Malwarebytes

Security Tool problems :-( plz help!


14 replies to this topic

#1
Poisn

    New Member

  • Members
  • 8 posts
OK, so I have had this Security Tool fake anti-virus thing for a week or 2 now. After trying many different anti-virus/anti-malware programs, none have gotten rid of it completely. I'm not really used to viruses, as I have never had a virus to this extent before, but I have been trying hard to get rid of it w/o having any success. It just keeps coming back and I'm not sure what to do anymore. I can get rid of it for a short while, then I catch it back in my processes and find the file reinstalled on my comp. I could really use some help about now; it's starting to get really annoying. So any help is very much appreciated.

Thanks,

Joe

#2
Rosty

    Advanced Member

  • Trusted Advisors
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

#3
Poisn

    New Member

  • Members
  • 8 posts

Rosty, on Oct 21 2009, 10:33 AM, said:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.

ty for the quick response :-D I got ComboFix and ran it. The first time it ran, an error msg popped up saying "Failed to Install" and during the steps a few of them failed; then when the scan was done it restarted my computer and never gave me a log, so I ran it a second time and I have that log. I also checked where it said it was going to save the log in hopes that the other scan would be there, but I couldn't find either log, so here's the second scan. Also, the second scan worked w/o any failed installs or anything like that popping up.

ComboFix 09-10-20.03 - Owner 10/21/2009 12:00.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1493 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091020-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Owner\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Owner\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\recycler\S-1-5-21-1680454281-4053965520-2534558525-500
C:\STF5ED.tmp
c:\windows\Installer\368779f.msi
c:\windows\Installer\6e91a.msi
c:\windows\kb913800.exe
c:\windows\system32\AdCache
c:\windows\system32\bapemode.exe
c:\windows\system32\bekigazi.exe
c:\windows\system32\bigifuva.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\birakuze.dll
c:\windows\system32\botanode.exe
c:\windows\system32\cache329
c:\windows\system32\dizikoli.dll
c:\windows\system32\dolaribe.dll
c:\windows\system32\dunuwofo.dll
c:\windows\system32\fotolowu.dll
c:\windows\system32\gafulono.dll
c:\windows\system32\geyubuzu.dll
c:\windows\system32\hikalofa.exe
c:\windows\system32\hikovoke.dll
c:\windows\system32\hofomoto.exe
c:\windows\system32\hurinewu.dll
c:\windows\system32\lepayuje.dll
c:\windows\system32\lokimoli.dll
c:\windows\system32\mewosije.exe
c:\windows\system32\mitonoya.exe
c:\windows\system32\naruhogo.dll
c:\windows\system32\nuar.old
c:\windows\system32\petaziwe.dll
c:\windows\system32\piladoya.exe
c:\windows\system32\raseloka.dll
c:\windows\system32\rodederi.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\sefineje.dll
c:\windows\system32\sidefevi.dll
c:\windows\system32\sikatodo.exe
c:\windows\system32\sisajife.exe
c:\windows\system32\siyadoro.exe
c:\windows\system32\sovowuyi.exe
c:\windows\system32\tokupato.dll
c:\windows\system32\tutedolu.dll
c:\windows\system32\vapiraji.exe
c:\windows\system32\vavanoho.exe
c:\windows\system32\viniwuhe.dll
c:\windows\system32\wihedilu.exe
c:\windows\system32\yafilezu.dll
c:\windows\system32\zenanori.dll
c:\windows\system32\zokujole.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\windows\LastGood
2009-10-19 21:44 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-10-19 21:44 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-10-19 21:44 . 2004-08-04 02:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-10-19 21:44 . 2004-08-04 02:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-10-19 21:44 . 2001-08-17 17:57 14080 -c--a-w- c:\windows\system32\dllcache\battc.sys
2009-10-19 21:44 . 2001-08-17 17:57 14080 ----a-w- c:\windows\system32\drivers\battc.sys
2009-10-19 21:44 . 2001-08-17 17:47 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2009-10-19 21:44 . 2001-08-17 17:47 13056 ----a-w- c:\windows\system32\drivers\inport.sys
2009-10-19 20:22 . 2009-10-19 20:33 58 ----a-w- c:\windows\wp4.dat
2009-10-19 20:22 . 2009-10-19 20:33 1 ----a-w- c:\windows\wp3.dat
2009-10-19 20:22 . 2009-10-19 20:33 559104 ----a-w- c:\windows\system32\plugie.dll
2009-10-09 13:52 . 2009-10-21 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-08 23:26 . 2009-10-08 23:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-08 23:26 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 23:25 . 2009-10-08 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 23:25 . 2009-10-08 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 23:25 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 20:34 . 2009-10-08 20:34 65792 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 13:32 . 2009-10-06 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Saitek
2009-10-06 13:32 . 2009-10-06 13:32 -------- d-----w- c:\program files\Saitek
2009-10-05 15:22 . 2009-10-05 15:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PunkBuster
2009-10-05 04:15 . 2009-10-05 04:15 -------- d-----w- C:\ProgramData
2009-10-05 04:15 . 2009-10-05 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-04 20:42 . 2009-10-04 20:45 35190 ----a-w- c:\windows\scunin.dat
2009-10-04 20:42 . 2009-10-04 20:45 967 ----a-w- c:\windows\ScUnin.pif
2009-10-04 20:42 . 2009-10-04 20:45 94208 ----a-w- c:\windows\ScUnin.exe
2009-10-04 18:10 . 2009-10-04 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Risen
2009-09-29 12:31 . 2009-09-29 12:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-09-27 13:43 . 2009-10-02 14:48 -------- d-----w- c:\program files\Kazaa
2009-09-27 00:02 . 2009-09-27 00:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!
2009-09-24 19:34 . 2009-07-31 19:23 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 15:49 . 2009-07-08 04:48 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-10-21 01:38 . 2007-10-28 09:39 -------- d-----w- c:\program files\Steam
2009-10-21 01:30 . 2009-04-25 23:46 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-10-20 13:52 . 2009-07-08 04:48 -------- d-----w- c:\program files\DNA
2009-10-15 19:06 . 2007-08-14 11:42 139640 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-15 19:06 . 2007-08-14 11:41 190216 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-10-13 19:58 . 2008-08-07 03:10 -------- d-----w- c:\program files\World of Warcraft
2009-10-10 00:06 . 2007-04-29 08:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-10 00:03 . 2007-06-26 13:31 64672 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 22:07 . 2008-02-06 05:29 -------- d-----w- c:\program files\Starcraft
2009-10-05 15:25 . 2007-08-14 11:41 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-05 13:26 . 2008-06-17 10:54 -------- d-----w- c:\program files\EA GAMES
2009-10-05 04:15 . 2009-03-18 20:46 -------- d-----w- c:\program files\Electronic Arts
2009-09-24 19:35 . 2007-04-29 08:36 -------- d-----w- c:\program files\Java
2009-09-24 19:34 . 2008-01-15 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-24 18:26 . 2008-01-06 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-24 18:26 . 2007-09-21 19:47 -------- d-----w- c:\program files\Yahoo!
2009-09-15 10:59 . 2008-04-12 05:02 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 10:56 . 2008-04-12 05:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 10:56 . 2008-04-12 05:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 10:55 . 2008-04-12 05:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2008-04-12 05:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 10:54 . 2008-04-12 05:03 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 10:54 . 2008-04-12 05:03 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 10:53 . 2008-04-12 05:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 10:53 . 2008-04-12 05:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-13 01:52 . 2007-05-25 18:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 01:51 . 2007-09-06 22:42 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-13 01:50 . 2008-08-27 16:54 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-13 01:50 . 2008-08-27 16:54 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-12 04:01 . 2007-06-19 17:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-12 03:40 . 2009-09-12 03:40 -------- d-----w- c:\program files\Sierra
2009-09-10 07:11 . 2008-09-18 01:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 02:25 . 2007-11-26 21:17 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll
2009-09-07 02:19 . 2009-09-07 02:19 -------- d-----w- c:\program files\Starbreeze Studios
2009-09-06 21:28 . 2009-09-06 21:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Ace
2009-09-06 16:20 . 2009-09-06 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Wideload
2009-09-05 17:01 . 2009-09-05 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-09-05 04:04 . 2009-09-05 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\NationRed
2009-09-04 19:30 . 2009-09-04 19:30 -------- d-----w- c:\program files\Z8Games
2009-09-01 01:39 . 2009-09-01 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3
2009-09-01 01:39 . 2009-03-02 01:40 -------- d-----w- c:\program files\Bethesda Softworks
2009-08-31 02:23 . 2009-08-27 04:17 -------- d-----w- c:\program files\Full Tilt Poker.Net
2009-08-05 09:11 . 2006-02-23 03:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 20:33 559104 ----a-w- c:\windows\system32\plugie.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-18 339968]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"Tarantula"="c:\program files\Razer\Tarantula\razerhid.exe" [2007-05-07 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Mbam1.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1177835852\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\poisn119\\source sdk base\\hl2.exe"=
"c:\\Program Files\\IP Hider\\IP Hider.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\XBlades\\xblades.exe"=
"c:\\Program Files\\XBlades\\launcher.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zombie shooter demo\\ZombieShooterDemo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\ijjigame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\baboinvasion_trial\\BaboInvasionTrial.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1716:TCP"= 1716:TCP:AA Server 1
"1716:UDP"= 1716:UDP:AA Server 2

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/12/2008 1:03 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2008 1:03 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/3/2008 5:21 AM 24652]
R3 SaiH0460;SaiH0460;c:\windows\system32\drivers\SaiH0460.sys [11/24/2008 12:12 PM 137600]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [5/2/2007 9:58 PM 45440]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 1:54 AM 10664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]

2009-10-13 c:\windows\Tasks\dfrg.job
- c:\windows\System32\defrag.exe [2006-02-23 19:00]

2009-10-12 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2006-02-23 19:00]

2009-10-17 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-11-17 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Video Converter... - c:\program files\MP3 Player Utilities 5.10\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nx0hkpp2.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-TheStubware - c:\program files\TheStubware\TheStubware.exe
AddRemove-jujjxoujedvxvymeo - c:\windows\system32\jujjxoujedvxvymeo.exe
AddRemove-ijji.com - c:\ijji\ENGLISH\ijjiUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 12:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-139688342-1621953222-2771545461-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:75,cc,a1,2b,15,1b,33,a0,a2,ce,8f,19,40,53,41,0a,60,6e,ca,6b,f5,b5,e6,
51,a5,b2,3e,00,dc,cb,a9,a2,72,4c,f5,74,57,3a,ea,15,03,42,c5,53,92,3c,ba,19,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
"????????????????????????"=hex:78,5d,d3,6d,5b,4f,6a,a2,0d,86,20,b5,7b,88,6e,06,
cd,ca,24,cd,24,30,e9,e9,7e,08,92,e9,24,cd,7e,7e,00,00,00,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-139688342-1621953222-2771545461-1006\Software\SecuROM\License information*]
"datasecu"=hex:28,0a,50,e1,9b,97,ad,bc,90,dc,b5,02,2c,54,6e,07,e4,5a,00,d2,96,
a2,c7,f5,9e,7e,e6,71,95,40,53,75,e3,d6,1c,a6,f6,41,47,01,51,48,b9,2f,f7,ff,\
"rkeysecu"=hex:47,97,85,4f,a3,44,76,ce,6d,4c,69,16,75,d0,49,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2604)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-21 12:11
ComboFix-quarantined-files.txt 2009-10-21 16:11

Pre-Run: 98,948,771,840 bytes free
Post-Run: 98,909,356,032 bytes free

- - End Of File - - 85945ADB9A19F8AE14F6E33403231CFE

#4
Rosty

    Advanced Member

  • Trusted Advisors
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\windows\wp4.dat
c:\windows\wp3.dat
c:\windows\system32\plugie.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

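The CFScript in this post removes the BHO's DLL (plugie.dll), the two .dat files that the first log shows were created in the same minute as that DLL, and the BHO's CLSID key. As an added example (not ComboFix's code and not part of Rosty's instructions), here is a Python script that drafts such a CFScript from a ComboFix log: it parses the "Files Created" and "Reg Loading Points" sections, correlates a BHO's DLL with every file created at the same timestamp, and separately reports the other indicators visible in the log above (firewall disabled, a service whose binary sits directly in c:\windows, Internet Explorer proxied through 127.0.0.1) for a human to review. The log excerpt is constructed from entries copied from the log above, and the regular expressions and heuristics are my assumptions about the log format rather than anything ComboFix documents.

```python
"""Triage a ComboFix-style log excerpt and draft a CFScript in the
File:: / Registry:: form used in this thread. Added example; the parsing
rules are heuristics of mine, not ComboFix's or Malwarebytes' own code."""
import re

# Constructed excerpt in ComboFix log layout, built from entries copied
# from the log posted earlier in the thread.
SAMPLE_LOG = r"""
(((((((( Files Created from 2009-09-21 to 2009-10-21 ))))))))
2009-10-19 20:22 . 2009-10-19 20:33 58 ----a-w- c:\windows\wp4.dat
2009-10-19 20:22 . 2009-10-19 20:33 1 ----a-w- c:\windows\wp3.dat
2009-10-19 20:22 . 2009-10-19 20:33 559104 ----a-w- c:\windows\system32\plugie.dll
2009-10-09 13:52 . 2009-10-21 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

(((((((( Reg Loading Points ))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 20:33 559104 ----a-w- c:\windows\system32\plugie.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/12/2008 1:03 AM 114768]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]

uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
"""

# "Files Created" rows: created . modified size attrs path (assumed layout)
CREATED = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
                     r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:\d+|-+) (?P<attrs>\S+) "
                     r"(?P<path>[A-Za-z]:\\.*)$")
# BHO key line, followed by a one-line file record for its DLL
BHO_KEY = re.compile(r"^\[(?P<key>[^\]]*Browser Helper Objects\\\{[0-9A-Fa-f-]+\})\]$")
FILE_INFO = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>[A-Za-z]:\\.*)$")
# Service rows: R/S + start type, name;display;image path
SERVICE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);(?P<display>[^;]*);"
                     r"(?P<path>[A-Za-z]:\\.*?)(?: -->| \[)")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
PROXY = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")


def triage(log_text):
    """Return a list of findings; each has kind, detail, files and regkey."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    # Pass 1: remember creation timestamps of files (directories skipped).
    created = []
    for line in lines:
        m = CREATED.match(line)
        if m and not m.group("attrs").startswith("d"):
            created.append((m.group("created"), m.group("path")))
    # Pass 2: scan for indicators.
    findings = []
    for i, line in enumerate(lines):
        m = BHO_KEY.match(line)
        if m:
            nxt = FILE_INFO.match(lines[i + 1]) if i + 1 < len(lines) else None
            dll = nxt.group("path") if nxt else None
            stamp = next((t for t, p in created if dll and p.lower() == dll.lower()), None)
            # Files dropped in the same minute as the DLL are likely siblings.
            siblings = [p for t, p in created if t == stamp] if stamp else ([dll] if dll else [])
            findings.append({"kind": "bho", "detail": f"BHO loads {dll}",
                             "files": siblings, "regkey": m.group("key")})
            continue
        m = SERVICE.match(line)
        if m:
            path = m.group("path")
            if path.lower().rsplit("\\", 1)[0] == r"c:\windows":
                findings.append({"kind": "service",
                                 "detail": f"service {m.group('name')} runs {path} from the Windows folder",
                                 "files": [path], "regkey": None})
            continue
        if FIREWALL_OFF.match(line):
            findings.append({"kind": "firewall", "detail": "Windows Firewall disabled (standard profile)",
                             "files": [], "regkey": None})
            continue
        m = PROXY.match(line)
        if m and m.group("proxy").startswith("127.0.0.1:"):
            findings.append({"kind": "proxy", "detail": f"IE proxies through loopback {m.group('proxy')}",
                             "files": [], "regkey": None})
    return findings


def build_cfscript(findings):
    """Render File:: / Registry:: blocks for BHO findings only; services and
    settings are left for manual follow-up, since a file delete is not enough."""
    bhos = [f for f in findings if f["kind"] == "bho"]
    files = [p for f in bhos for p in f["files"]]
    keys = [f["regkey"] for f in bhos if f["regkey"]]
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if keys:
        if out:
            out.append("")
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in keys)
    return "\n".join(out) + "\n" if out else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['kind']}] {f['detail']}")
    print(build_cfscript(found))
```

Run on the constructed excerpt, the script prints four findings and a CFScript identical to the one in this post. The timestamp correlation is the point worth taking away: dropped files rarely arrive alone, and the creation minute in the "Files Created" section is often the cheapest way to find their siblings.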

#5
Poisn

    New Member

  • Members
  • 8 posts

Rosty, on Oct 21 2009, 02:49 PM, said:

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:




3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

ok got them both done as requested :-D ty so much for all the help

ComboFix 09-10-20.03 - Owner 10/21/2009 17:37.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1473 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091021-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\plugie.dll"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\plugie.dll
c:\windows\wp3.dat
c:\windows\wp4.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 15:58 . 2009-10-21 15:58 -------- d-----w- c:\windows\LastGood
2009-10-19 21:44 . 2004-08-04 03:00 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2009-10-19 21:44 . 2004-08-04 03:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2009-10-19 21:44 . 2004-08-04 02:59 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-10-19 21:44 . 2004-08-04 02:59 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2009-10-19 21:44 . 2001-08-17 17:57 14080 -c--a-w- c:\windows\system32\dllcache\battc.sys
2009-10-19 21:44 . 2001-08-17 17:57 14080 ----a-w- c:\windows\system32\drivers\battc.sys
2009-10-19 21:44 . 2001-08-17 17:47 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2009-10-19 21:44 . 2001-08-17 17:47 13056 ----a-w- c:\windows\system32\drivers\inport.sys
2009-10-09 13:52 . 2009-10-21 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-08 23:26 . 2009-10-08 23:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-10-08 23:26 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 23:25 . 2009-10-08 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 23:25 . 2009-10-08 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 23:25 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 20:34 . 2009-10-08 20:34 65792 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 13:32 . 2009-10-06 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Saitek
2009-10-06 13:32 . 2009-10-06 13:32 -------- d-----w- c:\program files\Saitek
2009-10-05 15:22 . 2009-10-05 15:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PunkBuster
2009-10-05 04:15 . 2009-10-05 04:15 -------- d-----w- C:\ProgramData
2009-10-05 04:15 . 2009-10-05 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-10-04 20:42 . 2009-10-04 20:45 35190 ----a-w- c:\windows\scunin.dat
2009-10-04 20:42 . 2009-10-04 20:45 967 ----a-w- c:\windows\ScUnin.pif
2009-10-04 20:42 . 2009-10-04 20:45 94208 ----a-w- c:\windows\ScUnin.exe
2009-10-04 18:10 . 2009-10-04 18:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Risen
2009-09-29 12:31 . 2009-09-29 12:31 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2009-09-27 13:43 . 2009-10-02 14:48 -------- d-----w- c:\program files\Kazaa
2009-09-27 00:02 . 2009-09-27 00:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!
2009-09-24 19:34 . 2009-07-31 19:23 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 17:47 . 2009-04-25 23:46 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-10-21 15:49 . 2009-07-08 04:48 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-10-21 01:38 . 2007-10-28 09:39 -------- d-----w- c:\program files\Steam
2009-10-20 13:52 . 2009-07-08 04:48 -------- d-----w- c:\program files\DNA
2009-10-15 19:06 . 2007-08-14 11:42 139640 -c--a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-15 19:06 . 2007-08-14 11:41 190216 -c--a-w- c:\windows\system32\PnkBstrB.exe
2009-10-13 19:58 . 2008-08-07 03:10 -------- d-----w- c:\program files\World of Warcraft
2009-10-10 00:06 . 2007-04-29 08:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-10 00:03 . 2007-06-26 13:31 64672 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 22:07 . 2008-02-06 05:29 -------- d-----w- c:\program files\Starcraft
2009-10-05 15:25 . 2007-08-14 11:41 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-10-05 13:26 . 2008-06-17 10:54 -------- d-----w- c:\program files\EA GAMES
2009-10-05 04:15 . 2009-03-18 20:46 -------- d-----w- c:\program files\Electronic Arts
2009-09-24 19:35 . 2007-04-29 08:36 -------- d-----w- c:\program files\Java
2009-09-24 19:34 . 2008-01-15 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-24 18:26 . 2008-01-06 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-24 18:26 . 2007-09-21 19:47 -------- d-----w- c:\program files\Yahoo!
2009-09-15 10:59 . 2008-04-12 05:02 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 10:56 . 2008-04-12 05:03 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 10:56 . 2008-04-12 05:03 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 10:55 . 2008-04-12 05:03 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2008-04-12 05:03 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 10:54 . 2008-04-12 05:03 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 10:54 . 2008-04-12 05:03 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 10:53 . 2008-04-12 05:03 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 10:53 . 2008-04-12 05:03 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-13 01:52 . 2007-05-25 18:41 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 01:51 . 2007-09-06 22:42 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-13 01:50 . 2008-08-27 16:54 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-13 01:50 . 2008-08-27 16:54 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-12 04:01 . 2007-06-19 17:49 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-12 03:40 . 2009-09-12 03:40 -------- d-----w- c:\program files\Sierra
2009-09-10 07:11 . 2008-09-18 01:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 02:25 . 2007-11-26 21:17 43520 -c--a-w- c:\windows\system32\CmdLineExt03.dll
2009-09-07 02:19 . 2009-09-07 02:19 -------- d-----w- c:\program files\Starbreeze Studios
2009-09-06 21:28 . 2009-09-06 21:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Ace
2009-09-06 16:20 . 2009-09-06 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Wideload
2009-09-05 17:01 . 2009-09-05 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-09-05 04:04 . 2009-09-05 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\NationRed
2009-09-04 19:30 . 2009-09-04 19:30 -------- d-----w- c:\program files\Z8Games
2009-09-01 01:39 . 2009-09-01 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Fallout3
2009-09-01 01:39 . 2009-03-02 01:40 -------- d-----w- c:\program files\Bethesda Softworks
2009-08-31 02:23 . 2009-08-27 04:17 -------- d-----w- c:\program files\Full Tilt Poker.Net
2009-08-05 09:11 . 2006-02-23 03:44 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_16.08.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-21 16:38 . 2009-10-21 16:38 16384 c:\windows\Temp\Perflib_Perfdata_91c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-18 339968]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"Tarantula"="c:\program files\Razer\Tarantula\razerhid.exe" [2007-05-07 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 237568]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 131072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\Mbam1.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
backup=c:\windows\pss\Install Pending Files.LNKCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1177835852\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Aspyr\\Guitar Hero III\\GH3.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\redragon119\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\poisn119\\source sdk base\\hl2.exe"=
"c:\\Program Files\\IP Hider\\IP Hider.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\XBlades\\xblades.exe"=
"c:\\Program Files\\XBlades\\launcher.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"c:\\ijji\\ENGLISH\\u_skid.exe"=
"c:\\Program Files\\DriftCity\\DriftCity.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\zombie shooter demo\\ZombieShooterDemo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\ijjigame\\PLauncher.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\baboinvasion_trial\\BaboInvasionTrial.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"1716:TCP"= 1716:TCP:AA Server 1
"1716:UDP"= 1716:UDP:AA Server 2

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/12/2008 1:03 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2008 1:03 AM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/3/2008 5:21 AM 24652]
R3 SaiH0460;SaiH0460;c:\windows\system32\drivers\SaiH0460.sys [11/24/2008 12:12 PM 137600]
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [5/2/2007 9:58 PM 45440]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [8/29/2006 1:54 AM 10664]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]

2009-10-13 c:\windows\Tasks\dfrg.job
- c:\windows\System32\defrag.exe [2006-02-23 19:00]

2009-10-12 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2006-02-23 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/
mStart Page = hxxp://www.gatewaybiz.com
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Video Converter... - c:\program files\MP3 Player Utilities 5.10\AVIConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nx0hkpp2.default\
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast, );user_pref(yahoo.homepage.dontask, true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-139688342-1621953222-2771545461-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:75,cc,a1,2b,15,1b,33,a0,a2,ce,8f,19,40,53,41,0a,60,6e,ca,6b,f5,b5,e6,
51,a5,b2,3e,00,dc,cb,a9,a2,72,4c,f5,74,57,3a,ea,15,03,42,c5,53,92,3c,ba,19,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
"????????????????????????"=hex:78,5d,d3,6d,5b,4f,6a,a2,0d,86,20,b5,7b,88,6e,06,
cd,ca,24,cd,24,30,e9,e9,7e,08,92,e9,24,cd,7e,7e,00,00,00,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-139688342-1621953222-2771545461-1006\Software\SecuROM\License information*]
"datasecu"=hex:28,0a,50,e1,9b,97,ad,bc,90,dc,b5,02,2c,54,6e,07,e4,5a,00,d2,96,
a2,c7,f5,9e,7e,e6,71,95,40,53,75,e3,d6,1c,a6,f6,41,47,01,51,48,b9,2f,f7,ff,\
"rkeysecu"=hex:47,97,85,4f,a3,44,76,ce,6d,4c,69,16,75,d0,49,71
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-21 17:49
ComboFix-quarantined-files.txt 2009-10-21 21:49
ComboFix2.txt 2009-10-21 16:11

Pre-Run: 98,933,661,696 bytes free
Post-Run: 98,916,036,608 bytes free

- - End Of File - - 477B7807B5F20F3D583B96F4FFFADC78



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:41 PM, on 10/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Razer\Tarantula\razerhid.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Razer\Tarantula\razertra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {60BF5EE3-0105-4858-AD98-17C19F86B042} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Mbam1.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 11.5.0.1145 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08da -f video -m logitech -d 11.5.0.1145 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Video Converter... - C:\Program Files\MP3 Player Utilities 5.10\AVIConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11830 bytes
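
Several entries in the two logs above are the kind a helper flags on sight: the firewall policy value "EnableFirewall"= 0, the browser proxy pointed at 127.0.0.1:8080, and the WDefend service whose image c:\windows\svohost.exe is one character away from svchost.exe and is reported as missing on disk. The script below is an added triage example written for this page; it is not part of the thread and not a tool from Malwarebytes, ComboFix or HijackThis. It parses a handful of lines in the ComboFix service format and the HijackThis O23/R1/O2 formats (copied from the logs above as constructed sample input) and reports findings by severity. The severity labels, the list of system binaries used for lookalike matching, and all function names are the example's own assumptions.

```python
import re

# Constructed sample input: lines copied from the ComboFix and HijackThis
# logs posted earlier in this thread.
SAMPLE_LOG = r"""
"EnableFirewall"= 0 (0x0)
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/12/2008 1:03 AM 114768]
uInternet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O2 - BHO: (no name) - {60BF5EE3-0105-4858-AD98-17C19F86B042} - (no file)
"""

# Assumed list of Windows binaries that rogue software likes to imitate by name.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe", "smss.exe")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename):
    """Return the system binary this file name imitates, or None."""
    name = basename.lower()
    for legit in SYSTEM_BINARIES:
        if name != legit and edit_distance(name, legit) <= 1:
            return legit
    return None


def image_path(s):
    """Cut a service image path off before its arguments and trailing notes."""
    m = re.match(r'\s*(.*?\.(?:exe|sys|dll|des))', s, re.I)
    return m.group(1).strip() if m else s.strip()


def parse_service(line):
    """Recognise ComboFix 'S2 name;display;path' and HijackThis O23 lines."""
    m = re.match(r'^[RS]\d\s+([^;]+);([^;]*);(.+)$', line)
    if m:
        rest = m.group(3)
        return m.group(1), image_path(rest), rest.rstrip().endswith("[?]")
    m = re.match(r'^O23 - Service: (.+?)(?: \([^)]*\))? - .+? - (.+)$', line)
    if m:
        rest = m.group(2)
        return m.group(1), image_path(rest), "(file missing)" in rest
    return None


def check_service(svc, line):
    name, path, missing = svc
    parts = path.replace("/", "\\").split("\\")
    base, parent = parts[-1], "\\".join(parts[:-1]).lower()
    out = []
    legit = lookalike_of(base)
    if legit:
        out.append(("high", f"service '{name}' runs {base}, a near-miss of {legit}", line))
    if parent == "c:\\windows":
        out.append(("medium", f"service '{name}' image sits in the Windows root, not system32", line))
    if missing:
        out.append(("low", f"service '{name}' points at a file that no longer exists", line))
    return out


def triage(log_text):
    """Scan log lines and return (severity, reason, line) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.search(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(("high", "Windows Firewall disabled in the standard profile", line))
        elif re.search(r'ProxyServer\s*=\s*(127\.0\.0\.1|localhost)(:\d+)?', line, re.I):
            findings.append(("high", "browser proxy points at localhost", line))
        elif re.match(r'^O[23] - ', line) and "(no file)" in line:
            findings.append(("low", "orphaned BHO/toolbar entry with no backing file", line))
        else:
            svc = parse_service(line)
            if svc:
                findings.extend(check_service(svc, line))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, reason, line in results:
        print(f"[{sev:<6}] {reason}\n         {line}")
    print(summarize(results))
```

The point of the lookalike check is that a service name such as WDefend tells you nothing, but the image name does: a one-edit difference from svchost.exe is worth a closer look even when every other field looks ordinary. The "file missing" findings are deliberately low severity, since the HijackThis log above also lists several harmless leftovers of uninstalled Logitech and McAfee components in the same state.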

#6
Dara

    New Member

  • Members
  • Pip
  • 2 posts
  • Gender:Female
  • Location:Long Beach, CA USA
I had the same stupid virus -- found these boards with the combofix instructions. It wouldn't run in normal mode - I had to go into SAFE mode & run it - it worked like a charm!!!

Thanks again malwarebytes!!!
You never know if you like something, until you try it....

#7
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Hi Poisn,

How are things running now?

#8
Poisn

    New Member

  • Members
  • Pip
  • 8 posts

Rosty, on Oct 22 2009, 10:14 AM, said:

Hi Poisn,

How are things running now?


Hey Rosty, things are running great :-D 10x better than before, and so far I haven't seen Security Tool come back. It usually comes back every few hours, and nothing so far.

#9
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Your computer now seems to be clean.

The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
  • Go to Start
  • Click on Run
  • Type ComboFix /u (Note: This command is case sensitive.)

  • Clean out Temporary Files etc.
    This program is for Vista, XP and Windows 2000 only
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All. Then remove the check mark for cookies
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • Remove the check mark for Cookies
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.
    If you use Opera browser
    • Click Opera at the top and
    • choose: Select All.
    • Remove the check mark for Cookies
    • Click the Empty Selected button.
    It is a good idea to do this every few weeks as a lot of junk collects there over time.


  • Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and press OK
    Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
    Press OK and Yes to confirm


  • Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK


  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

  • Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with Winpatrol.

  • If you are using Internet Explorer v. 6
    Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    There are good reasons to upgrade to Internet Explorer v. 7. Do look into this. You can find a lot of information about it on Microsoft's website.

  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least a few times a week (Once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.

  • Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.

  • Visit Microsoft's Windows Update Site Frequently or better yet set computer for automatic updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.


  • Please check out Tony Klein's article "How did I get infected in the first place?"
Follow this list and your potential for being infected again will reduce dramatically. (prevention speech by Elrond)


Regards,

Rosty.
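The Internet Explorer and hidden-files steps in Rosty's post above are all registry-backed settings, so whether they actually "stuck" can be verified without clicking through the dialogs again. The following is an added example, not something from the thread or from Malwarebytes: it compares a snapshot of the relevant HKEY_CURRENT_USER values against the levels the post recommends. The URL-action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the 0/1/3 level encoding follow Microsoft's documented Internet zone settings, and the two registry paths are the standard per-user locations; treat that mapping as an assumption to verify against the IE version in use. On a non-Windows machine the script runs the audit on a constructed snapshot instead of reading the registry.

```python
"""Check that the Internet Explorer zone and Explorer view settings from the
post above were applied, by auditing a registry snapshot against the
recommended values.

Added example, not part of the thread. Assumptions: URL-action IDs and their
meanings follow Microsoft's documented Internet zone settings (0 = Enable,
1 = Prompt, 3 = Disable); both registry paths are the standard
HKEY_CURRENT_USER locations. Verify the IDs against the IE version in use.
"""
import sys

# HKCU subkeys holding the settings the post asks the user to change.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
EXPLORER_ADV_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "not set"}

# URL-action ID -> (setting name, minimum acceptable level), from the post's IE steps.
RECOMMENDED_ZONE = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Explorer view values from the hidden-files step -> (setting name, exact value wanted).
RECOMMENDED_EXPLORER = {
    "Hidden": ("Do not show hidden files and folders", 2),
    "ShowSuperHidden": ("Hide protected operating system files", 0),
    "HideFileExt": ("Show extensions for known file types", 0),
}


def audit_zone(values):
    """Return [(id, name, actual, wanted)] for zone actions missing or looser than wanted.

    Enable (0) < Prompt (1) < Disable (3), so a value stricter than the
    recommendation is not reported.
    """
    findings = []
    for action_id, (name, wanted) in RECOMMENDED_ZONE.items():
        actual = values.get(action_id)
        if actual is None or actual < wanted:
            findings.append((action_id, name, actual, wanted))
    return findings


def audit_explorer(values):
    """Return [(value, name, actual, wanted)] for Explorer view settings that differ."""
    findings = []
    for value_name, (name, wanted) in RECOMMENDED_EXPLORER.items():
        actual = values.get(value_name)
        if actual != wanted:
            findings.append((value_name, name, actual, wanted))
    return findings


def read_hkcu_values(subkey, names):
    """Read the named DWORD values from HKEY_CURRENT_USER\\<subkey>. Windows only."""
    import winreg  # standard library, but only present on Windows
    found = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        for name in names:
            try:
                found[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # left out so the audit reports it as "not set"
    return found


def format_findings(findings, level_names=None):
    """Render findings one per line; an empty list renders as a single OK line."""
    if not findings:
        return ["OK: all checked settings are at or above the recommended level"]
    level_names = level_names or {}
    return ["WEAK: %s (%s) is %s, wanted %s" % (
                name, key, level_names.get(actual, actual), level_names.get(wanted, wanted))
            for key, name, actual, wanted in findings]


if __name__ == "__main__":
    if sys.platform == "win32":
        zone = read_hkcu_values(INTERNET_ZONE_KEY, RECOMMENDED_ZONE)
        explorer = read_hkcu_values(EXPLORER_ADV_KEY, RECOMMENDED_EXPLORER)
    else:
        # Constructed snapshot for running off-box: signed ActiveX still at
        # Enable, unsigned ActiveX at Prompt, everything else as recommended.
        zone = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE,
                "1800": PROMPT, "1804": PROMPT, "1607": PROMPT}
        explorer = {"Hidden": 1, "ShowSuperHidden": 0, "HideFileExt": 1}
    for line in format_findings(audit_zone(zone), LEVEL_NAMES):
        print(line)
    for line in format_findings(audit_explorer(explorer)):
        print(line)
```

The zone audit treats a stricter value than recommended as acceptable (Disable where the post says Prompt), since the ordering 0 < 1 < 3 matches increasing restriction; the Explorer checks are exact because those values are flags, not levels. A setting that is absent from the key is reported as "not set" rather than silently passed, which is the case a checker most often gets wrong.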

#10
Poisn

    New Member

  • Members
  • Pip
  • 8 posts
Thank you SOOOOOOOOO much Rosty, I'm going to get on all that right now :-D Thank you for your time and for all the help :-) Couldn't have done it without you, that's for sure :-P Can't tell you how thankful I am, lol

Thanks again :-P,

Poisn

#11
Poisn

    New Member

  • Members
  • Pip
  • 8 posts
OK, got most of that done :-D Just need to scan now, but seeing as that takes a while I figured I would post here really quick. Was reading through the steps and saw Windows Firewall was not recommended; just wanted to know if you had any suggestions for a free firewall, or if there are any good ones. Also, I loaded up WinPatrol and was looking through it and found C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ETILQS_JM4FUTI7YU1QTQGYBO1G hidden? Says it's being used by my system, but it reminds me a lot of the random numbers/letters the virus always installed under and got me a little worried lol

Thanks,

Poisn

#12
Poisn

    New Member

  • Members
  • Pip
  • 8 posts
OK, got my scan done. It came up with one thing; I dunno if it's something that will come back or not, but here it is :-)

Malwarebytes' Anti-Malware 1.41
Database version: 3012
Windows 5.1.2600 Service Pack 2

10/22/2009 4:31:54 PM
mbam-log-2009-10-22 (16-31-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 338292
Time elapsed: 1 hour(s), 30 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks for all the help,

Poisn

#13
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Looks like MBAM found and deleted it. Try the quick scan from MBAM please?

#14
Poisn

    New Member

  • Members
  • Pip
  • 8 posts

Rosty, on Oct 22 2009, 04:55 PM, said:

Looks like MBAM found and deleted it. Try the quick scan from MBAM please?


All clean :-D

Malwarebytes' Anti-Malware 1.41
Database version: 3012
Windows 5.1.2600 Service Pack 2

10/22/2009 6:49:27 PM
mbam-log-2009-10-22 (18-49-27).txt

Scan type: Quick Scan
Objects scanned: 124685
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


lol, so nice to be virus free ^.^ Thanks so much
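The two Malwarebytes' Anti-Malware logs posted in #12 and #14 follow a fixed layout: a header, a block of "Category: N" summary counts, then one detail section per category holding either "(No malicious items detected)" or one line per detection in the form "location (Detection.Name) -> action". When triaging logs users paste into a thread, the useful questions are what was detected, whether every item was actually removed, and whether the summary counts agree with the detail sections (they disagree when a paste is truncated). The parser below is an added example, not from the thread or from Malwarebytes; it is written against the layout visible in the two posts, and SAMPLE_LOG is constructed to match that layout (the registry key and detection name are the ones from post #12).

```python
"""Parse and triage Malwarebytes' Anti-Malware 1.x text logs like the two
posted in this thread (the full scan that removed one registry key and the
clean quick scan).

Added example, not from the thread or from Malwarebytes. The parser is
written against the log layout visible in the posts; SAMPLE_LOG below is
constructed to match that layout.
"""
import re

# Constructed sample in the layout of the thread's full-scan log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3012
Windows 5.1.2600 Service Pack 2

10/22/2009 4:31:54 PM
mbam-log-2009-10-22 (16-31-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 338292
Time elapsed: 1 hour(s), 30 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WDefend (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

VERSION_PREFIX = "Malwarebytes' Anti-Malware "
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")        # summary line with a number
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")             # detail section header
META_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.*)$")
# "<location> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text):
    """Return {"version", "meta", "counts", "items"} parsed from an MBAM 1.x log."""
    parsed = {"version": None, "meta": {}, "counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(VERSION_PREFIX):
            parsed["version"] = line[len(VERSION_PREFIX):]
            continue
        if line.startswith("Windows "):
            parsed["meta"]["OS"] = line
            continue
        m = COUNT_RE.match(line)
        if m:                                  # "Registry Keys Infected: 1"
            parsed["counts"][m.group(1)] = int(m.group(2))
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:                                  # "Registry Keys Infected:"
            section = m.group(1)
            continue
        m = META_RE.match(line)
        if m:
            parsed["meta"][m.group(1)] = m.group(2)
            continue
        if section and line != NO_ITEMS:       # a detection line inside a section
            m = ITEM_RE.match(line)
            if m:
                parsed["items"].append({"section": section, **m.groupdict()})
    return parsed


def summarize(parsed):
    """Triage view: what was found, whether it was cleaned, and whether the
    summary counts agree with the detail sections (a mismatch usually means a
    truncated or mangled paste)."""
    total = sum(parsed["counts"].values())
    unresolved = [i for i in parsed["items"] if "successfully" not in i["action"].lower()]
    return {
        "total_found": total,
        "families": sorted({i["name"] for i in parsed["items"]}),
        "unresolved": unresolved,
        "counts_match_items": total == len(parsed["items"]),
    }


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("MBAM %s, DB %s, %s" % (result["version"], result["meta"].get("Database version"),
                                  result["meta"].get("Scan type")))
    for item in result["items"]:
        print("%s: %s [%s] -> %s" % (item["section"], item["location"], item["name"], item["action"]))
    print(summarize(result))
```

Run on the thread's full-scan log this reports one Trojan.FakeAlert item, nothing unresolved, and counts consistent with the detail sections; on the quick-scan log it reports zero found. The "unresolved" list is the part worth looking at on a real case: an action other than "Quarantined and deleted successfully" (for example a delete-on-reboot) is exactly the kind of item a helper asks the poster to rescan for, which is what Rosty did here.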

#15
Rosty

    Advanced Member

  • Trusted Advisors
  • PipPipPip
  • 126 posts
  • Gender:Male
  • Location:Belgium
  • Interests:Skydiving and helping others with PC problems!!
Glad I could help! :lol:
