To whom it may concern. My computer recently just got infected with the Spyware2009 program. I installed Malywarebytes onto my flash drive, but everytime I try to launch, nothing happens. below is my log. please let me know what i can do next. thank you!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:17 AM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\svcho.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
E:\PortableApps\PortableApps\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\DOCUME~1\GIFTED\LOCALS~1\Temp\E_S37.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165103620734
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} (MPEX Control) - https://plaympe.com/activex/PlayMPEX.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gaoportal1.gao.gov/dana-cached/setu...perSetupSP1.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.4.cab
O18 - Filter hijack: text/html - {cfe185ef-b58c-442f-96f5-38a3b9739201} - C:\WINDOWS\system32\mst122.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 14592 bytes

Please copy this to your system and run it. Rename it if you have to, or try in Safe Mode if you have to.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Click Yes to allow ComboFix to continue scanning for malware.
• When the tool is finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

here's the combo box log:


ComboFix 09-03-04.01 - GIFTED 2009-03-05 7:39:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1514 [GMT -5:00]
Running from: c:\documents and settings\GIFTED\Desktop\bandy.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\ISM
c:\windows\IE4 Error Log.txt
c:\windows\sysguard.exe
c:\windows\system32\a.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekautxbxwdc.sys
c:\windows\system32\drivers\UACnebsoqju.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\senekaksunebdd.dll
c:\windows\system32\senekaniraronu.dat
c:\windows\system32\tdssservers.dat
c:\windows\system32\UACachsdvpj.dll
c:\windows\system32\UAChbqkcxvj.dat
c:\windows\system32\UAChrjaldds.log
c:\windows\system32\UACmkxxnweu.log
c:\windows\system32\UACmmaudeiy.dll
c:\windows\system32\UACoqihcmft.dll
c:\windows\system32\UACqmyiqdls.dll
c:\windows\system32\UACuwilrnno.log
c:\windows\system32\x64
c:\windows\Tasks\naqblqns.job

----- BITS: Possible infected sites -----

hxxp://vestepau.cn
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-04 07:49 . 2009-03-04 07:49 16,896 --a------ c:\windows\syssvc.exe
2009-03-04 07:49 . 2009-03-04 07:49 16,896 --a------ c:\windows\svcho.exe
2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech
2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks
2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek
2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative
2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345
2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech
2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks
2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek
2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative
2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123
2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2009-03-03 07:46 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-03-03 07:46 . 2009-03-05 07:23 5,510 --a------ c:\windows\system32\uacinit.dll
2009-02-11 03:10 . 2009-02-11 03:10 8 --a------ c:\windows\system32\nvModes.dat
2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common
2009-02-07 15:55 . 2009-02-07 15:56 9,662 --a------ c:\windows\EPISME00.SWB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint
2009-03-03 13:15 --------- d-----w c:\program files\Dell
2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL
2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-03 13:12 --------- d-----w c:\program files\GemMaster
2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft
2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks
2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks
2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD
2009-02-11 08:09 --------- d-----w c:\program files\Google
2009-01-15 08:39 90,112 ----a-w c:\windows\DUMP64b5.tmp
2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 13570048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 86016]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]
"nwiz"="nwiz.exe" [2008-07-25 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"svcho"="c:\windows\svcho.exe" [2009-03-04 16896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\svcho.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};\??\c:\windows\TEMP\11E.tmp --> c:\windows\TEMP\11E.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Common\helper.dll
BHO-{C9C42510-9B21-41c1-9DCD-8382A2D07C61} - c:\windows\system32\iehelper.dll
HKCU-Run-system tool - c:\windows\sysguard.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll
DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab
FF - ProfilePath - c:\documents and settings\GIFTED\Application Data\Mozilla\Firefox\Profiles\n0a54z4x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 07:48:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\c:\windows\TEMP\11E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\SbNp.DLL

- - - - - - - > 'lsass.exe'(792)
c:\program files\Neoteris\Secure Application Manager\gapsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~2\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\bandy\hidec.exe
c:\program files\SafeBoot\VDISK\SBEVMON.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\bandy\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-03-05 7:55:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 12:54:25

Pre-Run: 83,778,756,608 bytes free
Post-Run: 84,938,457,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
286 --- E O F --- 2009-03-05 12:24:39

here is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:38 AM, on 3/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\svcho.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
E:\PortableApps\PortableApps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061125
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBEVMON.EXE] C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE -WinLogon
O4 - HKLM\..\Run: [SafeBootTrayManager] "C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} (LightSurfUploadCtl Class) - http://pictures.sprintpcs.com/activex/Ligh...loadControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1165103620734
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} (MPEX Control) - https://plaympe.com/activex/PlayMPEX.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://gaoportal1.gao.gov/dana-cached/setu...perSetupSP1.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.3.4.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: SafeBoot Client Manager (SafeBootClientManager) - SafeBoot International - C:\Program Files\SafeBoot\SbClientManager.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 13278 bytes

I was able to run malyware bytes. Below is my log. As it was doing the scan, Trend Micro detected a trojan called TROJ FAKEALER.TV inside C:\Windows\svcho.exe and C:\Windows\syssvc.exe. It was able to quarantine the syssvc.exe file, but could not take care of svcho.exe.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/5/2009 8:07:17 AM
mbam-log-2009-03-05 (08-07-17).txt

Scan type: Quick Scan
Objects scanned: 78007
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{def85c80-216a-43ab-af70-1665edbe2780} (Spyware.Sinowal) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

STEP 01
Please disable Spybot TEA TIMER. DO NOT continue until Tea Timer is disabled.
Disable Teatimer
First step:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
• If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
• If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

• Open Spybot S&D
• Click Mode, choose Advanced Mode
• Go To the bottom of the Vertical Panel on the Left, Click Tools
• then, also in left panel, click Resident shows a red/white shield.
• If your firewall raises a question, say OK
• In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
• OK any prompts.
• Use File, Exit to terminate Spybot
• Reboot your machine for the changes to take effect.

STEP 02
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• Disconnect from the Internet.
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 03
Your version of MBAM is very old and needs to be updated.
The current database is: 1822 and you have 1749


Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Update
• When the update is complete, select the Scanner tab
• Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log.


STEP 04

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

• Save both reports to your desktop
• Please include the following logs in your next reply: DDS.txt and Attach.txt

ComboFix 09-03-04.01 - GIFTED 2009-03-06 20:36:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -5:00]
Running from: c:\documents and settings\GIFTED\Desktop\bip.exe
Command switches used :: c:\documents and settings\GIFTED\Desktop\CFscript.txt
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\DUMP64b5.tmp
c:\windows\EPISME00.SWB
c:\windows\svcho.exe
c:\windows\syssvc.exe
c:\windows\system32\nvModes.dat
c:\windows\system32\stu2.exe
c:\windows\system32\uacinit.dll
c:\windows\TEMP\11E.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uacinit.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-05 08:24 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2009-03-05 08:24 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-03-05 08:24 . 2009-03-06 19:56 200,712 --a------ c:\windows\system32\nvapps.xml
2009-03-05 08:24 . 2008-09-17 23:55 18,394 --a------ c:\windows\system32\nvdisp.nvu
2009-03-05 08:02 . 2009-03-05 08:02 <DIR> d-------- c:\documents and settings\GIFTED\Application Data\Malwarebytes
2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-03 10:01 . 2009-03-06 08:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech
2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks
2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek
2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative
2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345
2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech
2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks
2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek
2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative
2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123
2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint
2009-03-03 13:15 --------- d-----w c:\program files\Dell
2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL
2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-03 13:12 --------- d-----w c:\program files\GemMaster
2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft
2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks
2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks
2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD
2009-02-11 08:09 --------- d-----w c:\program files\Google
2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-03-06_20.31.29.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-07 01:40:38 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"system tool"="c:\windows\sysguard.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]
S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll
DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab
FF - ProfilePath - c:\documents and settings\GIFTED\Application Data\Mozilla\Firefox\Profiles\n0a54z4x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 20:42:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\SbNp.DLL

- - - - - - - > 'lsass.exe'(784)
c:\program files\Neoteris\Secure Application Manager\gapsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~2\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\SafeBoot\VDISK\SBEVMON.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-03-06 20:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 01:50:52
ComboFix2.txt 2009-03-07 01:33:16
ComboFix3.txt 2009-03-05 12:55:44

Pre-Run: 84,690,288,640 bytes free
Post-Run: 84,664,578,048 bytes free

260 --- E O F --- 2009-03-06 08:00:28

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 3

3/6/2009 9:01:37 PM
mbam-log-2009-03-06 (21-01-37).txt

Scan type: Quick Scan
Objects scanned: 80302
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cfe185ef-b58c-442f-96f5-38a3b9739201} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mst122.dll (Trojan.Agent) -> Quarantined and deleted successfully.

DDS (Ver_09-02-01.01) - NTFSx86
Run by GIFTED at 21:04:12.31 on Fri 03/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -5:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\GIFTED\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
uRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBEVMON.EXE] c:\progra~1\safeboot\vdisk\SBEVMON.EXE -WinLogon
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\neoteris\secure application manager\gapsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165103620734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gaoportal1.gao.gov/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.4.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = SbNp5 scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gifted\applic~1\mozilla\firefox\profiles\n0a54z4x.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-2-22 101647]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-5 44752]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-2-22 6272]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-2-22 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-2-22 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-2-22 14960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-2-22 356352]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~2\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~2\tmproxy.exe [2006-8-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]
S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-03-06 20:36 <DIR> --d----- C:\bip
2009-03-05 08:24 200,712 a------- c:\windows\system32\nvapps.xml
2009-03-05 08:24 453,152 a------- c:\windows\system32\nvuninst.exe
2009-03-05 08:24 453,152 a------- c:\windows\system32\nvudisp.exe
2009-03-05 08:24 18,394 a------- c:\windows\system32\nvdisp.nvu
2009-03-05 08:02 <DIR> --d----- c:\docume~1\gifted\applic~1\Malwarebytes
2009-03-05 07:30 <DIR> a-dshr-- C:\cmdcons
2009-03-05 07:28 161,792 a------- c:\windows\SWREG.exe
2009-03-05 07:28 98,816 a------- c:\windows\sed.exe
2009-03-04 08:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 20:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 20:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 10:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-03 10:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-10 07:22 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-03 07:46 17,920 a------- c:\windows\system32\userinit.exe
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 21:04:25.51 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/2/2006 6:28:06 PM
System Uptime: 3/6/2009 8:40:11 PM (1 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 78.867 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP755: 12/6/2008 8:13:36 PM - System Checkpoint
RP756: 12/7/2008 10:21:33 PM - System Checkpoint
RP757: 12/9/2008 1:19:23 AM - System Checkpoint
RP758: 12/10/2008 1:51:41 AM - System Checkpoint
RP759: 12/11/2008 12:09:58 AM - Restore Operation
RP760: 12/12/2008 2:05:50 AM - System Checkpoint
RP761: 12/13/2008 2:27:47 AM - System Checkpoint
RP762: 12/13/2008 3:00:14 AM - Software Distribution Service 3.0
RP763: 12/14/2008 3:12:36 AM - System Checkpoint
RP764: 12/15/2008 4:12:37 AM - System Checkpoint
RP765: 12/16/2008 5:12:42 AM - System Checkpoint
RP766: 12/17/2008 5:24:38 AM - System Checkpoint
RP767: 12/18/2008 3:00:16 AM - Software Distribution Service 3.0
RP768: 12/19/2008 3:04:19 AM - System Checkpoint
RP769: 12/20/2008 3:13:23 AM - System Checkpoint
RP770: 12/21/2008 4:13:26 AM - System Checkpoint
RP771: 12/21/2008 5:22:52 PM - Removed Scratch LIVE 1.8.1 (18120)
RP772: 12/21/2008 5:23:11 PM - Installed Scratch LIVE 1.8.2 (18221)
RP773: 12/22/2008 5:25:25 PM - System Checkpoint
RP774: 12/23/2008 6:13:26 PM - System Checkpoint
RP775: 12/24/2008 7:13:24 PM - System Checkpoint
RP776: 12/25/2008 7:25:28 PM - System Checkpoint
RP777: 12/26/2008 8:25:29 PM - System Checkpoint
RP778: 12/27/2008 11:07:02 PM - System Checkpoint
RP779: 12/29/2008 1:24:00 AM - System Checkpoint
RP780: 12/30/2008 1:25:34 AM - System Checkpoint
RP781: 12/31/2008 2:13:33 AM - System Checkpoint
RP782: 1/1/2009 2:25:33 AM - System Checkpoint
RP783: 1/2/2009 3:25:38 AM - System Checkpoint
RP784: 1/3/2009 4:13:40 AM - System Checkpoint
RP785: 1/3/2009 7:23:35 PM - Installed Windows XP Wdf01005.
RP786: 1/5/2009 1:18:00 AM - System Checkpoint
RP787: 1/6/2009 1:30:13 AM - System Checkpoint
RP788: 1/7/2009 2:30:11 AM - System Checkpoint
RP789: 1/8/2009 2:42:13 AM - System Checkpoint
RP790: 1/9/2009 3:42:14 AM - System Checkpoint
RP791: 1/10/2009 4:30:15 AM - System Checkpoint
RP792: 1/11/2009 5:30:16 AM - System Checkpoint
RP793: 1/12/2009 6:30:17 AM - System Checkpoint
RP794: 1/13/2009 7:30:19 AM - System Checkpoint
RP795: 1/14/2009 8:55:26 AM - System Checkpoint
RP796: 1/15/2009 3:00:14 AM - Software Distribution Service 3.0
RP797: 1/16/2009 3:47:37 AM - System Checkpoint
RP798: 1/17/2009 4:47:39 AM - System Checkpoint
RP799: 1/18/2009 5:47:38 AM - System Checkpoint
RP800: 1/19/2009 6:47:40 AM - System Checkpoint
RP801: 1/20/2009 7:47:43 AM - System Checkpoint
RP802: 1/21/2009 7:59:44 AM - System Checkpoint
RP803: 1/22/2009 8:52:56 AM - System Checkpoint
RP804: 1/23/2009 9:48:50 AM - System Checkpoint
RP805: 1/24/2009 12:06:37 PM - System Checkpoint
RP806: 1/25/2009 4:39:33 PM - System Checkpoint
RP807: 1/26/2009 4:59:31 PM - System Checkpoint
RP808: 1/27/2009 5:47:50 PM - System Checkpoint
RP809: 1/28/2009 6:47:50 PM - System Checkpoint
RP810: 1/29/2009 6:59:52 PM - System Checkpoint
RP811: 1/30/2009 7:47:53 PM - System Checkpoint
RP812: 1/31/2009 8:47:54 PM - System Checkpoint
RP813: 2/1/2009 8:59:56 PM - System Checkpoint
RP814: 2/2/2009 11:50:52 PM - System Checkpoint
RP815: 2/3/2009 11:59:59 PM - System Checkpoint
RP816: 2/5/2009 1:18:33 AM - System Checkpoint
RP817: 2/6/2009 1:49:54 AM - System Checkpoint
RP818: 2/7/2009 2:00:06 AM - System Checkpoint
RP819: 2/8/2009 2:48:08 AM - System Checkpoint
RP820: 2/9/2009 3:50:48 AM - System Checkpoint
RP821: 2/10/2009 4:48:08 AM - System Checkpoint
RP822: 2/11/2009 3:00:14 AM - Software Distribution Service 3.0
RP823: 2/12/2009 3:13:27 AM - System Checkpoint
RP824: 2/13/2009 4:13:27 AM - System Checkpoint
RP825: 2/14/2009 5:13:28 AM - System Checkpoint
RP826: 2/15/2009 6:13:29 AM - System Checkpoint
RP827: 2/16/2009 7:44:11 AM - System Checkpoint
RP828: 2/17/2009 8:33:53 AM - System Checkpoint
RP829: 2/18/2009 8:57:03 AM - System Checkpoint
RP830: 2/19/2009 9:02:25 AM - System Checkpoint
RP831: 2/20/2009 9:25:34 AM - System Checkpoint
RP832: 2/21/2009 9:26:12 AM - System Checkpoint
RP833: 2/22/2009 11:06:52 AM - System Checkpoint
RP834: 2/22/2009 4:35:13 PM - Restore Operation
RP835: 2/23/2009 4:53:39 PM - System Checkpoint
RP836: 2/24/2009 4:56:51 PM - System Checkpoint
RP837: 2/25/2009 3:00:12 AM - Software Distribution Service 3.0
RP838: 2/25/2009 8:34:19 AM - Restore Operation
RP839: 2/26/2009 3:00:18 AM - Software Distribution Service 3.0
RP840: 2/27/2009 3:00:16 AM - Software Distribution Service 3.0
RP841: 2/28/2009 3:10:55 AM - System Checkpoint
RP842: 3/1/2009 4:10:54 AM - System Checkpoint
RP843: 3/2/2009 5:10:59 AM - System Checkpoint
RP844: 3/2/2009 7:09:51 AM - Removed Bonjour
RP845: 3/2/2009 7:10:36 AM - Removed NetZeroInstallers
RP846: 3/3/2009 7:10:59 AM - System Checkpoint
RP847: 3/3/2009 8:11:19 AM - Removed Documentation & Support Launcher
RP848: 3/3/2009 8:11:56 AM - Removed Games, Music, & Photos Launcher
RP849: 3/3/2009 8:15:56 AM - Removed Digital Content Portal
RP850: 3/5/2009 9:50:47 AM - System Checkpoint
RP851: 3/6/2009 3:00:13 AM - Software Distribution Service 3.0
RP852: 3/6/2009 9:04:35 AM - ComboFix created restore point
RP853: 3/6/2009 8:36:43 PM - ComboFix created restore point

