Thank you for your reply to my post. I did exactly as you said with ComboFix. The log file report is below. As for the games... yes, I do play games on here, but not online games. I only play games that I have a CD for.
ComboFix report:
ComboFix 09-01-10.03 - Administrator 2009-01-11 19:39:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.148 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\windows\system32\fvhthipc.ini
c:\windows\system32\levdxwjj.ini
c:\windows\system32\TDSSosvd.dat
----- BITS: Possible infected sites -----
hxxp://childhe.com
hxxp://rapidshare.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SWAPM
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
-------\Service_VFILT
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-07 00:54 . 2009-01-07 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-06 23:08 . 2009-01-07 00:54 <DIR> d-------- c:\program files\GAry
2009-01-06 23:02 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 23:01 . 2009-01-06 23:03 <DIR> d-------- c:\program files\BEATTHEFUCKER
2009-01-06 23:01 . 2009-01-06 23:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 23:01 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 19:07 . 2009-01-05 19:07 7,168 --a------ c:\windows\system32\0s_install.exe
2009-01-03 18:43 . 2009-01-03 18:43 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 23:58 . 2008-12-31 23:58 <DIR> d-------- c:\program files\ClamWin
2008-12-31 23:58 . 2008-12-31 23:58 <DIR> d-------- c:\documents and settings\All Users\.clamwin
2008-12-31 23:58 . 2008-12-31 23:59 <DIR> d-------- c:\documents and settings\Administrator\Application Data\.clamwin
2008-12-31 07:21 . 2008-11-17 13:05 12,576 --a------ c:\windows\system32\drivers\TfKbMon.sys
2008-12-31 05:48 . 2009-01-01 16:36 0 --a------ c:\windows\system32\drivers\27ffd505.sys
2008-12-31 05:46 . 2008-12-31 05:46 2 --a------ C:\-65386453
2008-12-31 05:45 . 2008-12-31 05:46 4,707 --a------ c:\windows\system32\aidb.dat
2008-12-31 05:44 . 2008-12-31 05:44 113,664 --a------ c:\windows\system32\mqapi.exe
2008-12-31 01:46 . 2008-12-31 01:52 <DIR> d-------- c:\program files\LucyQ Deluxe
2008-12-31 01:36 . 2008-12-31 01:38 <DIR> d-------- c:\documents and settings\Administrator\uspy
2008-12-28 03:04 . 2008-12-28 03:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayPond
2008-12-28 03:02 . 2008-12-28 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Meridian93
2008-12-28 03:02 . 2008-12-28 03:02 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jetsetter
2008-12-28 03:01 . 2008-12-28 03:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\blg
2008-12-28 03:01 . 2008-12-28 03:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\blg
2008-12-28 02:51 . 2008-12-28 02:51 0 --a------ c:\windows\system32\system32xp.exe.tmp
2008-12-13 23:56 . 2008-12-29 01:05 <DIR> d-------- c:\program files\LeeGTs Games
2008-12-13 23:54 . 2008-12-13 23:54 73,625,706 --a------ c:\windows\system32\xa31238421.exe
2008-12-13 23:54 . 2008-12-13 23:54 73,625,706 --a------ c:\windows\system32\xa31229500.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:30 --------- d-----w c:\program files\Trillian
2009-01-11 09:03 --------- d-----w c:\program files\Games
2009-01-11 09:02 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-07 01:08 --------- d-----w c:\program files\Varmintz Deluxe
2009-01-01 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-31 13:48 --------- d-----w c:\program files\Opera
2008-12-14 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2008-12-14 06:24 --------- d-----w c:\documents and settings\Administrator\Application Data\PlayFirst
2008-12-14 06:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Games
2008-12-11 00:13 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2008-12-10 01:11 --------- d-----w c:\documents and settings\Administrator\Application Data\Shape games
2008-12-10 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\NeptunesAdve
2008-12-10 01:08 --------- d-----w c:\documents and settings\Administrator\Application Data\Anabel
2008-12-10 01:02 --------- d-----w c:\program files\Janes Hotel
2008-12-10 01:01 --------- d-----w c:\program files\Ice Cream Mania
2008-12-10 01:01 --------- d-----w c:\program files\Flower Shop Big City Break
