32 replies to this topic

[thelostone]

I was infected with these two viruses. I seem to have managed to remove the infected files, but I can't remove 93 registry entries. They keep showing up everytime I run MBAM. Please help.

Here are the logs:


Malwarebytes' Anti-Malware 1.36
Database version: 2156
Windows 5.1.2600 Service Pack 3

20.05.2009 21:19:52
mbam-log-2009-05-20 (21-19-52).txt

Scan type: Quick Scan
Objects scanned: 76987
Time elapsed: 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




----------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26:37, on 20.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\CACHEM~1\CachemanXP.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Plextor\PlexTool.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
D:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - D:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinVNC] "d:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Pando] "D:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\apitrap.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI Smart ATIDcomLaunch (ATIDcomLaunch) - Unknown owner - C:\WINDOWS\system32\AddCatx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - D:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10724 bytes

[AdvancedSetup]

STEP 01
[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

[/indent]

STEP 02

Please create a BOOTLOG

• Delete the following file if it exists. C:\Windows\ntbtlog.txt
  
• Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  
• Select "Enable Boot Logging" option and press enter.
  
• Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  
• This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
   
  If you're already running inside Windows you can enable it the following way.
   
  
• Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  
• Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  
• After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  
• From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  
• NOTE: If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
  
• NOTE: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
  
• The tab is called BOOT on Vista. Then choose Boot log

[thelostone]

I lost my net connection and had to reboot. Here are the ComboFix and hijack logs. I'll reboot and then post the bootlog.



ComboFix 09-05-20.01 - The Seeker 20.05.2009 22:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3050 [GMT 2:00]
Running from: c:\documents and settings\The Seeker\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804FD0EC-FFA4-0112-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00F2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0114-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 19:15 . 2009-05-20 19:15 -------- d-----w c:\program files\Trend Micro
2009-05-20 18:19 . 2009-05-20 18:52 -------- d-----w c:\documents and settings\The Seeker\.housecall6.6
2009-05-20 17:29 . 2009-05-20 17:29 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-20 17:28 . 2009-05-20 17:28 -------- d-----w c:\windows\ERUNT
2009-05-20 17:24 . 2009-05-20 17:36 -------- d-----w C:\SDFix
2009-05-20 03:01 . 2009-05-20 03:01 -------- d-----w c:\documents and settings\The Seeker\Application Data\Safer Networking
2009-05-20 00:12 . 2009-05-20 00:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 00:12 . 2009-05-20 00:12 -------- d-----w c:\program files\Java
2009-05-19 20:23 . 2009-05-19 20:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-19 20:21 . 2009-05-19 20:21 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 20:21 . 2009-05-19 20:21 -------- d-----w c:\program files\Lavasoft
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\The Seeker\Application Data\SUPERAntiSpyware.com
2009-05-19 15:07 . 2009-05-19 15:07 -------- d-sh--w c:\documents and settings\The Seeker\IECompatCache
2009-05-19 13:16 . 2009-05-19 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-19 13:16 . 2009-05-19 13:16 168208 ----a-w c:\windows\system32\guard32.dll
2009-05-19 13:16 . 2009-05-19 13:16 24096 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-19 13:16 . 2009-05-19 13:16 132640 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-19 11:26 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 11:26 . 2009-05-19 11:26 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\The Seeker\Application Data\Malwarebytes
2009-05-19 08:59 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 08:59 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 08:37 . 2009-05-19 08:37 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-16 13:51 . 2009-05-16 13:51 -------- d-sh--w c:\documents and settings\The Seeker\IETldCache
2009-05-16 13:46 . 2009-05-16 13:46 -------- d-----w c:\windows\ie8updates
2009-05-16 13:46 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-16 13:44 . 2009-05-16 13:45 -------- dc-h--w c:\windows\ie8
2009-05-16 01:39 . 2009-05-16 01:39 32 --s-a-w c:\windows\system32\1958099454.dat
2009-05-16 01:39 . 2009-05-16 01:39 50176 --sh--r c:\windows\system32\AddCatx.exe
2009-04-21 17:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 17:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 17:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 17:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 17:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 17:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 17:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 17:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 17:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 17:21 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 17:21 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 22:39 . 2003-04-14 15:14 15080 -c--a-w c:\documents and settings\The Seeker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 19:59 . 2008-01-08 22:15 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-08 02:34 . 2004-02-06 16:05 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2002-08-29 02:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2001-08-23 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2002-08-29 02:41 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2001-08-23 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2002-08-29 02:40 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2002-08-29 02:40 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2002-08-29 02:39 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2001-08-23 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-08-29 02:41 284160 ----a-w c:\windows\system32\pdh.dll
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{15C4476A-EA72-4E55-9C5B-1C8249466FF5}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{6D9FE517-31AD-41CC-B95E-7E733B25B9C8}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{818B1A1A-8EE2-4705-AC24-1F49A6DC3696}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{84376A82-733B-4CCD-9FF9-C28BFC571BEF}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\{8E4DB03C-5F0C-437A-AF87-464B67337438}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{DFC2EB9A-FB63-43D6-BABA-01F934AF9B6F}.dat
2009-01-16 01:05 . 2004-10-06 20:53 848 -csha-w c:\windows\system32\KGyGaAvL.sys
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{2456E9AF-34DF-4927-9EA0-60700762F576}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{506DCD5D-F167-43F5-B6FF-396974F28A4B}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{5C41B90D-26A6-4B0A-B93E-5D9992A0F14E}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{78324277-BFF3-42E5-8BB6-4DBDF03D6572}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\system32\{E77C78DB-5D03-463D-8FA0-F4F6534554DE}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{EB878823-72A4-4881-8455-869B8E4D06F0}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2007-10-23 21:55 266240 ----a-w c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"Pando"="d:\program files\Pando Networks\Pando\Pando.exe" [2008-11-20 3647304]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2004-06-26 77824]
"CTSysVol"="d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="d:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-17 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"WinVNC"="d:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-19 516440]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-05-19 1794320]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-01 77824]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-12-08 25600]