==== Installed Programs ======================

Adobe Audition 1.0
Adobe Audition 2.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
CDDRV_Installer
Creative MediaSource
Dell CinePlayer
Dell Driver Reset Tool
Dell Support 3.2.1
Dell System Restore
EducateU
EPSON ESPR220 Reference Guide
EPSON Print CD
EPSON Printer Software
ESPNMotion
FlashFXP v3
getPlus®_ocx
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
IL Download Manager
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Intel® PRO Network Connections
iTunes
J2SE Runtime Environment 5.0 Update 6
Juniper Networks Host Checker
Juniper Terminal Services Client
KhalSetup
LimeWire 4.16.6
Logitech Communications Manager
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mogul User Guide
Move Networks Media Player for Internet Explorer
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
NVIDIA PhysX v8.07.18
Play MPE Player
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scratch LIVE 1.8.2 (18221)
Secure Application Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SHOUTcast Source DSP 1.9.0 (remove only)
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sonic Update Manager
Sound Blaster X-Fi
Spybot - Search & Destroy
Trend Micro PC-cillin Internet Security 14
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Warcraft III: All Products
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xone Mixed In Key 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

3/3/2009 7:53:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2009 7:50:16 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
3/3/2009 7:30:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
3/3/2009 10:31:59 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SbPrcCtl Tcpip tmtdi WS2IFSL
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:59 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 10:31:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
3/3/2009 10:13:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.
3/3/2009 9:58:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm RsvLock SbPrcCtl tmtdi
3/3/2009 9:42:48 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/3/2009 9:34:35 AM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).
3/3/2009 9:33:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/3/2009 8:27:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/3/2009 8:09:01 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/3/2009 8:09:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
3/3/2009 8:00:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
3/3/2009 8:00:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/3/2009 8:03:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
3/5/2009 7:22:11 AM, error: Dhcp [1002] - The IP address lease 98.233.23.210 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/5/2009 7:38:48 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/5/2009 8:15:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/5/2009 8:18:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
3/5/2009 8:22:07 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8060c56e, parameter3 b9ce35b0, parameter4 00000000.
3/6/2009 7:36:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/6/2009 8:06:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The SafeBoot Client Manager service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Please uninstall the following programs that have old exploited code.
Adobe Reader 7.0.8
J2SE Runtime Environment 5.0 Update 6


Please uninstall this P2P prorgram and any others you may be running if you want us to continue to help you remove this Malware.
Using P2P software is often how users become infected in the first place and it's counter productive to keep fighting it.
LimeWire 4.16.6

File sharing involves using technology that allows internet users to share files that are housed on their individual computers. Peer-to-peer (P2P) applications, such as those used to share music files, are some of the most common forms of file-sharing technology. However, P2P applications introduce security risks that may put your information or your computer in jeopardy. Risks of File-Sharing Technology


These file dates and times don't look correct. These files are very old and should probably have had updates by now.
They may be perfectly legit, but just seem odd due to age fo the files.

2007-11-28 19:12 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:12 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:12 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:12 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:12 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

Ok, I un-installed adobe, limeware, and java. I've noticed two strange things when I boot up. When I first start up, I just get my desktop background. I can pull up task manager and manually start up explorer.exe. After explorer loads, my desktop loads up fine. Then a Common Folder opens (C:\Programs\Common).

Any suggestions?

Please delete your current copy of Combofix.exe and download a FRESH new copy and run it.
Then post back the log.


Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

Okay the Comon Folder coming up is gone, but I still had to manually start up explorer.exe. Here's my log:


ComboFix 09-03-06.02 - GIFTED 2009-03-07 8:34:36.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1286 [GMT -5:00]
Running from: c:\documents and settings\GIFTED\Desktop\ComboFix.exe
AV: PC-cillin Internet Security - Virus Protection *On-access scanning enabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://vestepau.cn
.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-06 22:32 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvuninst.exe
2009-03-06 22:32 . 2008-09-17 23:55 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-03-06 22:32 . 2009-03-06 22:32 200,712 --a------ c:\windows\system32\nvapps.xml
2009-03-06 22:32 . 2008-09-17 23:55 18,394 --a------ c:\windows\system32\nvdisp.nvu
2009-03-06 20:36 . 2009-03-06 20:51 <DIR> d-------- C:\bip
2009-03-05 08:02 . 2009-03-05 08:02 <DIR> d-------- c:\documents and settings\GIFTED\Application Data\Malwarebytes
2009-03-04 08:32 . 2009-03-04 23:05 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 20:02 . 2009-03-03 20:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 20:02 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 20:02 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-03 10:01 . 2009-03-03 10:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-03 10:01 . 2009-03-06 08:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 09:31 . 2009-03-03 09:31 <DIR> d-------- c:\documents and settings\test345\Application Data\Logitech
2009-03-03 09:30 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test345\Application Data\Juniper Networks
2009-03-03 09:30 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test345\Application Data\Gtek
2009-03-03 09:30 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test345\Application Data\Creative
2009-03-03 09:30 . 2009-03-03 09:30 <DIR> d-------- c:\documents and settings\test345
2009-03-03 09:09 . 2009-03-03 09:09 <DIR> d-------- c:\documents and settings\test123\Application Data\Logitech
2009-03-03 09:07 . 2008-03-18 08:35 <DIR> d-------- c:\documents and settings\test123\Application Data\Juniper Networks
2009-03-03 09:07 . 2006-11-25 13:31 <DIR> d--h----- c:\documents and settings\test123\Application Data\Gtek
2009-03-03 09:07 . 2006-11-25 13:08 <DIR> d-------- c:\documents and settings\test123\Application Data\Creative
2009-03-03 09:07 . 2009-03-03 09:07 <DIR> d-------- c:\documents and settings\test123
2009-03-03 08:00 . 2009-03-03 08:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Juniper Networks
2009-02-11 03:09 . 2009-02-11 03:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-10 07:22 . 2009-03-05 07:39 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 03:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 13:20 --------- d-----w c:\program files\Viewpoint
2009-03-03 13:15 --------- d-----w c:\program files\Dell
2009-03-03 13:15 --------- d-----w c:\program files\Common Files\AOL
2009-03-03 13:15 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-03 13:14 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-03 13:12 --------- d-----w c:\program files\GemMaster
2009-03-03 05:08 --------- d-----w c:\program files\World of Warcraft
2009-03-02 12:43 --------- d-----w c:\documents and settings\GIFTED\Application Data\Juniper Networks
2009-03-02 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-02-28 01:22 --------- d-----w c:\documents and settings\GIFTED\Application Data\Move Networks
2009-02-20 12:49 --------- d-----w c:\program files\EPSON Print CD
2009-02-11 08:09 --------- d-----w c:\program files\Google
.

