macdaddyx12

Can anyone help me?? It's been more than 3 days...I need help BADLY! Now the computer that is infected won't even start up properly... after a few seconds of being on the windows loading screen it will either restart on its own or tell me that "windows could not start because the follwing file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM ". The only thing I have managed to do without errors or restarts is get to the recovery console (which I've had since the last time you guys helped me out to get rid of malware). So, please, if anyone could help me....you'd be my savior for the year. WHAT DO I DO? I need to have my computer working next week! Sorry, I'm just worried. I need someone's help. Thanks ahead of time.

Ok so I downloaded a ringtone from a site my buddy said was okay, and I guess it wasn't 100% okay. My main comp is now infected with some stuff that makes my computer restart by itself at odd times or start to shut itself down after showing me an error with a timer and a message saying that the shutdown is being caused by lsass.exe. Also, a message pop up when I boot up and get to my desktop saying "AVCENTER.EXE cannot be started" and something about how "it cannot be found, has been modified, or destroyed". Also explorer (not iexplorer) disappears and reappears every once in a while, or whenever i try to go to my computer or my documents or start a program (like MBAM) from my start menu. I was able to get MBAM.exe and HJT to run in safe mode (i didnt use networking or command prompt, if that matters). I initially had 23 infections found by MBAM, so I cleared em out, except for 2 that needed to be deleted on reboot. I ran it again in safemode and the same 2 things are still there. I tried a 3 scan (using a full one this time) and those 2 things are there again. Below are my most recent MBAM and HJT logs. I don't know what to do, and I am only worried since I am starting graduate school in a week and a half...so I would more than appreciate it if I could find some help here. Thanks so much in advance to anyone who replies to this! -MacDaddyX12 ~~~~~~~~~~~~~~~~~~~~~`MBAM log~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Malwarebytes' Anti-Malware 1.39 Database version: 2475 Windows 5.1.2600 Service Pack 3 7/23/2009 9:09:50 PM mbam-log-2009-07-23 (21-09-50).txt Scan type: Full Scan (C:\|) Objects scanned: 281851 Time elapsed: 2 hour(s), 57 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: \\?\globalroot\systemroot\system32\geyekrehtiqjis.dll (Trojan.TDSS) -> Delete on reboot. Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: \\?\globalroot\systemroot\system32\geyekrehtiqjis.dll (Trojan.TDSS) -> Quarantined and deleted successfully. c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Delete on reboot. ~~~~~~~~~~~~~~~~~~~~~HJT log~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:54:30 PM, on 7/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16850) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Digital Media Reader\shwiconem.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\SetPoint\KEM.exe C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/fiu.edu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com O3 - Toolbar: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MinPos1024x768(1).y]