c:\documents and settings\The Seeker\Start Menu\Programs\Startup\
SpywareGuard.lnk - d:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-4 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-26 805392]
PlexTools Professional.lnk - d:\program files\Plextor\PlexTool.exe [2006-1-27 6623232]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2004-9-6 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\apitrap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\TaskSwitch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19.05.2009 22:23 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19.05.2009 15:16 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19.05.2009 15:16 24096]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [09.02.2007 19:19 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [09.02.2007 19:19 4608]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [14.05.2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14.05.2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [19.05.2009 13:26 108289]
R2 CachemanXPService;CachemanXP;d:\progra~1\CACHEM~1\CachemanXP.exe [13.04.2005 21:56 201728]
R2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys [18.07.2002 17:11 56796]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [08.12.2005 13:20 16168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [20.12.2001 13:09 175488]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [20.12.2001 13:09 18688]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [11.07.2008 22:59 6016]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [06.05.2006 03:15 97792]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [14.05.2009 14:22 7408]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [27.08.2004 16:18 97920]
S0 trm390w;trm390w;c:\windows\system32\drivers\trm390w.sys [28.05.2002 11:24 24084]
S1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\Drivers\fwdrv.sys --> c:\windows\system32\Drivers\fwdrv.sys [?]
S2 ATIDcomLaunch;ATI Smart ATIDcomLaunch;c:\windows\system32\AddCatx.exe srv --> c:\windows\system32\AddCatx.exe srv [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09.03.2009 21:06 953168]
S3 jswmidin;jswmidin;\??\c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys [?]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [14.04.2003 17:05 13792]
S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [13.07.2005 01:53 40448]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = localhost
FF - ProfilePath - c:\documents and settings\The Seeker\Application Data\Mozilla\Firefox\Profiles\7h2x80vv.default\
FF - prefs.js: browser.startup.homepage - hxxp://rckflr.blogspot.com/?zx=5cc4a6187d16ec0a
FF - plugin: d:\program files\Opera7\program\plugins\np32dsw.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdrmv2.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera7\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera7\program\plugins\npupd62.dll
FF - plugin: d:\program files\Opera7\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 22:38
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:58,51,31,6a,e0,a3,b8,37,77,b1,c9,62,9b,84,28,26,cc,7e,2d,b8,47,26,04,
c0,a4,c7,91,45,76,94,15,9f,10,b9,0f,8e,fa,31,9c,1c,ab,b2,8d,c1,1f,63,74,b3,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e6,77,ff,a0,0e,
91,cd,4c,e2,63,26,f1,3f,c8,ff,68,58,36,62,71,ed,d7,b3,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,7a,c0,7c,00,96,
8a,c0,63,6a,9c,d6,61,af,45,84,18,92,6a,10,a7,ea,d2,aa,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,52,b2,69,2d,f3,
91,0d,d5,ff,7c,85,e0,43,d4,0e,fe,3e,96,5a,16,85,27,1f,c6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,46,78,cf,ba,ec,
12,f8,26,86,8c,21,01,be,91,eb,e7,ce,f0,ec,6b,61,70,26,2a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,8d,fa,fa,da,38,
62,96,0a,f5,1d,4d,73,a8,13,5c,05,79,56,2f,4a,72,00,78,41,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,22,25,6f,f0,41,
c4,87,32,df,20,58,62,78,6b,cf,c8,b4,ee,bb,9e,49,76,06,d6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,af,22,06,58,d6,
8f,fd,49,fb,a7,78,e6,12,2f,9a,ea,b2,65,5f,75,db,a9,69,01,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,24,5c,92,25,e9,
40,ed,10,01,3a,48,fc,e8,04,4a,f1,94,2f,1d,ef,84,2f,1b,65,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,17,69,12,38,f4,
64,e5,50,f6,0f,4e,58,98,5b,89,c9,3d,a5,ba,88,6b,d6,2d,14,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,22,53,67,b8,62,
af,bf,b4,3d,ce,ea,26,2d,45,aa,78,bb,4a,1a,12,11,3d,a5,21,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,84,ab,db,97,45,
c5,cc,ea,2a,b7,cc,b5,b9,7f,41,e7,eb,5a,a2,80,2a,7f,ae,49,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,37,82,54,65,46,
d9,91,79,6c,43,2d,1e,aa,22,2f,9c,ac,9c,70,62,91,b5,50,58,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\apitrap.dll
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\apitrap.dll
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(13568)
c:\windows\system32\guard32.dll
d:\program files\Logitech\SetPoint\IMHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-20 22:40
ComboFix-quarantined-files.txt 2009-05-20 20:40
ComboFix2.txt 2009-05-20 13:07

Pre-Run: 4 276 928 512 bytes free
Post-Run: 4 242 530 304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
338 --- E O F --- 2009-04-21 17:26


----------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:15, on 20.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\PROGRA~1\CACHEM~1\CachemanXP.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\taskswitch.exe
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - D:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinVNC] "d:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Pando] "D:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\apitrap.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI Smart ATIDcomLaunch (ATIDcomLaunch) - Nwjoduo Cahgopuvjoq - C:\WINDOWS\system32\AddCatx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - D:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10008 bytes

[thelostone]

Here's the bootlog:



Service Pack 3 5 20 2009 23:09:15.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver sptd.sys
Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS
Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver symc8xx.sys
Loaded driver trm390w.sys
Loaded driver si3112r.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver PxHelp20.sys
Loaded driver SiWinAcc.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver inspect.sys
Loaded driver \WINDOWS\System32\DRIVERS\NDIS.SYS
Loaded driver \WINDOWS\System32\DRIVERS\TDI.SYS
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver nv_agp.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\System32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
Loaded driver \SystemRoot\System32\Drivers\a930zua2.SYS
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\btkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\vncdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\dne2000.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\drivers\btaudio.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\drivers\hap16v2k.sys
Loaded driver \SystemRoot\System32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\System32\drivers\emupia2k.sys
Loaded driver \SystemRoot\System32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\System32\drivers\ctac32k.sys
Loaded driver \SystemRoot\system32\COMMONFX.DLL
Loaded driver \SystemRoot\system32\CTAUDFX.DLL
Loaded driver \SystemRoot\system32\CTSBLFX.DLL
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\DRIVERS\DcCam.sys
Did not load driver \SystemRoot\System32\DRIVERS\exportit.sys
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Did not load driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\DRIVERS\ext2fs.sys
Did not load driver \SystemRoot\system32\Drivers\fwdrv.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\cmdhlp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\IfsDrives.sys
Did not load driver \SystemRoot\System32\DRIVERS\serial.sys
Did not load driver \SystemRoot\System32\DRIVERS\amdk7.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\Drivers\PQNTDrv.SYS
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \??\D:\Program Files\Avira\AntiVir Desktop\avgio.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\system32\DRIVERS\cxbu0wdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sys
Loaded driver \SystemRoot\system32\DRIVERS\LHidFilt.Sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFilt.Sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\avgntflt.sys
Loaded driver \SystemRoot\System32\drivers\Tmpreflt.sys
Loaded driver \SystemRoot\System32\drivers\Vsapint.sys
Loaded driver \SystemRoot\System32\drivers\TmXPFlt.sys
Loaded driver \SystemRoot\system32\drivers\dcfs2k.sys
Loaded driver \SystemRoot\System32\Drivers\btwusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\btport.sys
Loaded driver \SystemRoot\system32\DRIVERS\btwhid.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Did not load driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\Drivers\Aspi32.SYS
Loaded driver \??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
Loaded driver \SystemRoot\System32\Drivers\PCC_PFW.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\PfModNT.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\System32\Drivers\vnccom.SYS
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

[AdvancedSetup]

Do not reboot your computer for now.