------- Sigcheck -------

2004-08-10 05:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 19:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-03 07:46 17920 3d2deea032afd945261542b345733a5f c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot_2009-03-06_20.31.29.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-07 01:21:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-07 13:40:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 321040]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"EPSON Stylus Photo R220 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SBEVMON.EXE"="c:\progra~1\SafeBoot\vdisk\SBEVMON.EXE" [2007-10-26 176128]
"SafeBootTrayManager"="c:\program files\SafeBoot Tray Manager\SbTrayManager.exe" [2007-06-12 69632]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-01 c:\windows\system32\CTXFIHLP.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-18 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-30 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbNp5 scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\Documents and Settings\\GIFTED\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-02-22 101647]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-07-16 44720]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-05 44752]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-02-22 6272]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-02-22 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-02-22 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-02-22 14960]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\SafeBoot\SbClientManager.exe [2008-02-22 356352]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~2\Tmntsrv.exe [2006-09-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2006-08-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-09-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~2\tmproxy.exe [2006-08-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-08-29 280392]
S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13008daa-54bf-11dd-ae7c-001676b7ead6}]
\Shell\AutoRun\command - e:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
LSP: c:\program files\Neoteris\Secure Application Manager\gapsp.dll
DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 08:50:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\SbNp.DLL

- - - - - - - > 'lsass.exe'(788)
c:\program files\Neoteris\Secure Application Manager\gapsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~2\PcCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\combofix\hidec.exe
c:\windows\ehome\ehmsas.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-03-07 8:58:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 13:57:12
ComboFix2.txt 2009-03-07 01:51:00
ComboFix3.txt 2009-03-07 01:33:16
ComboFix4.txt 2009-03-05 12:55:44

Pre-Run: 84,365,283,328 bytes free
Post-Run: 82,445,426,688 bytes free

244 --- E O F --- 2009-03-06 08:00:28

The logs seem to indicate that you're loading Windows in SAFE MODE not Normal Mode.

When the computer starts up do you get a menu choice? Try tapping the F8 key and select Normal Windows and see if it will load properly.

STEP 01
RootRepeal - Rootkit Detector

• Please download the following tool: RootRepeal - Rootkit Detector
• Direct download link is here: RootRepeal.rar
• If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
• Extract the program file to a new folder such as C:\RootRepeal
• Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
• When done, click on Save Report
• Save it to the same location where you ran it from, such as C:\RootRepeal
• Save it as your_name_rootrepeal.txt - where your_name is your forum name
• This makes it more easy to track who the log belongs to.
• Then open that log and select all and copy/paste it back on your next reply please.
• Quit the RootRepeal program.

STEP 02

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

• Save both reports to your desktop
• Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG
• Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
• Select "Enable Boot Logging" option and press enter.
• Windows prompts you to select a Windows Installation (even if there is only one windows installation)
• This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
  
  If you're already running inside Windows you can enable it the following way.
  
• Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
• Click on OK and you will be prompted to RESTART Windows. Please do restart now.
• After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
• From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.

STEP 04
Please download the following scanning tool. GMER

• Open the zip file and copy the file gmer.exe to your Desktop.
• Double click on gmer.exe and run it.
• It may take a minute to load and become available.
• Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
• Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
• Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
• DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
• Click OK and quit the GMER program.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/03/08 10:40
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xBA490000 Size: 30592 File Visible: No
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xBA128000 Size: 60416 File Visible: No
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA4A33000 Size: 749568 File Visible: No
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xBA5F6000 Size: 6464 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA238000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\GIFTED\Desktop\MUSIC DOWNLOADS\david_20banner_20ft[1]._20busta_20rhymes_20-_20i_20dont_20give_20a_20fuck_20-_20buckmarleyxxx.blogspot.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\GIFTED\Desktop\MUSIC DOWNLOADS\David_Banner-_Stand_Up__Ft._Dem_Hood_Starz.mp3:Zone.Identifier
Status: Invisible to the Windows API!

SSDT
-------------------
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\Drivers\SbPrcCtl.SYS" at address 0xa764e9b1

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x878d1da8]
Process: System Address: 0x87cfb260 Size: -

Object: Hidden Code [ETHREAD: 0x8757eda8]
Process: System Address: 0x87ce9280 Size: -

Object: Hidden Code [ETHREAD: 0x878beda8]
Process: System Address: 0x87d2e7d0 Size: -

Object: Hidden Code [ETHREAD: 0x875d6da8]
Process: System Address: 0x87ccc610 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87cc476c Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87cc4766 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x87cc477e Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87cc4784 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x87cc4778 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x87cc4760 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x87cc01ac Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87cc476c Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87cc4766 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87cc4772 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x87cc477e Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87cc4784 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x87cc4778 Size: -

DDS (Ver_09-02-01.01) - NTFSx86
Run by GIFTED at 10:51:29.51 on Sun 03/08/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1227 [GMT -4:00]

AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SafeBoot\SbClientManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SafeBoot\vdisk\SBEVMON.EXE
C:\Program Files\SafeBoot Tray Manager\SbTrayManager.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\GIFTED\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
uRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /M "Stylus Photo R220" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [EPSON Stylus Photo R220 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P39 "EPSON Stylus Photo R220 Series (Copy 1)" /O6 "USB002" /M "Stylus Photo R220"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBEVMON.EXE] c:\progra~1\safeboot\vdisk\SBEVMON.EXE -WinLogon
mRun: [SafeBootTrayManager] "c:\program files\safeboot tray manager\SbTrayManager.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\neoteris\secure application manager\gapsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {528C14CD-CF9E-489C-A365-5999F17B69B9} - hxxp://pictures.sprintpcs.com/activex/LightSurfUploadControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165103620734
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D1519EBF-06AB-4FDD-8DB2-836893F3DED7} - hxxps://plaympe.com/activex/PlayMPEX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gaoportal1.gao.gov/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.4.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = SbNp5 scecli

============= SERVICES / DRIVERS ===============

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-2-22 101647]
R0 SBAlg;SBAlg;c:\windows\system32\drivers\SbAlg.sys [2007-7-16 44720]
R0 SBAlg01;SBAlg01;c:\windows\system32\drivers\SBALG01.SYS [2004-11-29 7504]
R0 SBAlg12;SBAlg12;c:\windows\system32\drivers\SBALG12.SYS [2006-10-5 44752]
R0 SbEncVol;SbEncVol;c:\windows\system32\drivers\sbencvol.sys [2007-10-26 23552]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-2-22 6272]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\RsvLock.sys [2008-2-22 5840]
R1 SbFlop;SbFlop;c:\windows\system32\drivers\SbFlop.sys [2008-2-22 34000]
R1 SbPrcCtl;SbPrcCtl;c:\windows\system32\drivers\SbPrcCtl.sys [2008-2-22 14960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SafeBootClientManager;SafeBoot Client Manager;c:\program files\safeboot\SbClientManager.exe [2008-2-22 356352]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~2\Tmntsrv.exe [2006-9-18 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2006-8-29 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-11 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~2\tmproxy.exe [2006-8-29 566872]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-8-29 280392]
S0 rpgr;rpgr;c:\windows\system32\drivers\jkfrnexd.sys --> c:\windows\system32\drivers\jkfrnexd.sys [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-8-16 26488]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-03-08 10:24 18,801 a------- C:\RootRepeal.dmp
2009-03-08 10:21 0 a------- C:\settings.dat
2009-03-08 10:20 446,464 a------- C:\RootRepeal.exe
2009-03-07 18:36 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-07 10:32 <DIR> --d----- c:\windows\pss
2009-03-07 10:30 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-07 10:30 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-07 10:30 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-07 10:30 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-07 10:30 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-07 10:30 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-07 10:30 <DIR> --d----- C:\4eec6e5b9e6f03319333abbc42e7a7
2009-03-07 10:30 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-07 10:30 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-07 10:29 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-07 10:27 <DIR> --d----- C:\5dd382b34908719fd5529793495b
2009-03-07 09:33 <DIR> --d----- C:\ComboFix
2009-03-06 23:32 200,712 a------- c:\windows\system32\nvapps.xml
2009-03-06 23:32 453,152 a------- c:\windows\system32\nvuninst.exe
2009-03-06 23:32 453,152 a------- c:\windows\system32\nvudisp.exe
2009-03-06 23:32 18,394 a------- c:\windows\system32\nvdisp.nvu
2009-03-06 21:36 <DIR> --d----- C:\bip
2009-03-05 09:02 <DIR> --d----- c:\docume~1\gifted\applic~1\Malwarebytes
2009-03-05 08:30 <DIR> a-dshr-- C:\cmdcons
2009-03-05 08:28 161,792 a------- c:\windows\SWREG.exe
2009-03-05 08:28 98,816 a------- c:\windows\sed.exe
2009-03-04 09:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-03 21:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 21:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 11:01 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-03 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-10 08:22 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2009-03-03 08:46 17,920 a------- c:\windows\system32\userinit.exe
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 05:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 05:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 01:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 01:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 10:51:43.24 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/2/2006 6:28:06 PM
System Uptime: 3/7/2009 8:40:03 AM (26 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Microprocessor | 2128/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 75.509 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP757: 12/9/2008 1:19:23 AM - System Checkpoint
RP758: 12/10/2008 1:51:41 AM - System Checkpoint
RP759: 12/11/2008 12:09:58 AM - Restore Operation
RP760: 12/12/2008 2:05:50 AM - System Checkpoint
RP761: 12/13/2008 2:27:47 AM - System Checkpoint
RP762: 12/13/2008 3:00:14 AM - Software Distribution Service 3.0
RP763: 12/14/2008 3:12:36 AM - System Checkpoint
RP764: 12/15/2008 4:12:37 AM - System Checkpoint
RP765: 12/16/2008 5:12:42 AM - System Checkpoint
RP766: 12/17/2008 5:24:38 AM - System Checkpoint
RP767: 12/18/2008 3:00:16 AM - Software Distribution Service 3.0
RP768: 12/19/2008 3:04:19 AM - System Checkpoint
RP769: 12/20/2008 3:13:23 AM - System Checkpoint
RP770: 12/21/2008 4:13:26 AM - System Checkpoint
RP771: 12/21/2008 5:22:52 PM - Removed Scratch LIVE 1.8.1 (18120)
RP772: 12/21/2008 5:23:11 PM - Installed Scratch LIVE 1.8.2 (18221)
RP773: 12/22/2008 5:25:25 PM - System Checkpoint
RP774: 12/23/2008 6:13:26 PM - System Checkpoint
RP775: 12/24/2008 7:13:24 PM - System Checkpoint
RP776: 12/25/2008 7:25:28 PM - System Checkpoint
RP777: 12/26/2008 8:25:29 PM - System Checkpoint
RP778: 12/27/2008 11:07:02 PM - System Checkpoint
RP779: 12/29/2008 1:24:00 AM - System Checkpoint
RP780: 12/30/2008 1:25:34 AM - System Checkpoint
RP781: 12/31/2008 2:13:33 AM - System Checkpoint
RP782: 1/1/2009 2:25:33 AM - System Checkpoint
RP783: 1/2/2009 3:25:38 AM - System Checkpoint
RP784: 1/3/2009 4:13:40 AM - System Checkpoint
RP785: 1/3/2009 7:23:35 PM - Installed Windows XP Wdf01005.
RP786: 1/5/2009 1:18:00 AM - System Checkpoint
RP787: 1/6/2009 1:30:13 AM - System Checkpoint
RP788: 1/7/2009 2:30:11 AM - System Checkpoint
RP789: 1/8/2009 2:42:13 AM - System Checkpoint
RP790: 1/9/2009 3:42:14 AM - System Checkpoint
RP791: 1/10/2009 4:30:15 AM - System Checkpoint
RP792: 1/11/2009 5:30:16 AM - System Checkpoint
RP793: 1/12/2009 6:30:17 AM - System Checkpoint
RP794: 1/13/2009 7:30:19 AM - System Checkpoint
RP795: 1/14/2009 8:55:26 AM - System Checkpoint
RP796: 1/15/2009 3:00:14 AM - Software Distribution Service 3.0
RP797: 1/16/2009 3:47:37 AM - System Checkpoint
RP798: 1/17/2009 4:47:39 AM - System Checkpoint
RP799: 1/18/2009 5:47:38 AM - System Checkpoint
RP800: 1/19/2009 6:47:40 AM - System Checkpoint
RP801: 1/20/2009 7:47:43 AM - System Checkpoint
RP802: 1/21/2009 7:59:44 AM - System Checkpoint
RP803: 1/22/2009 8:52:56 AM - System Checkpoint
RP804: 1/23/2009 9:48:50 AM - System Checkpoint
RP805: 1/24/2009 12:06:37 PM - System Checkpoint
RP806: 1/25/2009 4:39:33 PM - System Checkpoint
RP807: 1/26/2009 4:59:31 PM - System Checkpoint
RP808: 1/27/2009 5:47:50 PM - System Checkpoint
RP809: 1/28/2009 6:47:50 PM - System Checkpoint
RP810: 1/29/2009 6:59:52 PM - System Checkpoint
RP811: 1/30/2009 7:47:53 PM - System Checkpoint
RP812: 1/31/2009 8:47:54 PM - System Checkpoint
RP813: 2/1/2009 8:59:56 PM - System Checkpoint
RP814: 2/2/2009 11:50:52 PM - System Checkpoint
RP815: 2/3/2009 11:59:59 PM - System Checkpoint
RP816: 2/5/2009 1:18:33 AM - System Checkpoint
RP817: 2/6/2009 1:49:54 AM - System Checkpoint
RP818: 2/7/2009 2:00:06 AM - System Checkpoint
RP819: 2/8/2009 2:48:08 AM - System Checkpoint
RP820: 2/9/2009 3:50:48 AM - System Checkpoint
RP821: 2/10/2009 4:48:08 AM - System Checkpoint
RP822: 2/11/2009 3:00:14 AM - Software Distribution Service 3.0
RP823: 2/12/2009 3:13:27 AM - System Checkpoint
RP824: 2/13/2009 4:13:27 AM - System Checkpoint
RP825: 2/14/2009 5:13:28 AM - System Checkpoint
RP826: 2/15/2009 6:13:29 AM - System Checkpoint
RP827: 2/16/2009 7:44:11 AM - System Checkpoint
RP828: 2/17/2009 8:33:53 AM - System Checkpoint
RP829: 2/18/2009 8:57:03 AM - System Checkpoint
RP830: 2/19/2009 9:02:25 AM - System Checkpoint
RP831: 2/20/2009 9:25:34 AM - System Checkpoint
RP832: 2/21/2009 9:26:12 AM - System Checkpoint
RP833: 2/22/2009 11:06:52 AM - System Checkpoint
RP834: 2/22/2009 4:35:13 PM - Restore Operation
RP835: 2/23/2009 4:53:39 PM - System Checkpoint
RP836: 2/24/2009 4:56:51 PM - System Checkpoint
RP837: 2/25/2009 3:00:12 AM - Software Distribution Service 3.0
RP838: 2/25/2009 8:34:19 AM - Restore Operation
RP839: 2/26/2009 3:00:18 AM - Software Distribution Service 3.0
RP840: 2/27/2009 3:00:16 AM - Software Distribution Service 3.0
RP841: 2/28/2009 3:10:55 AM - System Checkpoint
RP842: 3/1/2009 4:10:54 AM - System Checkpoint
RP843: 3/2/2009 5:10:59 AM - System Checkpoint
RP844: 3/2/2009 7:09:51 AM - Removed Bonjour
RP845: 3/2/2009 7:10:36 AM - Removed NetZeroInstallers
RP846: 3/3/2009 7:10:59 AM - System Checkpoint
RP847: 3/3/2009 8:11:19 AM - Removed Documentation & Support Launcher
RP848: 3/3/2009 8:11:56 AM - Removed Games, Music, & Photos Launcher
RP849: 3/3/2009 8:15:56 AM - Removed Digital Content Portal
RP850: 3/5/2009 9:50:47 AM - System Checkpoint
RP851: 3/6/2009 3:00:13 AM - Software Distribution Service 3.0
RP852: 3/6/2009 9:04:35 AM - ComboFix created restore point
RP853: 3/6/2009 8:36:43 PM - ComboFix created restore point
RP854: 3/6/2009 10:11:49 PM - Removed Adobe Reader 7.0.8
RP855: 3/6/2009 10:12:28 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP856: 3/6/2009 10:30:30 PM - Removed NVIDIA PhysX v8.07.18
RP857: 3/7/2009 8:34:18 AM - ComboFix created restore point
RP858: 3/7/2009 9:26:54 AM - Software Distribution Service 3.0
RP859: 3/8/2009 3:00:17 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Audition 1.0
Adobe Audition 2.0
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Apple Mobile Device Support
Apple Software Update
CDDRV_Installer
Creative MediaSource
Dell CinePlayer
Dell Driver Reset Tool
Dell Support 3.2.1
Dell System Restore
EducateU
EPSON ESPR220 Reference Guide
EPSON Print CD
EPSON Printer Software
ESPNMotion
FlashFXP v3
getPlus®_ocx
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IL Download Manager
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Intel® PRO Network Connections
iTunes
Juniper Networks Host Checker
Juniper Terminal Services Client
KhalSetup
Logitech Communications Manager
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mogul User Guide
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
Play MPE Player
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scratch LIVE 1.8.2 (18221)
Secure Application Manager
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SHOUTcast Source DSP 1.9.0 (remove only)
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sonic Update Manager
Sound Blaster X-Fi
Spybot - Search & Destroy
Trend Micro PC-cillin Internet Security 14
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Warcraft III: All Products
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft
Xone Mixed In Key 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