2008-12-10 01:01 --------- d-----w c:\program files\Fishing Craze
2008-12-10 01:01 --------- d-----w c:\program files\Delicious 2 Deluxe
2008-12-10 01:01 --------- d-----w c:\program files\Cake Mania 2
2008-12-10 00:21 --------- d-----w c:\program files\Happy Hour
2008-12-10 00:16 --------- d-----w c:\program files\Eye For Design
2008-12-09 23:52 --------- d-----w c:\program files\Paparazzi
2008-12-09 09:59 --------- d-----w c:\documents and settings\Administrator\Application Data\Ubisoft
2008-12-06 07:52 --------- d-----w c:\program files\mcbiz4
2008-12-01 23:45 --------- d-----w c:\documents and settings\Administrator\Application Data\Artogon
2008-12-01 23:17 --------- d-----w c:\documents and settings\Administrator\Application Data\FileSubmit
2008-11-30 06:34 --------- d-----w c:\documents and settings\All Users\Application Data\Alawar Stargaze
2008-11-30 06:29 --------- d-----w c:\program files\Burger Island
2008-11-29 01:01 --------- d-----w c:\documents and settings\All Users\Application Data\BigFish
2008-11-29 01:00 --------- d-----w c:\documents and settings\Administrator\Application Data\BigFish
2008-11-29 00:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Dragon Altar Games
2008-11-29 00:45 --------- d-----w c:\program files\Sultan of Persia
2008-11-27 01:44 --------- d-----w c:\program files\Sallys Salon
2008-11-26 23:51 --------- d-----w c:\program files\Bookworm Adventures Deluxe
2008-11-23 07:21 --------- d-----w c:\program files\The Race
2008-11-18 05:30 --------- d-----w c:\documents and settings\All Users\Application Data\Playrix Entertainment
2008-11-18 03:30 --------- d-----w c:\documents and settings\Administrator\Application Data\cerasus.media
2008-11-18 03:26 --------- d-----w c:\program files\Common Files\SWF Studio
2008-11-18 03:25 --------- d-----w c:\documents and settings\Administrator\Application Data\SpinTop Games
2008-11-18 03:23 --------- d-----w c:\documents and settings\All Users\Application Data\Gogii Games
2008-11-18 03:23 --------- d-----w c:\documents and settings\Administrator\Application Data\Gogii Games
2008-11-14 10:07 --------- d-----w c:\program files\Law And Order The Vengeful Heart
2008-11-14 06:19 --------- d-----w c:\documents and settings\All Users\Application Data\AlawarWrapper
2008-10-13 00:04 286,720 ----a-w c:\windows\iun506.exe
2008-08-12 06:05 0 ----a-w c:\program files\temp01
2006-02-23 13:16 34,048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 13:16 45,056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-09-11 443968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\klomp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51:58 13560]
S1 27ffd505;27ffd505;c:\windows\system32\drivers\27ffd505.sys [2008-12-31 0]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-06 38496]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f25bed3-49e6-11dd-8085-ebf2c1b884a6}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-12 c:\windows\Tasks\rsdxzsvb.job
- c:\windows\system32\rundll32.exe [2008-04-13 21:42]
.
- - - - ORPHANS REMOVED - - - -
Notify-cbXPFyxV - cbXPFyxV.dll
.
------- Supplementary Scan -------
.
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file://c:\program files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file://c:\program files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g4vlymwa.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?client=fir ... =en&tab=wn
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g4vlymwa.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Opera\program\plugins\np32dsw.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-01-11 19:43:14
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-11 19:51:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 01:50:55
Pre-Run: 24,980,885,504 bytes free
Post-Run: 25,804,496,896 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
196
HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:32 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Jigsaw Puzzle Platinum\Images\armhelper.ocx
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
--
End of file - 3513 bytes
Waiting to hear back from you before I do anything else. Again, I thank you for all your help with this computer.