Create a NEW folder on your Desktop named: BadFiles


Please download the following scanning tool. GMER
[indent]

• Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  
• Double click on random named exe file and run it.
  
• It may take a minute to load and become available.
  
• You should see a tab on top with 3 >  >  > arrows. Click on that.
  
• Then click on the Files tab.
  
• Browse to the c:\docume~1\THESEE~1\LOCALS~1\Temp\ folder and locate the following file jswmidin.sys
  
• Then if it's there highlight it and click on the COPY button. A Save As dialog box will open.
  
• Browse to your desktop and copy the file to the new BadFiles folder you created earlier by typing in the same name but give it an extension of .bad

• Zip up all the files in the BadFiles folder and save it as Infection.zip and attach it to your reply post.
  
• DO NOT attempt to attach or upload any file directly. You MUST attach it as a .ZIP file.
  
• Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
[/indent]

[thelostone]

jswmidin.sys is not there.

[AdvancedSetup]

No I see that because it appears to rename on the fly after a reboot.

Let's try this again now that your BOOTLOG has been setup.

Delete the bootlog file: C:\Windows\ntbtlog.txt

Then rename Combofix.exe to WIZEE.EXE and run it again. It should reboot the box as part of the scan, clean process. If it does not then let me know.

Then when it starts back up again it will produce a NEW bootlog file and a new combofix log. Post back both of them and I'll take another look.

Do not reboot the box again until I've looked at the logs.

[thelostone]

Combofix did not reboot the box. The bootlog is 178 lines.

Here are the logs:



ComboFix 09-05-20.01 - The Seeker 21.05.2009 0:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3022 [GMT 2:00]
Running from: c:\documents and settings\The Seeker\Desktop\WIZEE.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804FD0EC-FFA4-0112-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00F2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0114-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 20:35 . 2009-05-20 20:41 -------- d-s---w C:\ComboFix
2009-05-20 19:15 . 2009-05-20 19:15 -------- d-----w c:\program files\Trend Micro
2009-05-20 18:19 . 2009-05-20 18:52 -------- d-----w c:\documents and settings\The Seeker\.housecall6.6
2009-05-20 17:29 . 2009-05-20 17:29 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-20 17:28 . 2009-05-20 17:28 -------- d-----w c:\windows\ERUNT
2009-05-20 17:24 . 2009-05-20 17:36 -------- d-----w C:\SDFix
2009-05-20 03:01 . 2009-05-20 03:01 -------- d-----w c:\documents and settings\The Seeker\Application Data\Safer Networking
2009-05-20 00:12 . 2009-05-20 00:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 00:12 . 2009-05-20 00:12 -------- d-----w c:\program files\Java
2009-05-19 20:23 . 2009-05-19 20:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-19 20:21 . 2009-05-19 20:21 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 20:21 . 2009-05-19 20:21 -------- d-----w c:\program files\Lavasoft
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\The Seeker\Application Data\SUPERAntiSpyware.com
2009-05-19 15:07 . 2009-05-19 15:07 -------- d-sh--w c:\documents and settings\The Seeker\IECompatCache
2009-05-19 13:16 . 2009-05-19 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-19 13:16 . 2009-05-19 13:16 168208 ----a-w c:\windows\system32\guard32.dll
2009-05-19 13:16 . 2009-05-19 13:16 24096 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-19 13:16 . 2009-05-19 13:16 132640 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-19 11:26 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 11:26 . 2009-05-19 11:26 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\The Seeker\Application Data\Malwarebytes
2009-05-19 08:59 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 08:59 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 08:37 . 2009-05-19 08:37 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-16 13:51 . 2009-05-16 13:51 -------- d-sh--w c:\documents and settings\The Seeker\IETldCache
2009-05-16 13:46 . 2009-05-16 13:46 -------- d-----w c:\windows\ie8updates
2009-05-16 13:46 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-16 13:44 . 2009-05-16 13:45 -------- dc-h--w c:\windows\ie8
2009-05-16 01:39 . 2009-05-16 01:39 32 --s-a-w c:\windows\system32\1958099454.dat
2009-05-16 01:39 . 2009-05-16 01:39 50176 --sh--r c:\windows\system32\AddCatx.exe
2009-04-21 17:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 17:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 17:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 17:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 17:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 17:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 17:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 17:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 17:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 17:21 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 17:21 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 22:39 . 2003-04-14 15:14 15080 -c--a-w c:\documents and settings\The Seeker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 19:59 . 2008-01-08 22:15 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-08 02:34 . 2004-02-06 16:05 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2002-08-29 02:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2001-08-23 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2002-08-29 02:41 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2001-08-23 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2002-08-29 02:40 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2002-08-29 02:40 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2002-08-29 02:39 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2001-08-23 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-08-29 02:41 284160 ----a-w c:\windows\system32\pdh.dll
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{15C4476A-EA72-4E55-9C5B-1C8249466FF5}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{6D9FE517-31AD-41CC-B95E-7E733B25B9C8}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{818B1A1A-8EE2-4705-AC24-1F49A6DC3696}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{84376A82-733B-4CCD-9FF9-C28BFC571BEF}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\{8E4DB03C-5F0C-437A-AF87-464B67337438}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{DFC2EB9A-FB63-43D6-BABA-01F934AF9B6F}.dat
2009-01-16 01:05 . 2004-10-06 20:53 848 -csha-w c:\windows\system32\KGyGaAvL.sys
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{2456E9AF-34DF-4927-9EA0-60700762F576}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{506DCD5D-F167-43F5-B6FF-396974F28A4B}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{5C41B90D-26A6-4B0A-B93E-5D9992A0F14E}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{78324277-BFF3-42E5-8BB6-4DBDF03D6572}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\system32\{E77C78DB-5D03-463D-8FA0-F4F6534554DE}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{EB878823-72A4-4881-8455-869B8E4D06F0}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_20.38.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 22:00 . 2009-05-20 22:00 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2009-05-20 21:10 . 2009-05-20 21:10 16384 c:\windows\temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2007-10-23 21:55 266240 ----a-w c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"Pando"="d:\program files\Pando Networks\Pando\Pando.exe" [2008-11-20 3647304]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2004-06-26 77824]
"CTSysVol"="d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="d:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-17 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"WinVNC"="d:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-19 516440]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-05-19 1794320]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-01 77824]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2002-11-13 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-12-08 25600]

