HijackThis Log Help - Google Redirect


Unread postby dmc5jc » May 4th, 2009, 2:12 pm

Hi,

My Google searches have recently started to redirect me to clickcheck.ru and I can't stop this through any of the programs I have tried (AVG, Spybot, Malwarebytes, Comodo, Avira AntiVir, CCleaner).

Your help would be much appreciated.

-----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:45, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1172178880\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6060920
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6060920
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1889C1D3-7FFB-4370-A2B5-C533DDB51891} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {544837AE-9C73-12CF-451A-0272F59E6C27} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {679663e5-4412-4086-92fd-0f0213b4de93} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2742364218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553538000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BDE5B84-A84A-44A0-9087-CD85E24FF419}: NameServer = 92.31.241.20 92.31.241.21
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\humugege.dll c:\windows\system32\jemitawa.dll,C:\WINDOWS\system32\degipeme.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8730 bytes
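As an added example (not code from the thread, its posters, or the HijackThis project), the following Python script parses the one-entry-per-line HijackThis format shown above and flags the sections a helper looks at first: O20 AppInit_DLLs, O16 ActiveX downloads served from a bare IP address or fetching an .exe, O2 BHOs whose DLL is gone, and O17 NameServer entries for manual comparison. The sample input is constructed from lines of the log posted above; the severity labels are the example's own, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1889C1D3-7FFB-4370-A2B5-C533DDB51891} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BDE5B84-A84A-44A0-9087-CD85E24FF419}: NameServer = 92.31.241.20 92.31.241.21
O20 - AppInit_DLLs: c:\windows\system32\humugege.dll c:\windows\system32\jemitawa.dll,C:\WINDOWS\system32\degipeme.dll C:\WINDOWS\system32\cssdll32.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "medium": 1, "review": 2}  # the example's own scale


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O20"
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw line) for every 'Oxx - ...' entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body"), raw.strip()


def check_appinit(body, line):
    # AppInit_DLLs is mapped into every process that loads user32.dll, so a
    # populated value is always worth a look. HijackThis prints the paths
    # separated by spaces or commas, exactly as in the posted log.
    value = body.split(":", 1)[1]  # the first colon ends "AppInit_DLLs"
    dlls = [p for p in re.split(r"[,\s]+", value) if p]
    if not dlls:
        return None
    return Finding("O20", "high",
                   f"AppInit_DLLs loads {len(dlls)} DLL(s) into every GUI process", line)


def check_dpf(body, line):
    # O16 = ActiveX "Download Program Files". Vendors ship .cab packages from a
    # hostname; a bare-IP URL or a direct .exe is the pattern to flag.
    m = URL_RE.search(body)
    if not m:
        return None
    url = m.group(0)
    reasons = []
    if IP_HOST_RE.match(url):
        reasons.append("served from a bare IP address")
    if url.lower().endswith(".exe"):
        reasons.append("fetches an .exe rather than a .cab")
    if not reasons:
        return None
    return Finding("O16", "high", "ActiveX download " + " and ".join(reasons), line)


def check_bho(body, line):
    # "(no file)" means the CLSID is still registered but the DLL is gone:
    # stale rather than active, commonly left behind by removed adware.
    if body.endswith("(no file)"):
        return Finding("O2", "medium", "orphaned BHO registration (DLL not on disk)", line)
    return None


def check_nameserver(body, line):
    # Not wrong by itself: the addresses must be compared with the ISP's or
    # router's DNS before a verdict, so this only asks for review.
    if "NameServer =" not in body:
        return None
    servers = body.split("NameServer =", 1)[1].split()
    return Finding("O17", "review",
                   "DNS servers set to " + ", ".join(servers) + "; confirm against ISP/router", line)


CHECKS = {"O20": check_appinit, "O16": check_dpf, "O2": check_bho, "O17": check_nameserver}


def triage(log_text):
    """Run every check over a HijackThis log; findings come back highest severity first."""
    findings = []
    for kind, body, line in parse_entries(log_text):
        check = CHECKS.get(kind)
        finding = check(body, line) if check else None
        if finding:
            findings.append(finding)
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind}: {f.reason}\n         {f.line}")
```

On the sample this reports two high findings (the bare-IP .exe download and the four AppInit_DLLs entries), one orphaned BHO, and the NameServer pair for review; entries in sections the script has no rule for (R0, O4) pass through silently.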

Re: HijackThis Log Help - Google Redirect

Unread postby Bio-Hazard » May 6th, 2009, 10:14 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!

Re: HijackThis Log Help - Google Redirect

Unread postby Bio-Hazard » May 6th, 2009, 10:22 am

Multiple Anti Virus programs

You are operating multiple Anti Virus programs on your computer:
    AVG8
    AntiVir Personal Edition Classic
    COMODO Internet Security - also has Antivirus module

It is NOT safe to have more than one anti-virus installed on a system; doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.


RootRepeal - Rootkit Detector

Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several posts to get the logs posted.)


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • RootRepeal.txt
  • RSIT logs, info.txt and log.txt
  • A description of how your computer is behaving

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 6th, 2009, 1:51 pm

Many thanks for your reply. I have been unable to upload the files as an attachment so I hope pasting them into separate posts will be ok.

Root Repeal

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/06 18:10
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9227000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E8000 Size: 8192 File Visible: No
Status: -

Name: ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
Image Path: C:\WINDOWS\system32\drivers\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
Address: 0xA9410000 Size: 180224 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8597000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\!KillBox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll( 1)
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 1)
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 2)
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
Status: Invisible to the Windows API!

Path: C:\!KillBox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys( 3)
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Prefetch\AVWSC.EXE-186A131A.pf
Status: Size mismatch (API: 30690, Raw: 31466)

Path: C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf
Status: Size mismatch (API: 923770, Raw: 929482)

Path: C:\WINDOWS\Prefetch\IGFXSRVC.EXE-1D88F978.pf
Status: Size mismatch (API: 77852, Raw: 77590)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-0836F7BD.pf
Status: Size mismatch (API: 23958, Raw: 23218)

Path: C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf
Status: Size mismatch (API: 24098, Raw: 31270)

Path: C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf
Status: Size mismatch (API: 75160, Raw: 76784)

Path: C:\WINDOWS\system32\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthewcqptbtpgoeqyydqbovmwubkkavcmsi.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthknbylkfqvoyewrfndetrdswhahvxrvef.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthqwtqwttmernmxjptvrjxxvkbgingsnlr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\ovfsthocdppdwvqj.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\ovfsthxtkbcimuwp.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll1
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll2
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll1
Status: Invisible to the Windows API!

Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\0123CHE3\transactionID=94486026&apg=4115&site=webmd&dom=www%2Ewebmd%2Ecom&brand=mywebmd&uri=%2Fhw%2Fhealth%5Fguide%5Fatoz%2Fhw198785&tile=86200068&allowcompete=no&pos=top&adsize=728x9[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\0TIZWL2F\Type=click&FlightID=83750&AdID=111724&TargetID=9264&Segments=2743,3285,4121,4707,4757,4832,5422,6520,6582,7769,8463,8796,9643,10920&Values=47780&Redirect=;ord=dcoRyWy,bdqWrIh[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\1CCVD14X\we%e2%80%99re-bar-b-q%e2%80%99ing-now-baby-you-need-beef-jerky-booger-red-origin-wrestling-on-radio-uninformed-rock-bashers-great-tag-teams-where-have-you-gone[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\1CCVD14X\activity;src=1483470;met=1;v=1;pid=20631030;aid=140550789;ko=0;cid=22794312;rid=22812195;rv=1;&timestamp=1192229059140;eid1=2;ecn1=0;etm1=10;eid3=12;ecn3=0;etm3=8;eid4=13;ecn[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PYNWDYJ\Type=click&FlightID=84517&AdID=112441&TargetID=8228&Segments=2168,2743,4121,4129,4700,4841,6520,6582,7769,8463,8796,10920&Values=47780&Redirect=;ord=bAjgfWI,bdqWrIneAatcq[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\C52N8XUN\26PhotoAlbumId%3D1015431765%26PhotoId%3D1024367733&lmt=1192200250&dt=1192200250296&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=23&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\C52N8XUN\6MemberId%3D2858529023%26PhotoAlbumId%3D5504134559&lmt=1192200156&dt=1192200156890&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=17&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\C52N8XUN\click,oAUAACAVAAAWfwYAAMYCAAIAAAAAAP8AAAAGEAIAAgOrJAMAqcUAAPJLBAAAAAAAAAAAAAAAAAAAAAAAAAAAAO-HD0c[2].jsp%3Fmemberid%3D2858529023%26photoalbumid%3D5504134559%26photoid%3D5504151903,;
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\CA2HSHGV.jsp%3FMemberId%3D19711723&lmt=1192200455&dt=1192200455093&cc=437&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=24&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\3771339%26PhotoNbr%3D1%26PhotoAlbumId%3D5094001010&lmt=1192200353&dt=1192200353640&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=23&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\26PhotoAlbumId%3D1015431765%26PhotoId%3D1024367733&lmt=1192200266&dt=1192200266531&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=25&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\26PhotoAlbumId%3D2961296484%26PhotoId%3D2961347431&lmt=1192200211&dt=1192200211406&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=22&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\26PhotoAlbumId%3D5094001010%26PhotoId%3D5120168684&lmt=1192200406&dt=1192200406234&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=29&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\CAWPM9GT.jsp%3FMemberId%3D19711723&lmt=1192200466&dt=1192200466781&cc=437&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=26&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\CAAR8I3K.jsp%3FMemberId%3D350475863&lmt=1192200429&dt=1192200429984&cc=437&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=23&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\CXMVSTMB\BQCD0.jsp%3FProfilePhoto%3DY%26MemberId%3D19711723&lmt=1192200461&dt=1192200461468&cc=361&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=25&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\G7VNEG9T\activity;src=1483470;met=1;v=1;pid=20631030;aid=140550789;ko=0;cid=22794307;rid=22812190;rv=1;&timestamp=1192241322953;eid1=2;ecn1=1;etm1=10;eid2=11;ecn2=1;etm2=0;eid3=12;ecn[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\KHUNK1YN\Type=click&FlightID=83750&AdID=111724&TargetID=9264&Segments=2168,2743,4121,4129,4707,4757,4832,5422,6520,6582,7769,8463,8796,10920&Values=47780&Redirect=;ord=ctqdwui,bdqWrIo[2]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\%3DProfile_jsp%26MemberId%3D2858529023%26popup%3D0&lmt=1192200135&dt=1192200135875&cc=437&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=17&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\26PhotoAlbumId%3D5094001010%26PhotoId%3D5120050721&lmt=1192200376&dt=1192200376843&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=27&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\BI1.jsp%3FProfilePhoto%3DY%26MemberId%3D2858529023&lmt=1192200145&dt=1192200145421&cc=315&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=17&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\26PhotoAlbumId%3D5094001010%26PhotoId%3D5094021473&lmt=1192200413&dt=1192200413218&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=30&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\26PhotoAlbumId%3D5094001010%26PhotoId%3D5094088186&lmt=1192200364&dt=1192200364031&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=25&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\5059451%26PhotoNbr%3D1%26PhotoAlbumId%3D1015431765&lmt=1192200227&dt=1192200227562&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=21&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\OPYB8DYR\CAODWKWH.jsp%3FMemberId%3D1015059451&lmt=1192200199&dt=1192200199328&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=20&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\SDYZOXIN\activity;src=866086;met=1;v=1;pid=20630591;aid=141388360;ko=0;cid=22847097;rid=22864980;rv=1;&timestamp=1192202194656;eid1=2;ecn1=0;etm1=10;eid5=1034;ecn5=0;etm5=10;eid6=1020[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\SDYZOXIN\26PhotoAlbumId%3D1015431765%26PhotoId%3D1024362732&lmt=1192200232&dt=1192200232843&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=22&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\SDYZOXIN\26PhotoAlbumId%3D1015431765%26PhotoId%3D1024367733&lmt=1192200261&dt=1192200261296&cc=342&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=25&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\SDYZOXIN\HYF.jsp%3FProfilePhoto%3DY%26MemberId%3D2858529023&lmt=1192200174&dt=1192200174484&cc=315&u_h=768&u_w=1024&u_ah=738&u_aw=1024&u_cd=32&u_tz=60&u_his=18&u_java=true&u_nplug=0&u_nmime=0
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\SLUBOXQN\transactionID=94486026&apg=4115&site=webmd&dom=www%2Ewebmd%2Ecom&brand=mywebmd&uri=%2Fhw%2Fhealth%5Fguide%5Fatoz%2Fhw198785&tile=86200068&allowcompete=no&pos=top&adsize=1x1&n[1]
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\WDABSLYV\activity;src=866086;met=1;v=1;pid=20630582;aid=140826714;ko=0;cid=22824526;rid=22842409;rv=1;&timestamp=1192219297609;eid1=2;ecn1=0;etm1=10;eid2=1037;ecn2=1;etm2=9;eid3=1019;[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Internet Files\Content.IE5\YHZSTKNU\activity;src=1483470;met=1;v=1;pid=20631030;aid=140550789;ko=0;cid=22794312;rid=22812195;rv=1;&timestamp=1192229049140;eid1=2;ecn1=1;etm1=10;eid2=11;ecn2=1;etm2=0;eid3=12;ecn[1].gif
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ovfsthqwtqwttmernmxjptvrjxxvkbgingsnlr.dll]
Process: svchost.exe (PID: 916) Address: 0x10000000 Size: 73728

Object: Hidden Module [Name: ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll]
Process: Explorer.EXE (PID: 1556) Address: 0x10000000 Size: 24576

Hidden Services
-------------------
Service Name: ovfsthrmyvyqjxuwprqhrmlmkvxobhoomqtnsg
Image Path: C:\WINDOWS\system32\drivers\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys

Re: HijackThis Log Help - Google Redirect

Unread postby Bio-Hazard » May 6th, 2009, 2:39 pm

Hello!

Copying and pasting the log is what I want you to do. Don't run the RSIT. Let's start with Combofix.

Did you uninstall 2 of your Antivirus programs?


Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Image


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image

  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 6th, 2009, 2:48 pm

RSIT - Info

info.txt logfile of random's system information tool 1.06 2009-05-06 17:50:31

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Extra Settings CS4-->MsiExec.exe /I{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Recommended Settings CS4-->MsiExec.exe /I{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Dreamweaver CS3-->C:\Program Files\Common Files\Adobe\Installers\435a6af7459cb02a9c1138113a26e93\Setup.exe
Adobe Dreamweaver CS3-->MsiExec.exe /I{F01D5ED5-D53A-4468-B428-149DC2CB3110}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS3-->MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Photoshop CS4-->MsiExec.exe /I{E4848436-0345-47E2-B648-8B522FCDA623}
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Setup-->MsiExec.exe /I{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
AOL Uninstaller (Choose which Products to Remove)-->C:\Program Files\Common Files\AOL\uninstaller.exe
AutoCAD 2006 - English-->MsiExec.exe /I{5783F2D7-4001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer-->C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BT Voyager 105 ADSL Modem-->C:\Program Files\BT Voyager 105 ADSL Modem\uninstall.exe
BT Voyager Modem AOL Test-->C:\WINDOWS\AppRun.exe C:\PROGRA~1\VOYAGE~2
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Conexant D850 56K V.9x DFVc Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Support 3.2-->MsiExec.exe /X{3846E811-639D-4DE1-844B-30491C0A6C0C}
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Football Manager 2009-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10540
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Graphics Media Accelerator Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) PROSet for Wired Connections-->MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN-->C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{3BFFC6B8-4EC0-4240-858C-998FD4077983}
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Roxio DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Roxio RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\INSTALL.LOG
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Spybot - Search & Destroy 1.4-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
VeohTV BETA-->C:\Program Files\InstallShield Installation Information\{0405E51E-9582-4207-8F38-AC44201D3808}\setup.exe -runfromtemp -l0x0409
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: Avira AntiVir PersonalEdition Classic
AV: Avira AntiVir PersonalEdition Classic (disabled)
AV: Avira AntiVir PersonalEdition Classic (outdated)
AV: Avira AntiVir PersonalEdition (disabled)

======System event log======

Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0011F56CF5B6. The IP address being used is 169.254.200.231.

Record Number: 51134
Source Name: Dhcp
Time Written: 20090421123517.000000+060
Event Type: warning
User:

Computer Name: HOME
Event Code: 7000
Message: The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error:
The system cannot find the path specified.

Record Number: 51116
Source Name: Service Control Manager
Time Written: 20090421123412.000000+060
Event Type: error
User:

Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0011F56CF5B6. The IP address being used is 169.254.200.231.

Record Number: 51110
Source Name: Dhcp
Time Written: 20090420143006.000000+060
Event Type: warning
User:

Computer Name: HOME
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0011F56CF5B6. The IP address being used is 169.254.200.231.

Record Number: 51104
Source Name: Dhcp
Time Written: 20090420142820.000000+060
Event Type: warning
User:

Computer Name: HOME
Event Code: 7000
Message: The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error:
The system cannot find the path specified.

Record Number: 51086
Source Name: Service Control Manager
Time Written: 20090420142714.000000+060
Event Type: error
User:

=====Application event log=====

Computer Name: HOME
Event Code: 4113
Message:
Record Number: 4434
Source Name: Avira AntiVir
Time Written: 20080707133229.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 4113
Message:
Record Number: 4433
Source Name: Avira AntiVir
Time Written: 20080707133229.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 4113
Message:
Record Number: 4432
Source Name: Avira AntiVir
Time Written: 20080707133218.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 4113
Message:
Record Number: 4431
Source Name: Avira AntiVir
Time Written: 20080707133218.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: HOME
Event Code: 4113
Message:
Record Number: 4430
Source Name: Avira AntiVir
Time Written: 20080707133208.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
dmc5jc
Joined: May 4th, 2009, 2:05 pm

Re: HijackThis Log Help - Google Redirect

Post by dmc5jc » May 6th, 2009, 2:51 pm

RSIT Log

Logfile of random's system information tool 1.06 (written by random/random)
Run by Dan at 2009-05-06 18:16:12
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 30 GB (56%) free of 54 GB
Total RAM: 3062 MB (86% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:22, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1172178880\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dan\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Dan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6060920
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6060920
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Dan\protect.dll,_IWMPEvents@16
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\gfeg3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\2953286194.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\gfeg3.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2742364218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553538000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O20 - AppInit_DLLs: c:\windows\system32\humugege.dll c:\windows\system32\jemitawa.dll,C:\WINDOWS\system32\degipeme.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7743 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\ParetoLogic Registration.job
C:\WINDOWS\tasks\Schedule Task Weekly.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
SITEguard

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-10-14 94208]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]
"DSLSTATEXE"=C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe [2003-06-28 1658965]
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2007-12-07 71008]
"autochk"=C:\WINDOWS\system32\autochk.dll [2009-05-06 24064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"autochk"=C:\DOCUME~1\Dan\protect.dll [2009-05-06 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\3c4365ac]
C:\WINDOWS\system32\nivedusa.dll,b []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autochk]
C:\WINDOWS\system32\autochk.dll [2009-05-06 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
C:\PROGRA~1\AVG\AVG8\avgtray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bibowkd.dll]
C:\WINDOWS\system32\bibowkd.dll,dozjrld []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
c:\dell\bldbubg.exe [2006-09-20 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Internet Security]
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO SafeSurf]
C:\Program Files\COMODO\SafeSurf\cssurf.exe -s []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPM3f705630]
c:\windows\system32\jemitawa.dll,a []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gimavozigo]
C:\WINDOWS\system32\tigogitu.dll,s []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1172178880\ee\AOLSoftware.exe [2006-11-17 50736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe [2005-10-14 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
C:\Program Files\Napster\napster.exe /systray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\prnet]
C:\WINDOWS\system32\prnet.tmp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uhvjsul.dll]
C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-05-15 3644464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
C:\Program Files\Windows Defender\MSASCui.exe -hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
C:\PROGRA~1\COMMON~1\AUTODE~1\ACSTAR~1.EXE [2005-03-05 10872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
C:\WINDOWS\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe -systray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
C:\Program Files\Digital Line Detect\DLG.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.dll]
C:\Documents and Settings\Dan\Start Menu\Programs\Startup\ChkDisk.dll [2009-05-06 24064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.lnk]
C:\DOCUME~1\Dan\STARTM~1\Programs\Startup\ChkDisk.dll,_IWMPEvents@16 []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Documents and Settings\Dan\Start Menu\Programs\Startup
ChkDisk.dll
ChkDisk.lnk - C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="c:\windows\system32\humugege.dll c:\windows\system32\jemitawa.dll,C:\WINDOWS\system32\degipeme.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-10-14 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\degipeme.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\1172178880\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1172178880\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\BitTorrent_DNA\dna.exe"="C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"="C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\AOL 9.0 VR\waol.exe"="C:\Program Files\AOL 9.0 VR\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe"="C:\Program Files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information"
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Disabled:Football Manager 2008"
"C:\Program Files\Steam\SteamApps\common\football manager 2009\fm.exe"="C:\Program Files\Steam\SteamApps\common\football manager 2009\fm.exe:*:Enabled:Football Manager 2009"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\Program Files\Java\jre6\bin\jusched.exe"="C:\Program Files\Java\jre6\bin\jusched.exe:*:Enabled:jusched"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======File associations======

.js - edit -
.js - open -
.scr - open - "C:\WINDOWS\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-05-06 17:50:15 ----D---- C:\rsit
2009-05-06 17:01:54 ----ASH---- C:\WINDOWS\system32\autochk.dll
2009-05-06 15:22:45 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-01 18:55:41 ----D---- C:\Program Files\Trend Micro
2009-05-01 18:51:47 ----D---- C:\!KillBox
2009-05-01 18:38:01 ----D---- C:\Program Files\QUAD Utilities
2009-05-01 17:11:35 ----A---- C:\WINDOWS\system32\cssdll32.dll
2009-05-01 17:11:02 ----D---- C:\Documents and Settings\All Users\Application Data\Comodo
2009-05-01 17:10:59 ----D---- C:\Program Files\COMODO
2009-05-01 16:37:55 ----A---- C:\rollback.ini
2009-05-01 16:17:47 ----D---- C:\Documents and Settings\Dan\Application Data\Malwarebytes
2009-05-01 16:17:41 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-05-01 16:06:33 ----D---- C:\Program Files\Common Files\ParetoLogic
2009-05-01 16:06:33 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2009-04-30 23:13:23 ----HDC---- C:\WINDOWS\ie8
2009-04-30 23:11:39 ----A---- C:\WINDOWS\system32\MRT.INI
2009-04-30 23:09:56 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-30 23:03:12 ----D---- C:\WINDOWS\system32\XPSViewer
2009-04-30 23:03:09 ----D---- C:\Program Files\MSBuild
2009-04-30 23:03:00 ----D---- C:\Program Files\Reference Assemblies
2009-04-30 22:07:14 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-30 19:34:59 ----D---- C:\Program Files\AVG
2009-04-29 21:36:00 ----D---- C:\Documents and Settings\All Users\Application Data\SITEguard
2009-04-29 21:35:13 ----D---- C:\Program Files\Common Files\iS3
2009-04-29 21:35:13 ----D---- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2009-04-21 16:15:55 ----D---- C:\Documents and Settings\Dan\Application Data\YoudaGames

======List of files/folders modified in the last 1 months======

2009-05-06 18:10:37 ----D---- C:\WINDOWS\system32\drivers
2009-05-06 18:09:33 ----D---- C:\WINDOWS\Temp
2009-05-06 18:09:30 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-05-06 18:09:22 ----D---- C:\WINDOWS\system32
2009-05-06 18:08:44 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-06 17:54:50 ----SHD---- C:\Config.Msi
2009-05-06 17:47:05 ----D---- C:\WINDOWS\Prefetch
2009-05-06 17:46:02 ----SHD---- C:\WINDOWS\Installer
2009-05-06 17:45:36 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-05-06 17:45:36 ----AD---- C:\Program Files
2009-05-06 17:45:35 ----SD---- C:\WINDOWS\Tasks
2009-05-06 17:45:35 ----HD---- C:\WINDOWS\inf
2009-05-06 17:43:56 ----D---- C:\WINDOWS
2009-05-06 17:42:59 ----SD---- C:\Documents and Settings\Dan\Application Data\Microsoft
2009-05-06 17:42:39 ----D---- C:\Documents and Settings\Dan\Application Data\Lavasoft
2009-05-06 15:29:16 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-06 14:21:56 ----D---- C:\Program Files\AntiVir PersonalEdition Classic
2009-05-06 14:21:55 ----D---- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2009-05-05 18:15:21 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-04 17:30:46 ----D---- C:\WINDOWS\system32\CatRoot
2009-05-04 17:29:04 ----D---- C:\WINDOWS\system32\dllcache
2009-05-04 11:41:10 ----D---- C:\WINDOWS\system32\FxsTmp
2009-05-02 11:56:54 ----D---- C:\Program Files\Java
2009-05-02 11:54:43 ----D---- C:\Program Files\Common Files
2009-05-02 11:48:54 ----D---- C:\WINDOWS\Debug
2009-05-02 11:40:01 ----RASH---- C:\boot.ini
2009-05-02 11:40:01 ----A---- C:\WINDOWS\win.ini
2009-05-02 11:40:01 ----A---- C:\WINDOWS\system.ini
2009-05-02 11:36:01 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-01 17:27:06 ----D---- C:\WINDOWS\Microsoft.NET
2009-05-01 17:27:03 ----RSD---- C:\WINDOWS\assembly
2009-05-01 16:46:00 ----D---- C:\Program Files\BitTorrent
2009-05-01 11:34:55 ----D---- C:\temp
2009-05-01 11:19:56 ----D---- C:\Program Files\AOL 9.0 VR
2009-05-01 11:19:43 ----D---- C:\Program Files\Common Files\aolshare
2009-05-01 11:19:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-30 23:16:47 ----D---- C:\WINDOWS\system32\en-US
2009-04-30 23:16:47 ----D---- C:\WINDOWS\Media
2009-04-30 23:16:47 ----D---- C:\WINDOWS\Help
2009-04-30 23:16:47 ----D---- C:\Program Files\Internet Explorer
2009-04-30 23:16:46 ----D---- C:\WINDOWS\system32\wbem
2009-04-30 23:16:46 ----D---- C:\WINDOWS\AppPatch
2009-04-30 23:08:52 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-30 23:06:36 ----D---- C:\WINDOWS\WinSxS
2009-04-30 23:03:05 ----RSD---- C:\WINDOWS\Fonts
2009-04-30 19:32:29 ----D---- C:\Program Files\Mozilla Firefox
2009-04-30 19:09:07 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-30 17:28:49 ----D---- C:\WINDOWS\pss
2009-04-30 16:52:56 ----D---- C:\Program Files\Adobe
2009-04-30 16:50:36 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-30 16:44:40 ----D---- C:\Program Files\Google
2009-04-30 16:42:27 ----D---- C:\Program Files\Microsoft Games
2009-04-30 16:35:39 ----D---- C:\Program Files\CCleaner
2009-04-29 19:17:52 ----A---- C:\WINDOWS\wininit.ini
2009-04-21 16:14:32 ----D---- C:\Documents and Settings\Dan\Application Data\BitTorrent
2009-04-09 20:30:15 ----D---- C:\Program Files\Steam

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-11-25 75072]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
R3 lanusb;GlobeSpan USB ADSL LAN Modem; C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 138402]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 PPPoEWin;PPPoEWin Miniport; C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 104375]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2006-02-10 1107224]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 avgntflt;avgntflt; \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys []
S3 CO_Mon;CO_Mon; \??\C:\WINDOWS\system32\Drivers\CO_Mon.sys []
S3 DSproct;DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys []
S3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
S3 IndieVolume;IndieVolume Service; \??\C:\Program Files\IndieVolume\IndieVolume.sys []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-10-10 9216]
S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-10-10 12800]
S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-10-10 138240]
S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-10-10 12800]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\WINDOWS\System32\Drivers\sskbfd.sys [2006-08-03 14848]
S3 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-04-27 28352]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP; C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys [2007-03-22 25600]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler; C:\Program Files\AntiVir PersonalEdition Classic\sched.exe [2008-10-23 68865]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 AntiVirService;AntiVir PersonalEdition Classic Guard; C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe [2008-10-23 151297]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2007-11-14 77944]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-12-31 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 183280]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 6th, 2009, 2:55 pm

Apologies for the delay, I'm having trouble with my internet connection.

I will resume with the Combo Fix post tomorrow evening if that's ok. Thanks for your time.
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm

Re: HijackThis Log Help - Google Redirect

Unread postby Bio-Hazard » May 6th, 2009, 2:59 pm

Hello!

Sorry about that. Take your time. Read below before you start with Combofix:


Use of P2P (Person to Person) file sharing programs

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.

NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 7th, 2009, 12:50 pm

Hello again!

Thanks for your patience. This is where I'm up to now.

I've uninstalled BitTorrent and uninstalled all but one of the antivirus software. I've left Avira AntiVir Personal on. I have now run ComboFix and created a new HijackThis log.

My computer is slow loading Internet Explorer and would not connect to Google. When I search on Google and click a link, I get redirected to clickcheck.ru sites which are just adverts. This is the first time I've connected to the internet since using ComboFix and things are running smoother than before. I have not tried following any links through Google, just came straight to this page.

Here is my HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:42:33, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1172178880\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=d ... bd=6060920
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DSLSTATEXE] "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" icon
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2742364218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553538000} - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6543 bytes
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 7th, 2009, 12:51 pm

And here is my ComboFix report:

ComboFix 09-05-07.01 - Dan 05/07/2009 17:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2707 [GMT 1:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan\protect.dll
c:\documents and settings\Dan\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Dan\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
c:\windows\system32\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll
c:\windows\system32\ovfsthewcqptbtpgoeqyydqbovmwubkkavcmsi.dat
c:\windows\system32\ovfsthknbylkfqvoyewrfndetrdswhahvxrvef.dat
c:\windows\system32\ovfsthqwtqwttmernmxjptvrjxxvkbgingsnlr.dll
c:\windows\system32\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll
c:\windows\system32\vybeg.bak2
c:\windows\system32\vybeg.ini
c:\windows\system32\vybeg.ini2
c:\windows\Temp\1028409740.exe
c:\windows\Temp\1029503490.exe
c:\windows\Temp\2953286194.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthrmyvyqjxuwprqhrmlmkvxobhoomqtnsg
-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-06 18:10 . 2009-05-06 18:25 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 16:50 . 2009-05-06 16:50 -------- d-----w C:\rsit
2009-05-04 09:35 . 2009-05-04 09:35 -------- d-sh--w c:\documents and settings\Dan\IECompatCache
2009-05-01 17:55 . 2009-05-01 17:55 -------- d-----w c:\program files\Trend Micro
2009-05-01 17:51 . 2009-05-06 16:56 -------- d-----w C:\!KillBox
2009-05-01 17:27 . 2009-05-01 17:27 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-01 16:11 . 2009-05-01 16:11 253688 ----a-w c:\windows\system32\cssdll32.dll
2009-05-01 16:11 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 16:10 . 2009-05-06 16:54 -------- d-----w c:\program files\COMODO
2009-05-01 15:28 . 2009-05-01 15:28 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-01 15:17 . 2009-05-01 16:03 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-01 15:17 . 2009-05-01 16:03 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-01 15:17 . 2009-05-01 15:17 -------- d-----w c:\documents and settings\Dan\Application Data\Malwarebytes
2009-05-01 15:17 . 2009-05-01 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 15:06 . 2009-05-01 15:39 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-01 15:06 . 2009-05-01 15:39 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-01 15:06 . 2009-05-01 15:06 -------- d-----w c:\documents and settings\Dan\Local Settings\Application Data\Downloaded Installations
2009-05-01 10:17 . 2009-05-01 10:17 -------- d-sh--w c:\documents and settings\Dan\PrivacIE
2009-04-30 22:18 . 2009-04-30 22:18 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-30 22:17 . 2009-04-30 22:17 -------- d-sh--w c:\documents and settings\Dan\IETldCache
2009-04-30 22:13 . 2009-04-30 22:14 -------- dc-h--w c:\windows\ie8
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\windows\system32\XPSViewer
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\program files\MSBuild
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\program files\Reference Assemblies
2009-04-30 21:09 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-30 21:09 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-30 21:09 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-30 21:09 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-30 21:09 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-30 21:09 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-30 21:09 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-30 21:09 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-30 21:09 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-30 21:09 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-30 21:07 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-30 21:07 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-30 18:34 . 2009-04-30 18:34 -------- d-----w c:\program files\AVG
2009-04-29 20:36 . 2009-04-29 20:36 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-29 20:35 . 2009-04-29 20:35 -------- d-----w c:\program files\Common Files\iS3
2009-04-29 20:35 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-21 15:15 . 2009-04-21 15:15 -------- d-----w c:\documents and settings\Dan\Application Data\YoudaGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 10:56 . 2006-09-20 18:47 -------- d-----w c:\program files\Java
2009-05-01 16:03 . 2009-05-01 15:17 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-01 16:03 . 2009-05-01 15:17 1388 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-01 10:19 . 2008-11-14 16:02 -------- d-----w c:\program files\AOL 9.0 VR
2009-05-01 10:19 . 2008-11-14 16:02 -------- d-----w c:\program files\Common Files\aolshare
2009-04-30 22:18 . 2006-09-22 17:56 114152 ----a-w c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:44 . 2006-09-20 19:00 -------- d-----w c:\program files\Google
2009-04-30 15:42 . 2009-01-28 16:53 -------- d-----w c:\program files\Microsoft Games
2009-04-30 15:35 . 2006-10-11 19:36 -------- d-----w c:\program files\CCleaner
2009-04-09 19:30 . 2009-03-03 15:12 -------- d-----w c:\program files\Steam
2009-03-09 04:19 . 2008-12-12 20:25 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 03:34 . 2004-08-10 11:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-10 11:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-10 11:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-10 11:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-10 11:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-10 11:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-10 11:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-10 11:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-10 11:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-10 11:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 11:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-10 11:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 11:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 11:51 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.dll]
path=c:\documents and settings\Dan\Start Menu\Programs\Startup\ChkDisk.dll
backup=c:\windows\pss\ChkDisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.lnk]
path=c:\documents and settings\Dan\Start Menu\Programs\Startup\ChkDisk.lnk
backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1172178880\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2009\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 IndieVolume;IndieVolume Service;\??\c:\program files\IndieVolume\IndieVolume.sys --> c:\program files\IndieVolume\IndieVolume.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\gfeg3.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\2953286194.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - hxxp://85.255.114.166/1/rdgUS2404.exe
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\y899zgf2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1227612637-2555342258-2110339320-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B66555A-2585-06D5-A108-8ABFB5872068}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"lamdbkkmdklnianhaljflfeb"=hex:63,62,63,69,67,61,66,6c,6a,6a,64,6e,6d,6f,64,66,
68,65,65,65,70,6d,6d,62,6b,6c,64,62,6d,6c,67,70,69,6e,69,66,64,6f,00,00
"lageihneoipljipfmgpihcfc"=hex:63,62,63,69,67,61,66,6c,67,6a,6f,63,6c,63,70,64,
6a,66,6b,6a,62,61,67,6d,67,66,61,6a,68,6c,63,6b,6f,6e,65,61,70,6e,00,00

[HKEY_USERS\S-1-5-21-1227612637-2555342258-2110339320-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3DAE65C6-95A9-59DD-68D1-6E271F59F0DD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1176)
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\1172178880\ee\aolsoftware.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-07 17:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 16:39

Pre-Run: 31,714,906,112 bytes free
Post-Run: 31,627,694,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

240 --- E O F --- 2009-05-04 16:29
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm
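Triage of a ComboFix "Files Created" section, as an added Python example (not the thread's or ComboFix's own code): it parses the created and modified timestamps, size, attribute flags and path of each line, using a constructed six-line sample copied from the report above, and lists executables under the system folder whose content was written at or after creation, i.e. dropped in place rather than copied in from an installer package. The `fresh_executables` heuristic, its skipping of the Windows Update `dllcache` copies and the `.exe/.dll/.sys` extension list are assumptions of this example, not a ComboFix rule; a hit is a candidate for a vendor check or a multi-engine scan, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence

# Constructed sample: six lines in the layout of ComboFix's "Files Created"
# section, with values taken from the report above.
SAMPLE_FILES_CREATED = r"""
2009-05-06 18:10 . 2009-05-06 18:25 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 16:50 . 2009-05-06 16:50 -------- d-----w C:\rsit
2009-05-01 16:11 . 2009-05-01 16:11 253688 ----a-w c:\windows\system32\cssdll32.dll
2009-05-01 15:17 . 2009-05-01 16:03 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-30 21:09 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-30 22:13 . 2009-04-30 22:14 -------- dc-h--w c:\windows\ie8
"""

# One line: <created> . <modified> <size or dashes> <7-char attrs> <path>
# The path comes last and may contain spaces, so it takes the rest of the line.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{7}) (?P<path>.+)$"
)


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories (ComboFix prints dashes)
    attrs: str            # e.g. "d-sh--w": d=directory, s=system, h=hidden, a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def is_system(self) -> bool:
        return "s" in self.attrs


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_files_created(text: str) -> List[FileEntry]:
    """Parse a ComboFix 'Files Created' section; lines that do not fit are skipped."""
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(FileEntry(_ts(m["created"]), _ts(m["modified"]), size, m["attrs"], m["path"]))
    return entries


def fresh_executables(
    entries: Sequence[FileEntry],
    roots: Sequence[str] = (r"c:\windows\system32",),
    exts: Sequence[str] = (".exe", ".dll", ".sys"),
) -> List[str]:
    """Assumed triage heuristic (this example's, not ComboFix's): executables under
    the given roots whose content was written at or after the file was created.
    A modified time earlier than the created time means the bytes predate the
    file, the signature of a copy from an installer package, so those are left
    out, as are the Windows Update copies kept in dllcache."""
    hits: List[str] = []
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.endswith(tuple(exts)):
            continue
        if not any(p.startswith(root.lower()) for root in roots):
            continue
        if "\\dllcache\\" in p:
            continue
        if e.modified < e.created:
            continue
        hits.append(e.path)
    return hits


if __name__ == "__main__":
    parsed = parse_files_created(SAMPLE_FILES_CREATED)
    for path in fresh_executables(parsed):
        print("review:", path)
```

On the sample this lists `lmn_setup.exe` and `cssdll32.dll`; the second was created in the same minute as the Comodo folders in the log, which is the kind of context a reviewer checks before deciding a hit is noise.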

Re: HijackThis Log Help - Google Redirect

Unread postby Bio-Hazard » May 7th, 2009, 5:30 pm

Hello!

We are making progress. Could you try your Google searches now and let me know how it goes?


I'd like you to check a file for viruses:
c:\windows\system32\lmn_setup.exe

  • Copy/paste the file into the white "Upload a file" box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open with details of what the scans found.
  • Copy and paste the results in your next reply.



Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Folder::
C:\!KillBox
C:\Program Files\BitTorrent
C:\Documents and Settings\Dan\Application Data\BitTorrent
C:\Program Files\DNA
C:\Program Files\LimeWire

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.dll]
[-HKLM\~\startupfolder\C:^Documents and Settings^Dan^Start Menu^Programs^Startup^ChkDisk.lnk]

DDS:
DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - hxxp://85.255.114.166/1/rdgUS2404.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop).


Image


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt.

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.

  • Click Exit on the Main menu to close the program.




Kaspersky Online Scan

Please go to the Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • ComboFix log (found at C:\Combofix.txt)
  • Jotti or Virustotal results
  • Kaspersky Log
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 7th, 2009, 5:40 pm

OK, here's the first step, the results from VirusTotal for lmn_setup.exe:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.07 Gen.Trojan!IK
AhnLab-V3 5.0.0.2 2009.05.07 Win-Trojan/Xema.variant
AntiVir 7.9.0.160 2009.05.07 -
Antiy-AVL 2.0.3.1 2009.05.07 -
Authentium 5.1.2.4 2009.05.07 -
Avast 4.8.1335.0 2009.05.06 -
AVG 8.5.0.327 2009.05.07 SHeur2.AEKE
BitDefender 7.2 2009.05.07 Gen:Trojan.Heur.1030CFE9E9
CAT-QuickHeal 10.00 2009.05.06 TrojanSpy.Agent.alfd
ClamAV 0.94.1 2009.05.07 -
Comodo 1154 2009.05.06 TrojWare.Win32.TrojanSpy.Agent.~ZL
DrWeb 5.0.0.12182 2009.05.07 Trojan.Alupko.31
eSafe 7.0.17.0 2009.05.07 Win32.GenericDropper
eTrust-Vet 31.6.6494 2009.05.07 Win32/Droplet.GM
F-Prot 4.4.4.56 2009.05.06 -
Fortinet 3.117.0.0 2009.05.07 W32/Dropper.EW!tr
GData 19 2009.05.07 Gen:Trojan.Heur.1030CFE9E9
Ikarus T3.1.1.49.0 2009.05.07 Gen.Trojan
K7AntiVirus 7.10.723 2009.05.05 -
Kaspersky 7.0.0.125 2009.05.07 Trojan-Dropper.Win32.Agent.aonj
McAfee 5607 2009.05.06 Generic Dropper.ew
McAfee+Artemis 5607 2009.05.06 Generic Dropper.ew
McAfee-GW-Edition 6.7.6 2009.05.07 -
Microsoft 1.4602 2009.05.07 TrojanDropper:Win32/Agent.DV
NOD32 4060 2009.05.07 -
Norman 6.01.05 2009.05.06 -
nProtect 2009.1.8.0 2009.05.07 -
Panda 10.0.0.14 2009.05.06 Suspicious file
PCTools 4.4.2.0 2009.05.07 -
Prevx 3.0 2009.05.07 Medium Risk Malware
Rising 21.28.32.00 2009.05.07 -
Sophos 4.41.0 2009.05.07 Mal/UnkPack-Fam
Sunbelt 3.2.1858.2 2009.05.07 -
Symantec 1.4.4.12 2009.05.07 Trojan Horse
TheHacker 6.3.4.1.320 2009.05.07 -
TrendMicro 8.950.0.1092 2009.05.07 -
VBA32 3.12.10.4 2009.05.05 suspected of Malware-Cryptor.Win32.General.3
ViRobot 2009.5.7.1723 2009.05.07 -
VirusBuster 4.6.5.0 2009.05.07 -
Additional information
Tamano archivo: 27648 bytes
MD5...: faf2951f7da13f13d8b24e8dd70200b7
SHA1..: 26c9e78d9ec95fec399401ad5622108e48c7f9fb
SHA256: fb32231b4dd3e691685bf158ebbb5c2ecab735075fbb93a5447f34e156e90624
SHA512: 4e3c9426abc6aa3d20af17028afdcb64acefe6e5ac697df2fdcc32bca97e03513253ec394e8bbe6159612880e6cca29ba8f9b3cfda7a4c20d0811eec42a298ce
ssdeep: 384:xQnwnYH+q9gPkjDLSE+5LLynZ2845CnN6ZSJMRJhvZ9cVAPTTD:xZ2+iggPX+5LH3R7

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x71e0
timedatestamp.....: 0x49ff1e41 (Mon May 04 16:56:33 2009)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x640a 0x6600 6.31 27feb59b4626fbd30590a835337ac9ac
.rsrc 0x8000 0xf0 0x200 1.26 d6f7d6bfd51d7450d8c25dabdd75b521

( 3 imports )
> KERNEL32.dll: WriteFile, CreateFileA, lstrcpyA, lstrcatA, GetProcAddress, CloseHandle, GetVersionExA, GetSystemInfo, GetModuleHandleA, GetLastError, LoadLibraryA, lstrlenA
> USER32.dll: SendMessageA, EndPaint, BeginPaint, SetFocus, TranslateMessage, SetWindowTextA
> ADVAPI32.dll: RegCreateKeyA

( 0 exports )
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm
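The VirusTotal results above were pasted as plain text, one engine per line followed by the file's digests. This added Python example (not the forum's or VirusTotal's own code) parses that layout from a constructed subset of the rows above, computes the detection ratio, checks that each digest has the length its algorithm requires, and reports which label tokens several engines agree on. The tokenizer, the four-character token cutoff and the two-engine threshold are choices of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: ten engine rows and the hash lines from the results
# above, in the same plain-text layout the poster pasted.
SAMPLE_VT = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.07 Gen.Trojan!IK
AntiVir 7.9.0.160 2009.05.07 -
AVG 8.5.0.327 2009.05.07 SHeur2.AEKE
Kaspersky 7.0.0.125 2009.05.07 Trojan-Dropper.Win32.Agent.aonj
McAfee+Artemis 5607 2009.05.06 Generic Dropper.ew
Microsoft 1.4602 2009.05.07 TrojanDropper:Win32/Agent.DV
NOD32 4060 2009.05.07 -
Panda 10.0.0.14 2009.05.06 Suspicious file
Symantec 1.4.4.12 2009.05.07 Trojan Horse
VBA32 3.12.10.4 2009.05.05 suspected of Malware-Cryptor.Win32.General.3
Additional information
Tamano archivo: 27648 bytes
MD5...: faf2951f7da13f13d8b24e8dd70200b7
SHA1..: 26c9e78d9ec95fec399401ad5622108e48c7f9fb
SHA256: fb32231b4dd3e691685bf158ebbb5c2ecab735075fbb93a5447f34e156e90624
"""

# <engine> <version> <yyyy.mm.dd> <result>; the result may contain spaces,
# and "-" means the engine reported the file clean.
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
# "MD5...: <hex>", "SHA1..: <hex>", "SHA256: <hex>" (dots pad the label)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}


@dataclass
class EngineRow:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip() != "-"


@dataclass
class VtReport:
    rows: List[EngineRow]
    hashes: Dict[str, str]

    @property
    def engines(self) -> int:
        return len(self.rows)

    @property
    def detections(self) -> int:
        return sum(1 for r in self.rows if r.detected)

    def ratio(self) -> str:
        return f"{self.detections}/{self.engines}"


def parse_virustotal(text: str) -> VtReport:
    """Parse pasted VirusTotal text; a digest of the wrong length for its
    algorithm (a truncated or mangled paste) raises ValueError."""
    rows: List[EngineRow] = []
    hashes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}")
            hashes[algo] = digest
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(EngineRow(*m.groups()))
    return VtReport(rows, hashes)


def consensus_terms(report: VtReport, min_engines: int = 2) -> List[Tuple[str, int]]:
    """Count how many detecting engines used each label token (tokens of four or
    more characters, case-folded) and return those named by at least
    min_engines engines, most common first, ties alphabetical."""
    counts: Counter = Counter()
    for row in report.rows:
        if not row.detected:
            continue
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", row.result) if len(t) >= 4}
        counts.update(tokens)
    return sorted(((t, n) for t, n in counts.items() if n >= min_engines),
                  key=lambda tn: (-tn[1], tn[0]))


if __name__ == "__main__":
    rep = parse_virustotal(SAMPLE_VT)
    print("detections:", rep.ratio(), "consensus:", consensus_terms(rep))
```

Vendor labels differ in naming scheme, so the token count is a rough signal: on this subset "trojan" and "win32" are shared by three engines and "agent" and "dropper" by two, which is what an analyst reads off the table by eye.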

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 7th, 2009, 5:53 pm

Here is the CFScript Log:

ComboFix 09-05-07.06 - Dan 05/07/2009 22:43.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2656 [GMT 1:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\!KillBox
c:\!killbox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll
c:\!killbox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll( 1)
c:\!killbox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll
c:\!killbox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 1)
c:\!killbox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 2)
c:\!killbox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys
c:\!killbox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys( 3)

.
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-06 18:10 . 2009-05-06 18:25 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 16:50 . 2009-05-06 16:50 -------- d-----w C:\rsit
2009-05-04 09:35 . 2009-05-04 09:35 -------- d-sh--w c:\documents and settings\Dan\IECompatCache
2009-05-01 17:55 . 2009-05-01 17:55 -------- d-----w c:\program files\Trend Micro
2009-05-01 17:27 . 2009-05-01 17:27 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-01 16:11 . 2009-05-01 16:11 253688 ----a-w c:\windows\system32\cssdll32.dll
2009-05-01 16:11 . 2009-05-06 16:44 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 16:10 . 2009-05-06 16:54 -------- d-----w c:\program files\COMODO
2009-05-01 15:28 . 2009-05-01 15:28 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-01 15:17 . 2009-05-01 16:03 32 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-01 15:17 . 2009-05-01 16:03 23328 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-01 15:17 . 2009-05-01 15:17 -------- d-----w c:\documents and settings\Dan\Application Data\Malwarebytes
2009-05-01 15:17 . 2009-05-01 15:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 15:06 . 2009-05-01 15:39 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-01 15:06 . 2009-05-01 15:39 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-01 15:06 . 2009-05-01 15:06 -------- d-----w c:\documents and settings\Dan\Local Settings\Application Data\Downloaded Installations
2009-05-01 10:17 . 2009-05-01 10:17 -------- d-sh--w c:\documents and settings\Dan\PrivacIE
2009-04-30 22:18 . 2009-04-30 22:18 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-30 22:17 . 2009-04-30 22:17 -------- d-sh--w c:\documents and settings\Dan\IETldCache
2009-04-30 22:13 . 2009-04-30 22:14 -------- dc-h--w c:\windows\ie8
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\windows\system32\XPSViewer
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\program files\MSBuild
2009-04-30 22:03 . 2009-04-30 22:03 -------- d-----w c:\program files\Reference Assemblies
2009-04-30 21:09 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-30 21:09 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-30 21:09 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-30 21:09 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-30 21:09 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-30 21:09 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-30 21:09 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-30 21:09 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-30 21:09 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-30 21:09 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-30 21:07 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-30 21:07 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-30 18:34 . 2009-04-30 18:34 -------- d-----w c:\program files\AVG
2009-04-29 20:36 . 2009-04-29 20:36 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-29 20:35 . 2009-04-29 20:35 -------- d-----w c:\program files\Common Files\iS3
2009-04-29 20:35 . 2009-04-30 15:25 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-21 15:15 . 2009-04-21 15:15 -------- d-----w c:\documents and settings\Dan\Application Data\YoudaGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 10:56 . 2006-09-20 18:47 -------- d-----w c:\program files\Java
2009-05-01 16:03 . 2009-05-01 15:17 32 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-01 16:03 . 2009-05-01 15:17 1388 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-01 10:19 . 2008-11-14 16:02 -------- d-----w c:\program files\AOL 9.0 VR
2009-05-01 10:19 . 2008-11-14 16:02 -------- d-----w c:\program files\Common Files\aolshare
2009-04-30 22:18 . 2006-09-22 17:56 114152 ----a-w c:\documents and settings\Dan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-30 15:44 . 2006-09-20 19:00 -------- d-----w c:\program files\Google
2009-04-30 15:42 . 2009-01-28 16:53 -------- d-----w c:\program files\Microsoft Games
2009-04-30 15:35 . 2006-10-11 19:36 -------- d-----w c:\program files\CCleaner
2009-04-09 19:30 . 2009-03-03 15:12 -------- d-----w c:\program files\Steam
2009-03-09 04:19 . 2008-12-12 20:25 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 03:34 . 2004-08-10 11:51 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2004-08-10 11:51 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2004-08-10 11:50 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2004-08-10 11:51 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2004-08-10 11:50 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2004-08-10 11:51 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2004-08-10 11:51 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2004-08-10 11:51 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2004-08-10 11:51 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2004-08-10 11:51 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-10 11:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-10 11:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 11:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-10 11:51 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dell Network Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dell Network Assistant.lnk
backup=c:\windows\pss\Dell Network Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1172178880\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\football manager 2009\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

S3 IndieVolume;IndieVolume Service;\??\c:\program files\IndieVolume\IndieVolume.sys --> c:\program files\IndieVolume\IndieVolume.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
TCP: {7BDE5B84-A84A-44A0-9087-CD85E24FF419} = 92.31.241.20 92.31.241.21
DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\y899zgf2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1227612637-2555342258-2110339320-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B66555A-2585-06D5-A108-8ABFB5872068}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"lamdbkkmdklnianhaljflfeb"=hex:63,62,63,69,67,61,66,6c,6a,6a,64,6e,6d,6f,64,66,
68,65,65,65,70,6d,6d,62,6b,6c,64,62,6d,6c,67,70,69,6e,69,66,64,6f,00,00
"lageihneoipljipfmgpihcfc"=hex:63,62,63,69,67,61,66,6c,67,6a,6f,63,6c,63,70,64,
6a,66,6b,6a,62,61,67,6d,67,66,61,6a,68,6c,63,6b,6f,6e,65,61,70,6e,00,00

[HKEY_USERS\S-1-5-21-1227612637-2555342258-2110339320-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3DAE65C6-95A9-59DD-68D1-6E271F59F0DD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-05-07 22:46
ComboFix-quarantined-files.txt 2009-05-07 21:46

Pre-Run: 31,596,216,320 bytes free
Post-Run: 31,585,619,968 bytes free

188 --- E O F --- 2009-05-04 16:29
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm

Re: HijackThis Log Help - Google Redirect

Unread postby dmc5jc » May 7th, 2009, 8:06 pm

Kaspersky Scan Results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 07, 2009 22:07:56
Records in database: 2142072
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 124805
Threat name: 7
Infected objects: 39
Suspicious objects: 0
Duration of the scan: 01:52:27


File name / Threat name / Threats count
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll1 Infected: Trojan.Win32.Tdss.aalg 1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll2 Infected: Trojan.Win32.Tdss.aalg 1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll Infected: Trojan.Win32.Tdss.aald 1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll1 Infected: Trojan.Win32.Tdss.aald 1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll2 Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll( 1).vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 1).vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll( 2).vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys( 3).vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\!KillBox\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\Documents and Settings\Dan\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthyomuamieewirklyxyllqtilqjlkbqbpp.sys.vir Infected: Trojan.Win32.Tdss.aalf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthcottbdxxqqvmiecepksjlbutblpyppqh.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthqwtqwttmernmxjptvrjxxvkbgingsnlr.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthwhkmrrhnmvtuxkxbaoeeuxtynapnpldf.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1028409740.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\1029503490.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\Qoobox\Quarantine\C\WINDOWS\Temp\2953286194.exe.vir Infected: Trojan-Downloader.Win32.Agent.bvpv 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081151.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081152.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081153.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081154.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081174.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081175.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081177.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081178.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP518\A0081180.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP519\A0081355.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP519\A0081356.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP519\A0081357.sys Infected: Trojan.Win32.Tdss.aalf 1
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll Infected: Trojan-Spy.Win32.Agent.aoox 1
C:\WINDOWS\system32\lmn_setup.exe Infected: Trojan-Dropper.Win32.Agent.aonj 1

The selected area was scanned.
dmc5jc
Regular Member
 
Posts: 22
Joined: May 4th, 2009, 2:05 pm