVCOMSer - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Läsartjänsten USN Journal för mappdelning i Messenger (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 9644 bytes
------------------------------

Thankful for any help I might get, as the IE popups are getting MIGHTILY annoying.
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby Simon V. » January 16th, 2008, 1:47 pm

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

µTorrent

Also remove the following programs:

Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Development Kit 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1


Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 1

Please go to VirusTotal or Jotti and upload C:\WINDOWS\system32\drivers\sdbuss.sys for scanning.

For VirusTotal:

  • Please copy and paste C:\WINDOWS\system32\drivers\sdbuss.sys in the text box next to the Browse... button.
  • Click on Send File.

For Jotti:

  • Please copy and paste C:\WINDOWS\system32\drivers\sdbuss.sys in the text box next to the Browse... button.
  • Click on Submit.

Copy/paste the results in Notepad and save them to your desktop.

Step 2

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

Code:
File::

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp

Folder::

C:\TEMP\tn3
C:\VundoFix Backups

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0974F534-5B66-4EA8-8A9F-999B989555FB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8153AD-A748-4645-A2B4-90C9C89A4147}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5897E361-CE56-4F46-BE57-9E6B26276970}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4BC0823-F3FC-433D-B59E-D178A94B66A5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBD27AC4-C042-4DC7-AE00-FFD2A441769A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow! Deluxe"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FC1B64D9-3499-4791-82D5-AABAC3FAEA45}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winetn32]

Driver::

XDva020
XDva025
XDva039
XDva041
XDva045
XDva049
XDva054


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 3

Close all programs before continuing, and try not to run anything during the scan.

Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be prompted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.

Step 4

In your next reply, please post:

  • the Virustotal/Jotti results
  • the Combofix log (C:\Combofix.txt)
  • the Kaspersky Online Scan report
  • a new HijackThis log
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
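
Simon's CFScript above is built by hand from the HijackThis log in the first post: each unnamed O2 BHO whose DLL has vanished from system32 becomes a [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}] deletion, and the missing Winlogon Notify DLL becomes a deletion of its notify key. As an added example (not a tool from this thread, nor from the HijackThis or ComboFix authors), the Python script below mechanises that triage over a few lines copied from the log above and prints the matching Registry:: block. The triage rules (unnamed plus missing plus a system32 path means remove; any other missing hook means review by hand), the decision to look only at O2, O20 and O22 lines, and the function names are my assumptions, not the thread's.

```python
"""Triage a HijackThis 2.0.2 log for orphaned browser/logon hooks and emit the
matching ComboFix CFScript Registry:: lines.

Added example, not a tool from the thread.  Assumptions: only O2, O20 and O22
lines are examined, and the Registry:: key abbreviations (the '~' shorthand)
follow the CFScript posted in this thread.
"""
import re

# Sample input: six lines copied from the HijackThis log in the first post,
# chosen to cover a Vundo-style orphan, two legitimate BHOs, a stale CLSID
# with no file at all, the missing Winlogon Notify DLL and the O22 item.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0974F534-5B66-4EA8-8A9F-999B989555FB} - C:\\WINDOWS\\system32\\geeda.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
"""

SYSTEM32 = "c:\\windows\\system32\\"
MISSING_MARKERS = ("(file missing)", "(no file)")

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RE_O22 = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")


def parse_hjt(text):
    """Return one dict per O2/O20/O22 line; every other section is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", RE_O2), ("O20", RE_O20), ("O22", RE_O22)):
            m = rx.match(line)
            if m:
                entry = {"kind": kind, "raw": line}
                entry.update(m.groupdict())
                # HijackThis appends these markers when the referenced file is gone.
                entry["missing"] = entry["path"].endswith(MISSING_MARKERS)
                entries.append(entry)
                break
    return entries


def triage(entries):
    """Split entries into 'remove', 'review' and 'ok'.

    remove: an unnamed BHO whose DLL should live in system32 but is gone (the
            pattern of the Vundo BHOs in this thread), or a Winlogon Notify
            DLL that no longer exists (it would run inside winlogon.exe).
    review: any other hook with no backing file; a stale CLSID is as often an
            uninstaller's leftover as malware, so a human decides.
    """
    result = {"remove": [], "review": [], "ok": []}
    for e in entries:
        if not e["missing"]:
            result["ok"].append(e)
        elif e["kind"] == "O20":
            result["remove"].append(e)
        elif e.get("name") == "(no name)" and e["path"].lower().startswith(SYSTEM32):
            result["remove"].append(e)
        else:
            result["review"].append(e)
    return result


def build_cfscript(tri):
    """Render the Registry:: block in the form used by the CFScript above."""
    lines = ["Registry::", ""]
    for e in tri["remove"]:
        if e["kind"] == "O2":
            lines.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]")
        elif e["kind"] == "O20":
            lines.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                         "\\currentversion\\winlogon\\notify\\" + e["key"] + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    tri = triage(parse_hjt(SAMPLE_LOG))
    for e in tri["review"]:
        print("REVIEW:", e["raw"])
    print(build_cfscript(tri))
```

Run it and paste the printed block under Registry:: in the CFScript; the lines it produces for the sample are exactly the geeda.dll BHO deletion and the winetn32 notify-key deletion from Simon's script. Entries printed as REVIEW (the "(no file)" BHO and the O22 SharedTaskScheduler item) are deliberately left to a person, which is also what the posted script does with them.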

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby asaguda » January 17th, 2008, 9:14 pm

Ah, but I use torrenting to get CD and DVD images of programs and games I already have. I am aware that the keygens provided with some software are malicious, and so I only download what I already have to make a personal backup, should the CD or DVD not work. It also happens that I download music directly from a 'Direct-to-Drive' site, which means you buy the music and then download it directly. My option of choice is via the Torrent protocol.

Lately I haven't used uTorrent though, and decided to uninstall it for the time being.

OBSERVE: VirusTotal and Jotti both complained that I had a firewall blocking me from uploading items. It also happens with uploading avatars to forums or the like. Tried turning ZoneAlarm off and double-checked that the Windows Firewall was off, to no avail. So you'll, sadly, get no Jotti/VirusTotal result. :(
I do however have the other three logs you requested;

The ComboFix log;
ComboFix 08-01-16.4 - MD 2008-01-17 7:48:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.441 [GMT 1:00]
Running from: C:\Documents and Settings\MD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MD\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\WINDOWS\system32\drivers\core.cache.dsk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\WINDOWS\Internet Logs\xDB1.tmp
C:\WINDOWS\Internet Logs\xDB2.tmp
C:\WINDOWS\Internet Logs\xDB3.tmp
C:\WINDOWS\Internet Logs\xDB4.tmp
C:\VundoFix Backups
C:\VundoFix Backups\adeeg.ini.bad
C:\VundoFix Backups\adeeg.ini2.bad
C:\VundoFix Backups\awtqp.dll.bad
C:\VundoFix Backups\awtsr.dll.bad
C:\VundoFix Backups\fgjlm.ini.bad
C:\VundoFix Backups\fgjlm.ini2.bad
C:\VundoFix Backups\geeda.dll.bad
C:\VundoFix Backups\jjllm.ini.bad
C:\VundoFix Backups\jjllm.ini2.bad
C:\VundoFix Backups\mljgf.dll.bad
C:\VundoFix Backups\mlljj.dll.bad
C:\VundoFix Backups\pqtwa.ini.bad
C:\VundoFix Backups\pqtwa.ini2.bad
C:\VundoFix Backups\rstwa.ini.bad
C:\VundoFix Backups\rstwa.ini2.bad
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_XDVA039
-------\LEGACY_XDVA041
-------\LEGACY_XDVA045
-------\LEGACY_XDVA049
-------\LEGACY_XDVA054
-------\XDva020
-------\XDva025
-------\XDva039
-------\XDva041
-------\XDva045
-------\XDva049
-------\XDva054


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 07:58 . 2008-01-17 07:58 <DIR> d-------- C:\TEMP\tn3
2008-01-16 15:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 03:01 . 2008-01-15 03:05 <DIR> d-------- C:\Program Files\Dofus
2008-01-14 02:40 . 2008-01-14 02:41 <DIR> d-------- C:\Documents and Settings\MD\Application Data\My Battle for Middle-earth Files
2008-01-14 02:39 . 2008-01-14 02:39 152,194 --a------ C:\WINDOWS\Elvenstar Mod V.5.0 English Uninstaller.exe
2008-01-13 22:23 . 2008-01-14 01:12 <DIR> d-------- C:\Program Files\EA GAMES
2008-01-13 01:36 . 2007-03-08 16:12 <DIR> d-------- C:\Program Files\Halo Custom Edition
2008-01-12 23:46 . 2008-01-17 07:59 2,232,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:46 . 2008-01-17 07:55 27,212 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:43 . 2008-01-12 23:43 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-12 23:41 . 2008-01-12 23:43 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-12 23:40 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-12 23:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-12 22:59 . 2008-01-17 07:53 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-12 22:58 . 2008-01-12 23:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 21:08 . 2008-01-12 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 15:45 . 2008-01-11 15:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-11 07:38 . 2008-01-11 07:38 86,144 --a------ C:\WINDOWS\system32\drivers\sdbuss.sys
2008-01-11 07:38 . 2008-01-17 07:56 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-11 04:37 . 2008-01-16 09:00 <DIR> d-------- C:\Documents and Settings\MD\Application Data\AVG7
2008-01-11 04:37 . 2008-01-11 04:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-11 04:29 . 2008-01-11 04:29 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Grisoft
2008-01-11 04:29 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 04:28 . 2008-01-11 04:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 04:13 . 2008-01-11 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-10 23:04 . 2008-01-10 23:04 <DIR> d-------- C:\Program Files\forst
2008-01-10 22:04 . 2008-01-11 17:32 <DIR> d-------- C:\Documents and Settings\MD\.netpanzer
2008-01-10 22:03 . 2008-01-11 17:48 <DIR> d-------- C:\Program Files\NetPanzer
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\WINDOWS\Re-Volt Track Manager
2008-01-06 15:45 . 2008-01-06 15:45 <DIR> d-------- C:\CircuitsCustoms
2008-01-06 15:45 . 2008-01-06 15:45 286,720 --a------ C:\WINDOWS\iun507.exe
2008-01-06 15:40 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Acclaim Entertainment
2008-01-06 00:07 . 2008-01-07 00:36 <DIR> d-------- C:\Program Files\RV House
2008-01-06 00:07 . 2006-08-03 11:39 54,694 --a------ C:\WINDOWS\system32\pthreadGC.dll
2008-01-01 09:52 . 2008-01-01 09:52 <DIR> d-------- C:\Program Files\JitBit
2007-12-29 22:53 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Leadertech
2007-12-29 22:49 . 2008-01-11 00:32 <DIR> d-------- C:\WINDOWS\system32\dla
2007-12-29 22:49 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Sonic
2007-12-29 22:49 . 2008-01-16 11:06 467 --a------ C:\WINDOWS\wininit.ini
2007-12-29 21:19 . 2007-12-29 21:23 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 21:18 . 2007-12-29 21:18 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Nero
2007-12-29 01:33 . 2008-01-15 10:12 <DIR> d-------- C:\Program Files\Toribash-3.06

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 06:45 --------- d-----w C:\Program Files\Trillian
2008-01-17 06:44 --------- d-----w C:\Program Files\Java
2008-01-17 06:21 --------- d-----w C:\Program Files\Furcadia
2008-01-17 05:27 --------- d-----w C:\Program Files\Steam
2008-01-16 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 07:56 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-15 21:58 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-01-13 16:17 --------- d-----w C:\Documents and Settings\MD\Application Data\uTorrent
2008-01-12 22:46 --------- d-----w C:\Program Files\F-Secure
2008-01-11 21:38 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-11 15:17 --------- d-----w C:\Program Files\Cheat Engine
2008-01-11 14:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-11 14:32 --------- d--h--w C:\Documents and Settings\MD\Application Data\ijjigame
2008-01-05 12:44 --------- d-----w C:\Program Files\Guild Wars
2007-12-17 04:29 --------- d-----w C:\Documents and Settings\MD\Application Data\X-Chat 2
2007-12-14 11:01 --------- d-----w C:\Documents and Settings\MD\Application Data\dvdcss
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\MD\Application Data\CyberLink
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-14 10:56 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-14 10:56 353,840 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-13 21:46 --------- d-----w C:\Program Files\Heroes of Might and Magic III Complete
2007-12-13 13:17 0 ----a-r C:\logwmemory.bin
2007-12-13 13:17 --------- d-----w C:\Documents and Settings\MD\Application Data\Soldat
2007-12-13 02:31 --------- d-----w C:\Program Files\xchat
2007-12-13 02:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 00:09 --------- d-----w C:\Program Files\Lavasoft
2007-12-03 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 19:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 13:01 --------- d-----w C:\Program Files\CCleaner
2007-12-02 19:09 --------- d-----w C:\Program Files\Pocket Tanks Deluxe
2007-12-01 14:39 --------- d-----w C:\Program Files\Windows Live
2007-12-01 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-01 08:55 --------- d-----w C:\Documents and Settings\MD\Application Data\DivX
2007-12-01 08:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-01 08:29 --------- d-----w C:\Documents and Settings\MD\Application Data\SystemRequirementsLab
2007-11-29 18:14 --------- d-----w C:\Program Files\Text to Speech Maker
2007-11-29 17:53 --------- d-----w C:\Program Files\NCT
2007-11-29 11:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-11-29 04:48 --------- d-----w C:\Documents and Settings\MD\Application Data\vlc
2007-11-29 03:36 --------- d-----w C:\Program Files\VideoLAN
2007-11-29 03:25 --------- d-----w C:\Program Files\Codec
2007-11-27 17:41 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-25 03:50 --------- d-----w C:\Program Files\Teamspeak2_RC2S
2007-11-23 00:58 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-23 00:48 --------- d-----w C:\Program Files\THQ
2007-11-22 22:55 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-11-22 22:55 --------- d-----w C:\Documents and Settings\MD\Application Data\teamspeak2
2007-11-19 08:28 --------- d-----w C:\Program Files\Winamp
2007-11-18 19:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-18 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-06 07:37 227,592 ----a-w C:\WINDOWS\system32\PDBoot.exe
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-12 23:43 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-12 23:43 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 14:19 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-11 04:40 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 14:23 114688]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 14:22 94208]
"Cmaudio"="cmicnfg.cpl" []
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-11 04:36 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

R1 sdbuss;sdbuss;C:\WINDOWS\system32\drivers\sdbuss.sys [2008-01-11 07:38]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl []
S3 AF15BDA;AF9015 BDA Filter;C:\WINDOWS\system32\Drivers\AF15BDA.sys []
S3 Revolution1;Revolution1;C:\Documents and Settings\MD\Desktop\gb\SHAK3.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd7cbc-9ca3-11dc-8658-000d88f3e1f9}]
\Shell\AutoRun\command - E:\Autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 07:58:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 8:03:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 07:03:09
ComboFix2.txt 2008-01-16 15:02:34
.
2008-01-16 17:00:43 --- E O F ---
----------------------------

And the Kaspersky scan log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 18, 2008 1:59:57 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 515845
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 69642
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 2
Duration of the scan process: 01:34:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip/iexplorer.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\cert8.db Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\history.dat Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\key3.db Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\parent.lock Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\search.sqlite Object is locked skipped
C:\Documents and Settings\MD\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\MD\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Application Data\Mozilla\Firefox\Profiles\ry96reod.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\MD\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MD\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\MD\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\MD\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{229B4E02-33B3-4E35-A78D-6DDB32E8FE33}\RP220\A0066651.exe Object is locked skipped
C:\System Volume Information\_restore{229B4E02-33B3-4E35-A78D-6DDB32E8FE33}\RP221\A0067640.dll Object is locked skipped
C:\System Volume Information\_restore{229B4E02-33B3-4E35-A78D-6DDB32E8FE33}\RP228\A0071173.dll Object is locked skipped
C:\System Volume Information\_restore{229B4E02-33B3-4E35-A78D-6DDB32E8FE33}\RP238\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\WHATISMYNAME.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BBC025DD-B473-41F3-984D-E6CF32567EA6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sdbuss.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
---------------------------------

And the HijackThis (better known as Omigawd to me. :p) log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:03:35, on 2008-01-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Omigawd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4771941812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4780757500
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C53EB5-9051-4EB1-9EB2-C270F1C27C19}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{960F8B99-EFC3-4587-B701-A0169E17B761}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FE76D5-B2DD-4E3E-AA24-119EFFFA4EBD}: NameServer = 192.168.0.1
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LVCOMSer - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Läsartjänsten USN Journal för mappdelning i Messenger (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 9070 bytes
----------------------

Looking forward to the next reply.
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby Simon V. » January 18th, 2008, 2:49 am

Hi :)

Please download Suspicious File Packer and save it to your desktop.

  • Right-click on sfp.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on sfp.exe to run it.
  • Copy and paste the following file into Suspicious File Packer.

    C:\WINDOWS\system32\drivers\sdbuss.sys

  • Click Continue.
  • It will start packing. Once done, visit http://www.bleepingcomputer.com/submit-malware.php.
  • In the Link to topic where this file was requested: type:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=26893

  • Click on Browse... and navigate to your desktop. There's a file named requested-files[date].cab. Select this file and click Open.
  • Click Send File.

Let me know when that's done.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby asaguda » January 19th, 2008, 8:26 pm

All done. Awaiting further instructions, Sir.
Kidding, but still. :p
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby Simon V. » January 20th, 2008, 7:24 am

Hi :)

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\drivers\sdbuss.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip

Folder::

C:\TEMP\tn3

Driver::

sdbuss
Revolution1


Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Open HijackThis, perform a scan and put a check next to the following items (if present):

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)


Close all programs except HijackThis and click on Fix checked.

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • a new HijackThis log
  • a description of how your computer is currently running
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
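The selection rule behind Step 2 above (every O2, O3 and O22 entry whose target is "(no file)") can be applied mechanically to a HijackThis log. The script below is an added illustration for this thread, not part of HijackThis, ComboFix or the forum's tools; the sample lines are copied from the log posted earlier, and the O23 "(file missing)" services are only listed for review because in this thread they belonged to uninstalled legitimate software and were left alone.

```python
"""Triage HijackThis log lines the way Step 2 above does.

Added example for this thread; it is not part of HijackThis, ComboFix or any
MalwareRemoval.com tool. An O2/O3/O22 line ending in "(no file)" is a CLSID
that is still registered as a browser/shell load point although the DLL behind
it is gone. O23 services reported "(file missing)" are reported separately and
are NOT auto-selected: here they were leftovers of uninstalled software.
"""
import re

# Sections whose "(no file)" entries Step 2 told the user to fix.
ORPHAN_SECTIONS = {"O2", "O3", "O22"}

# "<section> - <kind>: <name> - {CLSID} - <target>"  (O2, O3, O9, O22 lines)
_CLSID_LINE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
_SERVICE_LINE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_clsid_entry(line):
    """Parse an O2/O3/O9/O22-style line; return a dict, or None for other kinds."""
    m = _CLSID_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["clsid"] = entry["clsid"].upper()  # HJT prints CLSIDs in mixed case
    entry["orphan"] = entry["target"].strip() == "(no file)"
    return entry


def orphaned_entries(log_lines):
    """O2/O3/O22 entries whose target is '(no file)', in log order."""
    found = []
    for line in log_lines:
        entry = parse_clsid_entry(line)
        if entry and entry["section"] in ORPHAN_SECTIONS and entry["orphan"]:
            found.append(entry)
    return found


def missing_service_binaries(log_lines):
    """O23 services whose executable HijackThis reports as '(file missing)'."""
    found = []
    for line in log_lines:
        m = _SERVICE_LINE.match(line.strip())
        if m and m.group("missing"):
            found.append({k: m.group(k) for k in ("name", "owner", "path")})
    return found


def triage(log_lines):
    """'fix' = entries matching the Step 2 rule; 'review' = services to look at."""
    return {
        "fix": orphaned_entries(log_lines),
        "review": missing_service_binaries(log_lines),
    }


# Constructed sample: lines copied from the HijackThis log posted earlier in
# the thread, plus an O4 Run entry to show that unrelated lines are ignored.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - (no file)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Entries to fix in HijackThis (Step 2 rule):")
    for e in result["fix"]:
        print(f"  {e['section']:<4} {e['kind']:<20} {{{e['clsid']}}}  {e['name']}")
    print("Services with missing binaries (review, do not fix blindly):")
    for s in result["review"]:
        print(f"  {s['name']}  ->  {s['path']}")
```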

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby asaguda » January 20th, 2008, 2:11 pm

First the logs, last the description. :)

ComboFix:
ComboFix 08-01-16.4 - MD 2008-01-20 18:45:28.2 - NTFSx86
Running from: C:\Documents and Settings\MD\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MD\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip
C:\temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sdbuss.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_REVOLUTION1
-------\LEGACY_SDBUSS
-------\Revolution1
-------\sdbuss


((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 11:46 . 2008-01-20 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-01-20 11:45 . 2008-01-20 11:46 <DIR> d-------- C:\Program Files\Common Files\HP
2008-01-20 11:40 . 2008-01-20 11:40 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-01-20 11:38 . 2005-03-08 05:43 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-01-20 11:37 . 2005-03-08 05:43 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-01-20 11:36 . 2005-03-08 05:43 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-01-20 11:36 . 2004-08-04 06:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-01-20 11:36 . 2004-08-04 06:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-01-20 11:31 . 2004-09-29 12:12 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-01-20 11:31 . 2004-09-29 12:15 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-01-20 11:31 . 2004-09-29 12:09 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-01-20 11:31 . 2004-09-29 12:14 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-01-20 11:31 . 2004-09-29 12:08 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-01-20 11:31 . 2004-09-29 12:09 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-01-20 11:28 . 2004-08-04 07:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-01-20 11:28 . 2004-08-04 07:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-20 11:28 . 2004-08-04 07:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-20 11:24 . 2008-01-20 12:03 <DIR> d-------- C:\Documents and Settings\MD\Application Data\HP
2008-01-20 01:28 . 2008-01-20 01:30 <DIR> d-------- C:\Program Files\Knights & Merchants The Peasants Rebellion
2008-01-19 11:29 . 2008-01-19 11:29 <DIR> d-------- C:\Program Files\Black Isle
2008-01-18 16:02 . 2008-01-18 16:02 280 --a------ C:\WINDOWS\system32\PDBootState
2008-01-18 06:35 . 2008-01-19 14:09 <DIR> d-------- C:\Program Files\MythWar_en
2008-01-18 02:38 . 2008-01-20 02:01 <DIR> d-------- C:\Program Files\uTorrent
2008-01-17 18:38 . 2008-01-17 18:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-17 18:38 . 2008-01-17 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-17 17:40 . 2008-01-17 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-01-17 17:32 . 2008-01-17 17:38 <DIR> d-------- C:\Program Files\Yahoo!
2008-01-16 15:44 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 23:46 . 2008-01-20 18:51 5,636,128 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-12 23:46 . 2008-01-20 12:35 66,356 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-12 23:43 . 2008-01-12 23:43 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-12 23:41 . 2008-01-12 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-12 23:41 . 2008-01-12 23:43 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-12 23:40 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-12 23:40 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-12 22:59 . 2008-01-20 18:34 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-12 22:58 . 2008-01-12 23:36 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-12 21:08 . 2008-01-12 21:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 15:45 . 2008-01-11 15:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-01-11 04:37 . 2008-01-20 01:31 <DIR> d-------- C:\Documents and Settings\MD\Application Data\AVG7
2008-01-11 04:37 . 2008-01-11 04:37 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-11 04:29 . 2008-01-11 04:29 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Grisoft
2008-01-11 04:29 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-11 04:28 . 2008-01-11 04:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-11 04:13 . 2008-01-11 18:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-10 23:04 . 2008-01-10 23:04 <DIR> d-------- C:\Program Files\forst
2008-01-10 22:04 . 2008-01-11 17:32 <DIR> d-------- C:\Documents and Settings\MD\.netpanzer
2008-01-06 15:46 . 2008-01-06 15:46 <DIR> d-------- C:\WINDOWS\Re-Volt Track Manager
2008-01-06 15:45 . 2008-01-06 15:45 <DIR> d-------- C:\CircuitsCustoms
2008-01-06 15:45 . 2008-01-06 15:45 286,720 --a------ C:\WINDOWS\iun507.exe
2008-01-06 15:40 . 2008-01-06 15:46 <DIR> d-------- C:\Program Files\Acclaim Entertainment
2008-01-06 00:07 . 2008-01-07 00:36 <DIR> d-------- C:\Program Files\RV House
2008-01-06 00:07 . 2006-08-03 11:39 54,694 --a------ C:\WINDOWS\system32\pthreadGC.dll
2007-12-29 22:53 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Leadertech
2007-12-29 22:49 . 2008-01-11 00:32 <DIR> d-------- C:\WINDOWS\system32\dla
2007-12-29 22:49 . 2007-12-29 22:53 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Sonic
2007-12-29 22:49 . 2008-01-16 11:06 467 --a------ C:\WINDOWS\wininit.ini
2007-12-29 21:19 . 2007-12-29 21:23 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 21:18 . 2007-12-29 21:18 <DIR> d-------- C:\Documents and Settings\MD\Application Data\Nero
2007-12-29 01:33 . 2008-01-15 10:12 <DIR> d-------- C:\Program Files\Toribash-3.06

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 17:32 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-01-20 15:58 --------- d-----w C:\Program Files\Heroes of Might and Magic III Complete
2008-01-20 11:54 --------- d-----w C:\Program Files\Steam
2008-01-20 10:47 --------- d-----w C:\Program Files\Furcadia
2008-01-20 06:22 --------- d-----w C:\Documents and Settings\MD\Application Data\uTorrent
2008-01-19 10:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 10:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-19 02:32 --------- d-----w C:\Program Files\Trillian
2008-01-17 06:44 --------- d-----w C:\Program Files\Java
2008-01-16 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 22:46 --------- d-----w C:\Program Files\F-Secure
2008-01-11 21:38 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-11 14:32 --------- d--h--w C:\Documents and Settings\MD\Application Data\ijjigame
2007-12-17 04:29 --------- d-----w C:\Documents and Settings\MD\Application Data\X-Chat 2
2007-12-14 11:01 --------- d-----w C:\Documents and Settings\MD\Application Data\dvdcss
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\MD\Application Data\CyberLink
2007-12-14 10:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-13 13:17 0 ----a-r C:\logwmemory.bin
2007-12-13 13:17 --------- d-----w C:\Documents and Settings\MD\Application Data\Soldat
2007-12-13 02:31 --------- d-----w C:\Program Files\xchat
2007-12-04 00:09 --------- d-----w C:\Program Files\Lavasoft
2007-12-03 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 19:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-03 13:01 --------- d-----w C:\Program Files\CCleaner
2007-12-01 14:39 --------- d-----w C:\Program Files\Windows Live
2007-12-01 09:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-01 08:55 --------- d-----w C:\Documents and Settings\MD\Application Data\DivX
2007-12-01 08:29 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-01 08:29 --------- d-----w C:\Documents and Settings\MD\Application Data\SystemRequirementsLab
2007-11-29 18:14 --------- d-----w C:\Program Files\Text to Speech Maker
2007-11-29 17:53 --------- d-----w C:\Program Files\NCT
2007-11-29 11:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-11-29 04:48 --------- d-----w C:\Documents and Settings\MD\Application Data\vlc
2007-11-29 03:36 --------- d-----w C:\Program Files\VideoLAN
2007-11-29 03:25 --------- d-----w C:\Program Files\Codec
2007-11-27 17:41 --------- d-----w C:\Program Files\Alcohol Soft
2007-11-25 03:50 --------- d-----w C:\Program Files\Teamspeak2_RC2S
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-23 00:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2007-11-23 00:48 --------- d-----w C:\Program Files\THQ
2007-11-22 22:55 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-11-22 22:55 --------- d-----w C:\Documents and Settings\MD\Application Data\teamspeak2
.

((((((((((((((((((((((((((((( snapshot@2008-01-17_ 8.01.53.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 06:46:56 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-20 17:44:20 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 06:46:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-20 17:44:20 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 06:46:57 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-20 17:44:20 6,193,152 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 06:46:57 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-20 17:44:20 180,224 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 06:46:58 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-20 17:44:21 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-17 06:46:58 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 17:44:21 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-20 10:42:52 4,286 ----a-r C:\WINDOWS\Installer\{EA103B64-C0E4-4C0E-A506-751590E1653D}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
+ 2003-03-18 18:05:50 89,088 ----a-w C:\WINDOWS\system32\atl71.dll
+ 2004-08-04 06:08:46 26,496 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2005-04-08 01:51:15 278,528 ----a-w C:\WINDOWS\system32\hpgwiamd.dll
+ 2004-06-11 12:27:32 118,784 ----a-r C:\WINDOWS\system32\HPODXPAT.DLL
+ 2005-04-08 01:51:07 606,208 ----a-w C:\WINDOWS\system32\hpotscl.dll
+ 2005-04-08 01:51:10 258,122 ----a-w C:\WINDOWS\system32\hpovst08.dll
+ 2005-02-17 07:40:28 73,728 ----a-w C:\WINDOWS\system32\HPTcpMib.dll
+ 2005-02-17 07:41:24 155,648 ----a-w C:\WINDOWS\system32\HPTcpMon.dll
+ 2005-02-17 07:42:48 204,800 ----a-w C:\WINDOWS\system32\HPTcpMUI.dll
+ 2005-03-08 04:39:43 274,432 ----a-w C:\WINDOWS\system32\HPZc3212.dll
+ 2005-03-08 04:41:42 196,608 ----a-w C:\WINDOWS\system32\hpzcoi12.dll
+ 2005-03-08 04:41:47 393,216 ----a-w C:\WINDOWS\system32\hpzcon12.dll
+ 2003-12-09 12:58:28 28,672 ----a-w C:\WINDOWS\system32\hpzjfw01.dll
+ 2005-01-24 09:30:04 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
+ 2005-02-04 11:58:55 98,304 ----a-w C:\WINDOWS\system32\hpzjsn01.dll
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2005-04-20 07:44:05 153,820 ----a-r C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpop1412.dat
+ 2005-03-08 04:41:41 212,992 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpz2ku12.dll
+ 2005-03-08 04:41:46 299,008 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzcfg12.exe
+ 2005-03-08 04:41:42 196,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzcoi12.dll
+ 2005-03-08 04:41:47 393,216 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzcon12.dll
+ 2005-03-08 04:41:48 659,456 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzeng12.exe
+ 2005-03-08 04:41:49 69,632 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzflt12.dll
+ 2005-03-08 04:41:51 1,597,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzimc12.dll
+ 2005-03-08 04:41:54 352,256 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzime12.dll
+ 2005-03-08 04:41:57 2,150,400 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzims12.dll
+ 2005-03-08 04:42:01 225,280 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzjui12.dll
+ 2005-03-08 04:41:42 139,345 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzlnt12.dll
+ 2005-03-08 04:42:02 143,360 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzpcl12.dll
+ 2005-03-08 04:41:43 507,904 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzpm312.dll
+ 2005-03-08 04:42:03 331,776 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzpre12.exe
+ 2005-03-08 04:48:14 3,203,072 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzr3212.dll
+ 2005-03-08 04:42:04 372,736 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzres12.dll
+ 2005-03-08 04:48:16 1,765,376 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzrm312.dll
+ 2005-03-08 04:42:05 679,936 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzslk12.dll
+ 2005-03-18 03:32:53 180,315 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzsnt12.dll
+ 2005-03-08 04:42:06 401,408 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzstc12.exe
+ 2005-03-08 04:42:07 180,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzstw12.exe
+ 2005-03-08 04:42:08 61,440 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpztbi12.dll
+ 2005-03-08 04:42:09 176,128 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpztbu12.exe
+ 2005-03-08 04:42:10 7,348,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpztbx12.exe
+ 2005-03-08 04:42:17 176,188 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\hppsc_1400_series22d9\hpzvip12.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-12 23:43 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-12 23:43 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-04-05 14:19 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-11 04:40 579072]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-04-05 14:23 114688]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-04-05 14:22 94208]
"Cmaudio"="cmicnfg.cpl" []
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-11 04:36 219136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl []
S3 AF15BDA;AF9015 BDA Filter;C:\WINDOWS\system32\Drivers\AF15BDA.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71fd7cbc-9ca3-11dc-8658-000d88f3e1f9}]
\Shell\AutoRun\command - E:\Autoplay.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 18:56:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 19:00:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-20 18:00:11
ComboFix2.txt 2008-01-17 07:03:22
ComboFix3.txt 2008-01-16 15:02:34
.
2008-01-20 17:02:44 --- E O F ---
---------------

And the HiJackThis log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:24, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\Omigawd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live inloggningshjälpen - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4771941812
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 4780757500
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C53EB5-9051-4EB1-9EB2-C270F1C27C19}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{960F8B99-EFC3-4587-B701-A0169E17B761}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FE76D5-B2DD-4E3E-AA24-119EFFFA4EBD}: NameServer = 192.168.0.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Unknown owner - C:\Program Files\HPQ\SHARED\HPQWMI.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LVCOMSer - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Unknown owner - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O23 - Service: Läsartjänsten USN Journal för mappdelning i Messenger (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 8647 bytes
------------------------

Description;
I can't thank ye enough, actually. I get no more of those stupid IE popups, and what's more, the computer is now slightly faster.
Thanks much-ly, Sirs.
I'm going to defrag the HDD too, as well as do a full system scan with all the anti-whatever programs I have so far to make sure nothing was left behind.

Once again, Thank you.

P.S. If any problem comes back, I won't doubt asking for assistance again. :)
Sincerely; A now malware free person.

EDIT: Bloody hell, as soon as my computer is fixed, I myself break down. Stupid random nosebleed.
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm
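
Added example, not part of the thread and not HijackThis code: a small triage script for logs in the HijackThis v2 format posted above. It splits the log into typed entries (R0, O4, O17, O23 and so on) and pulls out the things a helper reads first: entries whose target file no longer exists (the "(file missing)" leftovers), the IE start page, O16 DPF downloads, and O17 NameServer addresses that fall outside the private ranges a home LAN's DNS server is expected to use. The sample lines are the thread's own except the second O17 line, which is constructed (198.51.100.7 is a documentation address) so the DNS check has something to report.

```python
import ipaddress
import re

# Constructed sample in the shape of the HijackThis v2 log above. All lines but
# the second O17 entry are copied from the thread; that one is made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54C53EB5-9051-4EB1-9EB2-C270F1C27C19}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.7
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a type code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Ranges a home LAN's DNS server is expected to live in (RFC 1918 plus loopback).
# Python's is_private also covers documentation ranges, so we list them explicitly.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_hjt(text):
    """Split a HijackThis log into (entry type, body) pairs; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def nameservers(body):
    """Extract the server list from an O17 body ('NameServer = a,b')."""
    m = re.search(r"NameServer = (.+)$", body)
    return re.split(r"[,\s]+", m.group(1).strip()) if m else []


def triage(text):
    """Return findings as dicts with 'kind', 'entry' and 'detail' keys."""
    findings = []
    for kind, body in parse_hjt(text):
        # Target file is gone: a leftover from an uninstall, worth tidying up.
        if body.endswith("(file missing)"):
            findings.append({"kind": "stale", "entry": kind, "detail": body})
        # DNS server outside the LAN: review it, DNS changes are a classic hijack.
        if kind == "O17":
            for ns in nameservers(body):
                try:
                    ip = ipaddress.ip_address(ns)
                except ValueError:
                    continue
                if not any(ip in net for net in LAN_NETS):
                    findings.append({"kind": "dns", "entry": kind, "detail": ns})
        # ActiveX downloads (DPF) and the IE start page are always worth a look.
        if kind == "O16":
            findings.append({"kind": "dpf", "entry": kind, "detail": body})
        if kind == "R0" and "Start Page" in body:
            findings.append({"kind": "startpage", "entry": kind,
                             "detail": body.split("= ", 1)[-1]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']:>9}] {f['entry']}: {f['detail']}")
```

Run it against a saved hijackthis.log by reading the file into `triage()` instead of `SAMPLE_LOG`. The script only lists candidates; whether a start page or a DPF entry is legitimate is still a judgement call, which is exactly why the helpers here ask for the whole log rather than a filtered one.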

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby Simon V. » January 20th, 2008, 3:03 pm

Hi :)

I'm glad to hear your computer is running OK again.

EDIT: Bloody hell, as soon as my computer is fixed, I myself break down. Stupid random nosebleed.

I'm sorry to hear that, but the good news is you don't need Combofix to fix it, only a bit of rest :D

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option (if you have an older version than 1.5, please update it). This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here: http://www.bleepingcomputer.com/tutoria ... ial43.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo.
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium
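
Added example, not part of the thread: a way to verify the Internet Explorer zone settings from the list above after making them, rather than clicking back through the dialog. Internet Explorer stores each setting as a DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone), with 0 = Enable, 1 = Prompt and 3 = Disable; the value names used here (1001, 1004, 1201, 1607, 1800, 1804) are the documented ones for those six settings. Export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and point the script at the file. The export embedded below is constructed, with two settings left at Enable and one absent so the audit reports something.

```python
import re
import sys

# The six Internet-zone settings from the post above, keyed by the registry
# value name Internet Explorer uses for each, with the recommended level.
# Levels: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LEVELS = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample of what `reg export` writes for the Internet zone key.
# 1004 and 1804 are left at Enable and 1607 is absent on purpose.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_dwords(text):
    """Collect the DWORD values from a .reg export as {value name: int}."""
    values = {}
    for line in text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values):
    """Return (value name, setting, current level, recommended level) for each
    setting not at the recommended level. A current level of None means the
    value is absent, so IE is using the zone template's default: treat it as
    unverified rather than as safe."""
    deviations = []
    for name, (label, want) in RECOMMENDED.items():
        have = values.get(name)
        if have != want:
            deviations.append((name, label, have, want))
    return deviations


def describe(level):
    """Human-readable name for a level, including the absent case."""
    return "absent" if level is None else LEVELS.get(level, f"unknown({level})")


def audit_file(path):
    """Audit a real `reg export` file (written as UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return audit_zone(parse_reg_dwords(fh.read()))


if __name__ == "__main__":
    results = (audit_file(sys.argv[1]) if len(sys.argv) > 1
               else audit_zone(parse_reg_dwords(SAMPLE_REG)))
    for name, label, have, want in results:
        print(f"{name} {label}: {describe(have)} -> recommended {describe(want)}")
```

Only the Internet zone is checked because that is the one the post changes; the same value names apply under the other zone numbers if you want to extend it.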

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby asaguda » January 20th, 2008, 3:15 pm

Ironically enough my chair broke too. *Grumbles.*

Yep, I read that article, and it helped me to more software that doesn't clash with each other. :)
Thanks for all the help, kind Sir.
Have a good day/night, and take care! :D

P.S. I can't stop staring at that avatar. *Makes grabby hands.* I want!
asaguda
Active Member
 
Posts: 9
Joined: January 12th, 2008, 4:07 pm

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby Simon V. » January 20th, 2008, 3:26 pm

Ironically enough my chair broke too. *Grumbles.*

Heh, seems like Murphy is at work :D

Thanks for all the help, kind Sir.

You're very welcome. Happy surfing and stay safe! :thumbup:
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium

Re: Seems I've got Vundo and a couple of other malware items.

Unread postby NonSuch » January 20th, 2008, 5:26 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California