c:\documents and settings\The Seeker\Start Menu\Programs\Startup\
SpywareGuard.lnk - d:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-4 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-26 805392]
PlexTools Professional.lnk - d:\program files\Plextor\PlexTool.exe [2006-1-27 6623232]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2004-9-6 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\apitrap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\TaskSwitch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19.05.2009 22:23 64160]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [27.08.2004 16:18 97920]
R0 trm390w;trm390w;c:\windows\system32\drivers\trm390w.sys [28.05.2002 11:24 24084]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19.05.2009 15:16 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19.05.2009 15:16 24096]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [09.02.2007 19:19 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [09.02.2007 19:19 4608]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [14.05.2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14.05.2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [19.05.2009 13:26 108289]
R2 CachemanXPService;CachemanXP;d:\progra~1\CACHEM~1\CachemanXP.exe [13.04.2005 21:56 201728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09.03.2009 21:06 953168]
R2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys [18.07.2002 17:11 56796]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [08.12.2005 13:20 16168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [20.12.2001 13:09 175488]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [20.12.2001 13:09 18688]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [11.07.2008 22:59 6016]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [06.05.2006 03:15 97792]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [14.05.2009 14:22 7408]
S1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\Drivers\fwdrv.sys --> c:\windows\system32\Drivers\fwdrv.sys [?]
S2 ATIDcomLaunch;ATI Smart ATIDcomLaunch;c:\windows\system32\AddCatx.exe srv --> c:\windows\system32\AddCatx.exe srv [?]
S3 jswmidin;jswmidin;\??\c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys --> c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys [?]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [14.04.2003 17:05 13792]
S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [13.07.2005 01:53 40448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:23]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = localhost
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\The Seeker\Application Data\Mozilla\Firefox\Profiles\7h2x80vv.default\
FF - prefs.js: browser.startup.homepage - hxxp://rckflr.blogspot.com/?zx=5cc4a6187d16ec0a
FF - plugin: d:\program files\Opera7\program\plugins\np32dsw.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdrmv2.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera7\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera7\program\plugins\npupd62.dll
FF - plugin: d:\program files\Opera7\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 00:51
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:58,51,31,6a,e0,a3,b8,37,77,b1,c9,62,9b,84,28,26,cc,7e,2d,b8,47,26,04,
c0,a4,c7,91,45,76,94,15,9f,10,b9,0f,8e,fa,31,9c,1c,ab,b2,8d,c1,1f,63,74,b3,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e6,77,ff,a0,0e,
91,cd,4c,e2,63,26,f1,3f,c8,ff,68,58,36,62,71,ed,d7,b3,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,7a,c0,7c,00,96,
8a,c0,63,6a,9c,d6,61,af,45,84,18,92,6a,10,a7,ea,d2,aa,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,52,b2,69,2d,f3,
91,0d,d5,ff,7c,85,e0,43,d4,0e,fe,3e,96,5a,16,85,27,1f,c6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,46,78,cf,ba,ec,
12,f8,26,86,8c,21,01,be,91,eb,e7,ce,f0,ec,6b,61,70,26,2a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,8d,fa,fa,da,38,
62,96,0a,f5,1d,4d,73,a8,13,5c,05,79,56,2f,4a,72,00,78,41,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,22,25,6f,f0,41,
c4,87,32,df,20,58,62,78,6b,cf,c8,b4,ee,bb,9e,49,76,06,d6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,af,22,06,58,d6,
8f,fd,49,fb,a7,78,e6,12,2f,9a,ea,b2,65,5f,75,db,a9,69,01,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,24,5c,92,25,e9,
40,ed,10,01,3a,48,fc,e8,04,4a,f1,94,2f,1d,ef,84,2f,1b,65,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,17,69,12,38,f4,
64,e5,50,f6,0f,4e,58,98,5b,89,c9,3d,a5,ba,88,6b,d6,2d,14,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,22,53,67,b8,62,
af,bf,b4,3d,ce,ea,26,2d,45,aa,78,bb,4a,1a,12,11,3d,a5,21,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,84,ab,db,97,45,
c5,cc,ea,2a,b7,cc,b5,b9,7f,41,e7,eb,5a,a2,80,2a,7f,ae,49,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,37,82,54,65,46,
d9,91,79,6c,43,2d,1e,aa,22,2f,9c,ac,9c,70,62,91,b5,50,58,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\apitrap.dll
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\apitrap.dll
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(13504)
c:\windows\system32\guard32.dll
d:\program files\Logitech\SetPoint\IMHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-20 0:53
ComboFix-quarantined-files.txt 2009-05-20 22:53
ComboFix2.txt 2009-05-20 20:40
ComboFix3.txt 2009-05-20 13:07

Pre-Run: 4 317 458 432 bytes free
Post-Run: 4 279 836 672 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
356 --- E O F --- 2009-04-21 17:26


------------- Bootlog



Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \??\C:\DOCUME~1\THESEE~1\LOCALS~1\Temp\catchme.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Service Pack 3 5 21 2009 00:57:54.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver sptd.sys
Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS
Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver symc8xx.sys
Loaded driver trm390w.sys
Loaded driver si3112r.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver PxHelp20.sys
Loaded driver SiWinAcc.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver inspect.sys
Loaded driver \WINDOWS\System32\DRIVERS\NDIS.SYS
Loaded driver \WINDOWS\System32\DRIVERS\TDI.SYS
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver nv_agp.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\System32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
Loaded driver \SystemRoot\System32\Drivers\awikb0y5.SYS
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\btkrnl.sys
Loaded driver \SystemRoot\system32\DRIVERS\vncdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\dne2000.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\drivers\btaudio.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\drivers\hap16v2k.sys
Loaded driver \SystemRoot\System32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\System32\drivers\emupia2k.sys
Loaded driver \SystemRoot\System32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\System32\drivers\ctac32k.sys
Loaded driver \SystemRoot\system32\COMMONFX.DLL
Loaded driver \SystemRoot\system32\CTAUDFX.DLL
Loaded driver \SystemRoot\system32\CTSBLFX.DLL
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\DRIVERS\DcCam.sys
Did not load driver \SystemRoot\System32\DRIVERS\exportit.sys
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Did not load driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\system32\DRIVERS\ext2fs.sys
Did not load driver \SystemRoot\system32\Drivers\fwdrv.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\cmdhlp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\IfsDrives.sys
Did not load driver \SystemRoot\System32\DRIVERS\serial.sys
Did not load driver \SystemRoot\System32\DRIVERS\amdk7.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\Drivers\PQNTDrv.SYS
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys
Loaded driver \??\D:\Program Files\Avira\AntiVir Desktop\avgio.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\system32\DRIVERS\cxbu0wdm.sys
Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sys
Loaded driver \SystemRoot\system32\DRIVERS\LHidFilt.Sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFilt.Sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\avgntflt.sys
Loaded driver \SystemRoot\System32\drivers\Tmpreflt.sys
Loaded driver \SystemRoot\System32\drivers\Vsapint.sys
Loaded driver \SystemRoot\System32\drivers\TmXPFlt.sys
Loaded driver \SystemRoot\system32\drivers\dcfs2k.sys
Loaded driver \SystemRoot\System32\Drivers\btwusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\btport.sys
Loaded driver \SystemRoot\system32\DRIVERS\btwhid.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Did not load driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\Drivers\Aspi32.SYS
Did not load driver \SystemRoot\system32\DRIVERS\avgntflt.sys
Loaded driver \??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
Loaded driver \SystemRoot\System32\Drivers\PCC_PFW.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\PfModNT.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\System32\Drivers\vnccom.SYS
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