3/3/2009 8:44:26 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss RsvLock SbPrcCtl Tcpip tmtdi WS2IFSL
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The Trend Micro Proxy Service service depends on the Trend Micro TDI Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:44:26 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2009 8:43:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2009 8:28:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm RsvLock SbPrcCtl tmtdi
3/3/2009 8:27:00 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/3/2009 8:09:01 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/3/2009 8:09:01 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
3/3/2009 8:00:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
3/3/2009 8:00:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/3/2009 8:58:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/3/2009 8:59:43 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
3/3/2009 9:33:47 AM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/3/2009 9:34:35 AM, error: Service Control Manager [7034] - The Trend Micro Proxy Service service terminated unexpectedly. It has done this 1 time(s).
3/3/2009 10:13:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume5'. It has stopped monitoring the volume.
3/3/2009 10:31:45 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume4'. It has stopped monitoring the volume.
3/3/2009 10:45:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
3/3/2009 8:03:41 PM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
3/5/2009 7:22:11 AM, error: Dhcp [1002] - The IP address lease 98.233.23.210 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/5/2009 7:38:48 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001676B7EAD6 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/5/2009 8:15:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/5/2009 8:18:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
3/5/2009 8:22:07 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8060c56e, parameter3 b9ce35b0, parameter4 00000000.
3/6/2009 7:36:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/6/2009 8:06:43 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for. (0x80072AFC)
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The SafeBoot Client Manager service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Personal Firewall service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Intel® Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Real-time Service service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7031] - The Media Center Extender Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Trend Micro Central Control Component service terminated unexpectedly. It has done this 1 time(s).
3/6/2009 9:04:52 AM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

is there any way you can increase the attachment space? i tried copy/pasting my ntblog.txt, but it keeps saying the data is too large. my log is 2.3 mbs. otherwise i can post several split posts. let me know.

here's the GMER log

Well both scanners detect an MBR RootKit
You also appear to possibly have a P2P file sharing worm. Do you have any Torrrent or other File Sharing software on this computer?


Path: Volume C:\
Status: MBR Rootkit Detected!


Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!

Please run the followoing. Download it from a friends computer or work computer and burn to CD then run on your infected computer.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

• Download the Avira AntiVir Rescue System from here
• Place a blank CD in your burner and double-click on the downloaded file.
• The program will automatically burn the CD for you.
• Place the burned CD into the affected computer and start the computer from this CD.
• On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
• Click on the Configuration button.
  
  • Select Scan all files
  • Select Try to repair infected files and Rename files, if they cannot be removed
  • Select Scan for dialers
  • Select Scan for joke programs (Jokes)
  • Select Scan for games
  • Select Scan for spyware (SPR)
• Click on Virus scanner
• Click on Start scanner at the bottom of the screen
• Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems
Please see the post here if you're unable to view the entire screen of Avira.

well i ran the avira scan, but now i cannot log back into my computer. as soon as click on which account to login in as, windows immediately logs me out. any ideas on how to fix that problem???


Avira found the following things:
- Exp/Java.Gmish.B.2 in few jvmimpro.jav......zip files
- TR/Agent.EQF, SPR/Tool.Ln, and SPR/dldr.delf. in a one specifc zip file
- TR/SPY.wsmpoem.KI in several IE...tmp files
- SPR/dldr in digstream.exe

- in the trend micro/quarantine folder was the following:
Tr/Dropper.en
RKIT/Tdss.eyi66
TR/PCK.tdss.f.135
TR/Crypt.XPACK.Gu
RKIT/tdss.eyj.65

-in Qoobox/Quarntine
TR/BHo.lvv in Program Files/Common/helper.dll
TR/Agent.azdy.2 in System 32/a.exe.vir
TR/Crypt.XPACK.gen in System 32/senkaksunebdd.dll.vir
TR/Drop.Agent.Esy in System32/userinit.exe

This file here: TR/Drop.Agent.Esy in System32/userinit.exe

The Anti-Virus appears to have renamed it because it couldn't fix it. That is a core file required by Windows to logon.

Do you have the Windows XP CD or can you borrow one to get the file from it?

yes, i was able to use the recovery console and copied the userinit.exe file back to the system32 folder. i was able to login. i just my log and it looks like everything is okay. see below:


Malwarebytes' Anti-Malware 1.34
Database version: 1848
Windows 5.1.2600 Service Pack 3

3/14/2009 4:54:00 AM
mbam-log-2009-03-14 (04-54-00).txt

Scan type: Quick Scan
Objects scanned: 81541
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please run the following so that we can make sure the system is clean now.


Please run the following to remove any tools that might have been used during the scaning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

• Click START then RUN
• Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

• 

• When shown the disclaimer, Select "2"

STEP B

Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C

Uninstall other tools
Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

• Double-click OTMoveIt3.exe to run it.
• While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
• It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  NOW please reboot your computer to finish the cleanup process

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
• Give the new Restore Point a name, then click "Create".
• The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use the Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr.exe
• Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.
• On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
• These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore

Then let's do an online AV scan.

Eset NOD32 Online AntiVirus

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Anvirisus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.