[AdvancedSetup]

Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
jswmidin
awikb0y5.SYS
awikb0y5

File::
c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys
c:\windows\System32\Drivers\awikb0y5.SYS

RegLock::
[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
RegNull:
[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
RegLock::
[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

[thelostone]

Thanks a lot. That seems to have done the trick. Both Avira and Comodo showed up in the system tray. Spywareguard will not start however.

Here's the log:



ComboFix 09-05-20.09 - The Seeker 21.05.2009 2:07.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3019 [GMT 2:00]
Running from: c:\documents and settings\The Seeker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\The Seeker\Desktop\CFscript.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804FD0EC-FFA4-0112-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00F2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0103-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0114-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
c:\docume~1\THESEE~1\LOCALS~1\Temp\jswmidin.sys
c:\windows\System32\Drivers\awikb0y5.SYS
.
/wow section - STAGE 32A


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JSWMIDIN
-------\Service_awikb0y5
-------\Service_jswmidin


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-20 19:15 . 2009-05-20 19:15 -------- d-----w c:\program files\Trend Micro
2009-05-20 18:19 . 2009-05-20 18:52 -------- d-----w c:\documents and settings\The Seeker\.housecall6.6
2009-05-20 17:29 . 2009-05-20 17:29 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-20 17:28 . 2009-05-20 17:28 -------- d-----w c:\windows\ERUNT
2009-05-20 17:24 . 2009-05-20 17:36 -------- d-----w C:\SDFix
2009-05-20 03:01 . 2009-05-20 03:01 -------- d-----w c:\documents and settings\The Seeker\Application Data\Safer Networking
2009-05-20 00:12 . 2009-05-20 00:12 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-20 00:12 . 2009-05-20 00:12 -------- d-----w c:\program files\Java
2009-05-19 20:23 . 2009-05-19 20:23 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-19 20:21 . 2009-05-19 20:21 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 20:21 . 2009-05-19 20:21 -------- d-----w c:\program files\Lavasoft
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-19 15:53 . 2009-05-19 15:53 -------- d-----w c:\documents and settings\The Seeker\Application Data\SUPERAntiSpyware.com
2009-05-19 15:07 . 2009-05-19 15:07 -------- d-sh--w c:\documents and settings\The Seeker\IECompatCache
2009-05-19 13:16 . 2009-05-19 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-19 13:16 . 2009-05-19 13:16 168208 ----a-w c:\windows\system32\guard32.dll
2009-05-19 13:16 . 2009-05-19 13:16 24096 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-19 13:16 . 2009-05-19 13:16 132640 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-19 11:26 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-19 11:26 . 2009-05-19 11:26 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\The Seeker\Application Data\Malwarebytes
2009-05-19 08:59 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-19 08:59 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 08:59 . 2009-05-19 08:59 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-19 08:37 . 2009-05-19 08:37 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-16 13:52 . 2009-05-16 13:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-16 13:51 . 2009-05-16 13:51 -------- d-sh--w c:\documents and settings\The Seeker\IETldCache
2009-05-16 13:46 . 2009-05-16 13:46 -------- d-----w c:\windows\ie8updates
2009-05-16 13:46 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-16 13:44 . 2009-05-16 13:45 -------- dc-h--w c:\windows\ie8
2009-05-16 01:39 . 2009-05-16 01:39 32 --s-a-w c:\windows\system32\1958099454.dat
2009-05-16 01:39 . 2009-05-16 01:39 50176 --sh--r c:\windows\system32\AddCatx.exe
2009-04-21 17:21 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 17:21 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 17:21 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 17:21 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 17:21 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 17:21 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 17:21 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 17:21 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 17:21 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 17:21 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 17:21 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 22:39 . 2003-04-14 15:14 15080 -c--a-w c:\documents and settings\The Seeker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 19:59 . 2008-01-08 22:15 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-08 02:34 . 2004-02-06 16:05 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2002-08-29 02:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2001-08-23 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2002-08-29 02:41 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2001-08-23 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2002-08-29 02:40 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2002-08-29 02:40 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2002-08-29 02:39 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2001-08-23 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2002-08-29 02:41 284160 ----a-w c:\windows\system32\pdh.dll
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{15C4476A-EA72-4E55-9C5B-1C8249466FF5}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{6D9FE517-31AD-41CC-B95E-7E733B25B9C8}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{818B1A1A-8EE2-4705-AC24-1F49A6DC3696}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\{84376A82-733B-4CCD-9FF9-C28BFC571BEF}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\{8E4DB03C-5F0C-437A-AF87-464B67337438}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\{DFC2EB9A-FB63-43D6-BABA-01F934AF9B6F}.dat
2009-01-16 01:05 . 2004-10-06 20:53 848 -csha-w c:\windows\system32\KGyGaAvL.sys
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{2456E9AF-34DF-4927-9EA0-60700762F576}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{506DCD5D-F167-43F5-B6FF-396974F28A4B}.dat
2003-04-14 15:07 . 2003-04-14 15:07 32 -csha-w c:\windows\system32\{5C41B90D-26A6-4B0A-B93E-5D9992A0F14E}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{78324277-BFF3-42E5-8BB6-4DBDF03D6572}.dat
2003-04-14 15:06 . 2003-04-14 15:06 32 -csha-w c:\windows\system32\{E77C78DB-5D03-463D-8FA0-F4F6534554DE}.dat
2003-04-14 15:05 . 2003-04-14 15:05 32 -csha-w c:\windows\system32\{EB878823-72A4-4881-8455-869B8E4D06F0}.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-05-20_20.38.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 00:11 . 2009-05-21 00:11 16384 c:\windows\temp\Perflib_Perfdata_2ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2007-10-23 21:55 266240 ----a-w c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"Pando"="d:\program files\Pando Networks\Pando\Pando.exe" [2008-11-20 3647304]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2004-06-26 77824]
"CTSysVol"="d:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="d:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-17 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2008-03-01 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"WinVNC"="d:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-19 516440]
"COMODO Internet Security"="d:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-05-19 1794320]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-01 77824]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nForce Tray Options"="sstray.exe" - c:\windows\system32\sstray.exe [2002-11-13 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-12-08 25600]

c:\documents and settings\The Seeker\Start Menu\Programs\Startup\
SpywareGuard.lnk - d:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-4 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-29 561213]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2007-5-26 805392]
PlexTools Professional.lnk - d:\program files\Plextor\PlexTool.exe [2006-1-27 6623232]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2004-9-6 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "d:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\apitrap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\TaskSwitch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SlimServer 9000 tcp
"3483:UDP"= 3483:UDP:SlimServer 3483 udp
"3483:TCP"= 3483:TCP:SlimServer 3483 tcp

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [19.05.2009 22:23 64160]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [27.08.2004 16:18 97920]
R0 trm390w;trm390w;c:\windows\system32\drivers\trm390w.sys [28.05.2002 11:24 24084]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [19.05.2009 15:16 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [19.05.2009 15:16 24096]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [09.02.2007 19:19 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [09.02.2007 19:19 4608]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [14.05.2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14.05.2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [19.05.2009 13:26 108289]
R2 CachemanXPService;CachemanXP;d:\progra~1\CACHEM~1\CachemanXP.exe [13.04.2005 21:56 201728]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09.03.2009 21:06 953168]
R2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys [18.07.2002 17:11 56796]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [08.12.2005 13:20 16168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [20.12.2001 13:09 175488]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [20.12.2001 13:09 18688]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [11.07.2008 22:59 6016]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [06.05.2006 03:15 97792]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [14.05.2009 14:22 7408]
S1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\Drivers\fwdrv.sys --> c:\windows\system32\Drivers\fwdrv.sys [?]
S2 ATIDcomLaunch;ATI Smart ATIDcomLaunch;c:\windows\system32\AddCatx.exe srv --> c:\windows\system32\AddCatx.exe srv [?]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [14.04.2003 17:05 13792]
S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [13.07.2005 01:53 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 20:23]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = localhost
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\The Seeker\Application Data\Mozilla\Firefox\Profiles\7h2x80vv.default\
FF - prefs.js: browser.startup.homepage - hxxp://rckflr.blogspot.com/?zx=5cc4a6187d16ec0a
FF - plugin: d:\program files\Opera7\program\plugins\np32dsw.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdrmv2.dll
FF - plugin: d:\program files\Opera7\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera7\program\plugins\nppl3260.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\nprpjplug.dll
FF - plugin: d:\program files\Opera7\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera7\program\plugins\npupd62.dll
FF - plugin: d:\program files\Opera7\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: d:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 02:11
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1275210071-920026266-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:58,51,31,6a,e0,a3,b8,37,77,b1,c9,62,9b,84,28,26,cc,7e,2d,b8,47,26,04,
c0,a4,c7,91,45,76,94,15,9f,10,b9,0f,8e,fa,31,9c,1c,ab,b2,8d,c1,1f,63,74,b3,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,e6,77,ff,a0,0e,
91,cd,4c,e2,63,26,f1,3f,c8,ff,68,58,36,62,71,ed,d7,b3,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,7a,c0,7c,00,96,
8a,c0,63,6a,9c,d6,61,af,45,84,18,92,6a,10,a7,ea,d2,aa,74,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,52,b2,69,2d,f3,
91,0d,d5,ff,7c,85,e0,43,d4,0e,fe,3e,96,5a,16,85,27,1f,c6,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,46,78,cf,ba,ec,
12,f8,26,86,8c,21,01,be,91,eb,e7,ce,f0,ec,6b,61,70,26,2a,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,8d,fa,fa,da,38,
62,96,0a,f5,1d,4d,73,a8,13,5c,05,79,56,2f,4a,72,00,78,41,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,22,25,6f,f0,41,
c4,87,32,df,20,58,62,78,6b,cf,c8,b4,ee,bb,9e,49,76,06,d6,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,af,22,06,58,d6,
8f,fd,49,fb,a7,78,e6,12,2f,9a,ea,b2,65,5f,75,db,a9,69,01,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,24,5c,92,25,e9,
40,ed,10,01,3a,48,fc,e8,04,4a,f1,94,2f,1d,ef,84,2f,1b,65,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,17,69,12,38,f4,
64,e5,50,f6,0f,4e,58,98,5b,89,c9,3d,a5,ba,88,6b,d6,2d,14,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,22,53,67,b8,62,
af,bf,b4,3d,ce,ea,26,2d,45,aa,78,bb,4a,1a,12,11,3d,a5,21,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,84,ab,db,97,45,
c5,cc,ea,2a,b7,cc,b5,b9,7f,41,e7,eb,5a,a2,80,2a,7f,ae,49,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,37,82,54,65,46,
d9,91,79,6c,43,2d,1e,aa,22,2f,9c,ac,9c,70,62,91,b5,50,58,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(7072)
c:\windows\system32\guard32.dll
d:\program files\Unlocker\UnlockerHook.dll
d:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
d:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
d:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\scardsvr.exe
d:\program files\Avira\AntiVir Desktop\avguard.exe
d:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\ScsiAccess.EXE
d:\progra~1\NORTON~1\SPEEDD~1\NOPDB.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
d:\program files\SpywareGuard\sgbhp.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-05-21 2:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 00:18
ComboFix2.txt 2009-05-20 22:53
ComboFix3.txt 2009-05-20 20:40
ComboFix4.txt 2009-05-20 13:07

Pre-Run: 4 273 750 016 bytes free
Post-Run: 4 198 965 248 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
389 --- E O F --- 2009-04-21 17:26

[AdvancedSetup]

Please run the following

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.



Then run this and post its logs

[indent]Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

• DDS.txt
  
• Attach.txt

• Save both reports to your desktop
  
• Please include the following logs in your next reply: DDS.txt and Attach.txt

[/indent]

[thelostone]

Hijackthis won't open, so I'm just posting the MBAM log. I'll wait for an reply from you before I do anything else.


Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

21.05.2009 03:09:13
mbam-log-2009-05-21 (03-09-13).txt

Scan type: Quick Scan
Objects scanned: 77121
Time elapsed: 2 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[AdvancedSetup]

DDS won't run either?

I'm leaving soon so may not get back till later tonight or tomorrow.

Let's run another AV product then to check the system.



Please download to your Desktop: Dr.Web CureIt

• After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  
• Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  
• Once the short scan has finished, Click on the Complete scan radio button.
  
• Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  
• Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  
• On the File types tab ensure you select All files
  
• Click on the Actions tab and set the following:
  
  • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    
  • Infected packages Archive = Move, E-mails = Report, Containers = Move
    
  • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    
  • Do not change the Rename extension - default is: #??
    
  • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    
  • Leave prompt on Action checked
• On the Log file tab leave the Log to file checked.
  
• Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  
• Log mode = Append
  
• Encoding = ANSI
  
• Details Leave Names of file packers and Statistics checked.
  
• Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  
• On the General tab leave the Scan Priority on High
  
• Click the Apply button at the bottom, and then the OK button.
  
• On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  
• In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  
• The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  
• When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  
• Click 'Yes to all' if it asks if you want to cure/move the files.
  
• This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  
• Save the report to your Desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  
• After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.
  [indent][/indent]

[thelostone]

The computer decided to hang for a while, so I had no choice but to shut it down. I'm attaching logs from MBAM , hijackthis, and dds. Then I'm going to try to run Dr.Web CureIt, and post that log in a new reply. I hope I didn't mess everything up...


Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

21.05.2009 04:55:39
mbam-log-2009-05-21 (04-55-39).txt

Scan type: Quick Scan
Objects scanned: 76926
Time elapsed: 18 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 90
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



----------- Hijackthis



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:05:52, on 21.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Plextor\PlexTool.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - D:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinVNC] "d:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Pando] "D:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\apitrap.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATI Smart ATIDcomLaunch (ATIDcomLaunch) - Unknown owner - C:\WINDOWS\system32\AddCatx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - D:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10383 bytes



------------------ DDS




DDS (Ver_09-05-14.01) - NTFSx86
Run by The Seeker at 5:08:04,28 on 21.05.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2953 [GMT 2:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Updated) {804FD0EC-FFA4-0112-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0103-0D24-347CA8A3377C}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD2B8-FFA4-0114-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-00F2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated) {804FD0EC-FFA4-0103-0D24-347CA8A3377C}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe "C:\WINDOWS\system32\AddCatx.exe"
svchost.exe
D:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
d:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Plextor\PlexTool.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\The Seeker\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: CInterceptor Object: {38d3fe60-3d53-4f37-bb0e-c7a97a26a156} - d:\program files\pando networks\pando\PandoIEPlugin.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - d:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Pando Toolbar BHO: {e3ea4fd1-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Pando Toolbar: {e3ea4fd9-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "d:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [Pando] "d:\program files\pando networks\pando\Pando.exe" /Minimized
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CTSysVol] d:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] d:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDet.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [UnlockerAssistant] "d:\program files\unlocker\UnlockerAssistant.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [WinVNC] "d:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [avgnt] "d:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [nForce Tray Options] sstray.exe /r
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\thesee~1\startm~1\programs\startup\spywar~1.lnk - d:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - d:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\plexto~1.lnk - d:\program files\plextor\PlexTool.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37864.3978240741
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\apitrap.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - d:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thesee~1\applic~1\mozilla\firefox\profiles\7h2x80vv.default\
FF - prefs.js: browser.startup.homepage - hxxp://rckflr.blogspot.com/?zx=5cc4a6187d16ec0a
FF - plugin: d:\program files\opera7\program\plugins\np32dsw.dll
FF - plugin: d:\program files\opera7\program\plugins\npdrmv2.dll
FF - plugin: d:\program files\opera7\program\plugins\npdsplay.dll
FF - plugin: d:\program files\opera7\program\plugins\nppl3260.dll
FF - plugin: d:\program files\opera7\program\plugins\nprjplug.dll
FF - plugin: d:\program files\opera7\program\plugins\nprpjplug.dll
FF - plugin: d:\program files\opera7\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\opera7\program\plugins\npupd62.dll
FF - plugin: d:\program files\opera7\program\plugins\npwmsdrm.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: d:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: d:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-19 64160]
R1 avgio;avgio;d:\program files\avira\antivir desktop\avgio.sys [2009-5-19 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-5-19 132640]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-5-19 24096]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2007-2-9 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [2007-2-9 4608]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\avira\antivir desktop\sched.exe [2009-5-19 108289]
R2 AntiVirService;Avira AntiVir Guard;d:\program files\avira\antivir desktop\avguard.exe [2009-5-19 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-19 55640]
R2 CachemanXPService;CachemanXP;d:\progra~1\cachem~1\CachemanXP.exe [2005-4-13 201728]
R2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2009-5-19 692496]
R2 PCC_PFW;PC-Cillin Personal Firewall;c:\windows\system32\drivers\PCC_PFW.sys [2002-7-18 56796]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2005-12-8 16168]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2001-12-20 175488]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2001-12-20 18688]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-7-11 6016]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [2006-5-6 97792]
R3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-27 97920]
S0 trm390w;trm390w;c:\windows\system32\drivers\trm390w.sys [2002-5-28 24084]
S1 fwdrv;Kerio Personal Firewall Driver;c:\windows\system32\drivers\fwdrv.sys --> c:\windows\system32\drivers\fwdrv.sys [?]
S2 ATIDcomLaunch;ATI Smart ATIDcomLaunch;c:\windows\system32\addcatx.exe srv --> c:\windows\system32\AddCatx.exe srv [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
S3 QDFSDRV;QDFSDRV;c:\windows\system32\drivers\qdfsdrv.sys [2003-4-14 13792]
S3 SUSCOM;Susteen Serial port driver;c:\windows\system32\drivers\SUSCOM.SYS [2005-7-13 40448]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-05-21 02:06 130,048 a------- c:\windows\PEV.exe
2009-05-20 22:36 <DIR> a-dshr-- C:\cmdcons
2009-05-20 22:35 161,792 a------- c:\windows\SWREG.exe
2009-05-20 22:35 98,816 a------- c:\windows\sed.exe
2009-05-20 21:15 <DIR> --d----- c:\program files\Trend Micro
2009-05-20 20:19 <DIR> --d----- c:\documents and settings\the seeker\.housecall6.6
2009-05-20 19:29 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-05-20 19:28 <DIR> --d----- c:\windows\ERUNT
2009-05-20 19:24 <DIR> --d----- C:\SDFix
2009-05-20 05:01 <DIR> --d----- c:\docume~1\thesee~1\applic~1\Safer Networking
2009-05-20 02:12 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-20 02:12 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-19 22:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-19 22:21 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-19 22:21 <DIR> --d----- c:\program files\Lavasoft
2009-05-19 21:11 4,958,588 a------- c:\windows\{00000002-00000000-00000008-00001102-00000004-20021102}.BAK
2009-05-19 17:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-19 17:53 <DIR> --d----- c:\docume~1\thesee~1\applic~1\SUPERAntiSpyware.com
2009-05-19 17:07 <DIR> --dsh--- c:\documents and settings\the seeker\IECompatCache
2009-05-19 16:55 130 a------- c:\windows\cfplogvw.INI
2009-05-19 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-05-19 15:16 168,208 a------- c:\windows\system32\guard32.dll
2009-05-19 15:16 132,640 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-19 15:16 24,096 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-05-19 13:26 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-19 13:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-19 10:59 <DIR> --d----- c:\docume~1\thesee~1\applic~1\Malwarebytes
2009-05-19 10:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-19 10:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-19 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-16 15:51 <DIR> --dsh--- c:\documents and settings\the seeker\IETldCache
2009-05-16 15:48 118 a------- c:\windows\system32\MRT.INI
2009-05-16 15:46 <DIR> --d----- c:\windows\ie8updates
2009-05-16 15:46 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-16 15:44 <DIR> -cd-h--- c:\windows\ie8
2009-05-16 03:39 32 a--s---- c:\windows\system32\1958099454.dat
2009-05-16 03:39 50,176 ---shr-- c:\windows\system32\AddCatx.exe
2009-04-21 19:21 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-21 19:21 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-21 19:21 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-21 19:21 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 19:21 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-21 19:21 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 19:21 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-21 19:21 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-21 19:21 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 19:21 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-21 19:21 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-21 19:21 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 16:22 284,160 a------- c:\windows\system32\pdh.dll
2003-04-14 17:07 32 ac-sh--- c:\windows\{15C4476A-EA72-4E55-9C5B-1C8249466FF5}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\{6D9FE517-31AD-41CC-B95E-7E733B25B9C8}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\{818B1A1A-8EE2-4705-AC24-1F49A6DC3696}.dat
2003-04-14 17:07 32 ac-sh--- c:\windows\{84376A82-733B-4CCD-9FF9-C28BFC571BEF}.dat
2003-04-14 17:06 32 ac-sh--- c:\windows\{8E4DB03C-5F0C-437A-AF87-464B67337438}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\{DFC2EB9A-FB63-43D6-BABA-01F934AF9B6F}.dat
2009-01-16 03:05 848 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2003-04-14 17:07 32 ac-sh--- c:\windows\system32\{2456E9AF-34DF-4927-9EA0-60700762F576}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\system32\{506DCD5D-F167-43F5-B6FF-396974F28A4B}.dat
2003-04-14 17:07 32 ac-sh--- c:\windows\system32\{5C41B90D-26A6-4B0A-B93E-5D9992A0F14E}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\system32\{78324277-BFF3-42E5-8BB6-4DBDF03D6572}.dat
2003-04-14 17:06 32 ac-sh--- c:\windows\system32\{E77C78DB-5D03-463D-8FA0-F4F6534554DE}.dat
2003-04-14 17:05 32 ac-sh--- c:\windows\system32\{EB878823-72A4-4881-8455-869B8E4D06F0}.dat
2009-01-16 04:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009011620090117\index.dat

============= FINISH: 5:08:29,57 ===============

Attached Files

•  Attach.zip   5.28K   26 downloads

[thelostone]

I got Dr. Web up and running... at least for a while - then I had a blue screen an hour or so into the full scan. It managed to delete and move some files before windows crashed. I rebooted and am now running it for the second time. This is posted from another pc running Ubuntu.

It also turns out my windows-pc was sending quite a bit of spam out according to a mail I got from my ISP.

[AdvancedSetup]

Okay, if it dies again let me know and we can try another routine.

[thelostone]

Dr.Web CureIt will be scanning for at least 14 more hours by my estimates...

[AdvancedSetup]

Any update on this? How's it going?

[thelostone]

It's finished. Here's the new Hijakthis log & DrWeb.csv:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:55, on 22.05.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Plextor\PlexTool.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {06663B56-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - D:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTSysVol] d:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] d:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinVNC] "d:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "d:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Pando] "D:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PlexTools Professional.lnk = D:\Program Files\Plextor\PlexTool.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\apitrap.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - D:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - d:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 10573 bytes



----------------------DrWeb.csv



A0000294.bat;C:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Probably BATCH.Virus;Incurable.Moved.;
A0000405.bat;C:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Probably BATCH.Virus;Incurable.Moved.;
AddCatx.exe;C:\WINDOWS\system32;BackDoor.IRC.Bot.114;Deleted.;
UltraVNC-102-Setup.exe\data014;D:\Download\UltraVNC\UltraVNC-102-Setup.exe;Program.RemoteAdmin.37;;
UltraVNC-102-Setup.exe;D:\Download\UltraVNC;Archive contains infected objects;Moved.;
VNCHooks.dll;D:\Program Files\TightVNC;Program.RemoteAdmin;Moved.;
WinVNC.exe;D:\Program Files\TightVNC;Program.RemoteAdmin;Moved.;
A0001544.exe\data014;D:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2\A0001544.exe;Program.RemoteAdmin.37;;
A0001544.exe;D:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Archive contains infected objects;Moved.;
A0001545.dll;D:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Program.RemoteAdmin;Moved.;
A0001546.exe;D:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Program.RemoteAdmin;Moved.;
BWA_5.0.0.21_Patch.exe;F:\tmp\Blindwrite Suite v5.05.122\30.12 BlindWrite Suite v5.05.122\ BWA Builder 5.0.0.21 Patch;Tool.ASEye.2;Moved.;
bw507112.exe;F:\tmp\Blindwrite Suite v5.05.122\30.12 BlindWrite Suite v5.05.122\BlindWrite 5.07.122 Patch;Tool.ASEye.2;Moved.;
tightvnc-1.2.9-setup.exe\data002;N:\Download\TightVNC\tightvnc-1.2.9-setup.exe;Program.RemoteAdmin;;
tightvnc-1.2.9-setup.exe\data003;N:\Download\TightVNC\tightvnc-1.2.9-setup.exe;Program.RemoteAdmin;;
tightvnc-1.2.9-setup.exe;N:\Download\TightVNC;Archive contains infected objects;Moved.;
A0001547.exe\data002;N:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2\A0001547.exe;Program.RemoteAdmin;;
A0001547.exe\data003;N:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2\A0001547.exe;Program.RemoteAdmin;;
A0001547.exe;N:\System Volume Information\_restore{A492E7D6-8213-4C23-A563-D3B1691866E5}\RP2;Archive contains infected objects;Moved.;

[AdvancedSetup]

Well that looks pretty good then. You can probably move back those files that Dr Web did move that were not in the System Restore area. They were flagged probably due to their potential for bad use and not that they were infected.


Please update MBAM again and do a Quick Scan and post back the log.