Thanks so much...you've been great! Have a great day

Ok well, things seem fine on the outside...but I reinstalled/updated/ran my McAfee's full scan and came back with some results (Vundo stuff....uh oh). I'll post the log below. On the other hand, I updated/ran my MBAM too, which came back with no malicious objects being detected. The only symptom that is still around out of the ones I had before is the constantly and suspiciously running rundll32.exe in the background. I'm just hoping I don't get reinfected somehow. Oh, and I also am incuding a HJT log below....just in case. _________________________________ Here is the log from my McAfee full scan: 4/26/2009 1:18:34 PM Engine version =5301.4018 4/26/2009 1:18:34 PM AntiVirus DAT version =5597.0000 4/26/2009 1:18:34 PM Number of detection signatures in EXTRA.DAT =None 4/26/2009 1:18:34 PM Names of detection signatures in EXTRA.DAT =None 4/26/2009 1:18:20 PM Scan Started T6412\Owner Full Scan 4/26/2009 1:19:53 PM Not scanned (The file is encrypted) Owner c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip\sbRecovery.reg 4/26/2009 1:19:55 PM Not scanned (The file is encrypted) Owner c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip\sbRecovery.reg 4/26/2009 1:45:27 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\mdata.ggz\mh.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\cn.ggz\default_cn.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\cn_s.ggz\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\en.ggz\default.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\en_s.ggz\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\id_s.ggz\server.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\tw.ggz\default_tw.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\GarenaTV\tw_s.ggz\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\FPSGame.dll.cn\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\FPSGame.dll.en\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\FPSGame.dll.tw\lang.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.br\Garena.exe.br.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.cn\Garena.exe.cn.xml 4/26/2009 1:45:30 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.en\Garena.exe.en.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.id\Garena.exe.id.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.ru\Garena.exe.ru.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.sp\Garena.exe.sp.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.th\Garena.exe.th.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.tw\Garena.exe.tw.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\Garena.exe.vn\Garena.exe.vn.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\GarenaTV_UI.dll.cn\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\GarenaTV_UI.dll.en\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\GarenaTV_UI.dll.id\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\GarenaTV_UI.dll.tw\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\update.exe.cn\update.exe.cn.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\update.exe.tw\update.exe.tw.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\update2.exe.cn\update2.exe.cn.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\update2.exe.tw\update2.exe.tw.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ass.dll.cn\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ass.dll.en\lang.xml 4/26/2009 1:45:31 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ass.dll.tw\lang.xml 4/26/2009 1:45:32 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ladder.dll.cn\lang.xml 4/26/2009 1:45:32 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ladder.dll.en\lang.xml 4/26/2009 1:45:32 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Languages\WC3Ladder.dll.tw\lang.xml 4/26/2009 1:45:34 PM Not scanned (The file is encrypted) Owner c:\Program Files\Garena\Skin\Skin.ggz\shop_gm_type.bmp 4/26/2009 2:03:36 PM Not scanned (The file is encrypted) Owner c:\Program Files\Runes of Magic\update.inf\install.ini 4/26/2009 2:28:49 PM Cleaned Owner c:\windows\system32\dekozeda.exe Vundo.gen.ap(Trojan) 4/26/2009 2:28:50 PM Deleted Owner C:\WINDOWS\SYSTEM32\DEKOZEDA.EXE Vundo.gen.ap(Trojan) 4/26/2009 2:28:50 PM Deleted Owner c:\WINDOWS\system32\dekozeda.exe Vundo.gen.ap(Trojan) 4/26/2009 2:36:26 PM Not scanned (The file is encrypted) Owner d:\i386\Apps\App12148\msc\agentins.ui\agentins.ini 4/26/2009 2:36:26 PM Not scanned (The file is encrypted) Owner d:\i386\Apps\App12148\msc\shared\agentcfg.cab\SCREM.UI\agntcons.vbs 4/26/2009 2:40:24 PM Deleted Owner L:\RECYCLER\BOOT.INI Generic Downloader.h(Trojan) 4/26/2009 2:40:25 PM Deleted Owner l:\RECYCLER\boot.ini Generic Downloader.h(Trojan) 4/26/2009 2:40:25 PM Deleted Owner L:\RECYCLER\CONFIG.SYS W32/Autorun.worm.d(Virus) 4/26/2009 2:40:25 PM Deleted Owner l:\RECYCLER\CONFIG.SYS W32/Autorun.worm.d(Virus) 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Scan Summary 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Processes scanned : 90 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Processes detected : 0 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Processes cleaned : 0 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Boot sectors scanned : 3 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Boot sectors detected: 0 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Boot sectors cleaned : 0 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Files scanned : 107337 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Files with detections: 3 4/26/2009 2:40:26 PM Scan Summary T6412\Owner File detections : 7 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Files cleaned : 0 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Files deleted : 3 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Files not scanned : 67 4/26/2009 2:40:26 PM Scan Summary T6412\Owner Run time : 1:22:06 4/26/2009 2:40:26 PM Scan Complete T6412\Owner Full Scan ________________________________________________________________________________ ___ Here is my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:59:10 PM, on 4/26/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\svchost.exe C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\SetPoint\KEM.exe C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/fiu.edu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll O2 - BHO: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader2.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174309756140 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe -- End of file - 7738 bytes -MacDaddy

THX miekiemoes! ComboFix seems to have fixed most of this up...I now have internet again. I know it doesn't necessarily mean my comp is clean, but it's a great start. I've posted my ComboFix log below. Just to be sure about what my next step is, I can go ahead and reinstall/update/run my McAfee virus scan now right? Also, I assume once I can do that then I should go ahead and take a moment to update/scan with my MBAM, as well as scan with HJT, and post those logs. Thanks again for helping me out and everyone else on these forums. __________________________ My HJT log: ComboFix 09-04-25.A3 - Owner 04/26/2009 11:57.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2215 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bnguviwr.ini c:\windows\system32\cmeiddiq.ini c:\windows\system32\crxdwecy.ini c:\windows\system32\cteanhjr.ini c:\windows\system32\drivers\KeenSense.sys c:\windows\system32\drivers\ksdevice.sys c:\windows\system32\drivers\UACmovbdqomqurteth.sys c:\windows\system32\dyuphtri.ini c:\windows\system32\enqpyomc.ini c:\windows\system32\fduydcbp.ini c:\windows\system32\fefilUvw.ini c:\windows\system32\fefilUvw.ini2 c:\windows\system32\fnelvwmk.ini c:\windows\system32\fotkwjqb.ini c:\windows\system32\fptodqdt.ini c:\windows\system32\fycjjvcp.ini c:\windows\system32\ghfcpjct.ini c:\windows\system32\gpogbdqu.ini c:\windows\system32\huhbnrhh.ini c:\windows\system32\hxbrfliy.ini c:\windows\system32\jmmgxwdb.ini c:\windows\system32\jokohvmg.ini c:\windows\system32\kiadqfpr.ini c:\windows\system32\ktbmqumb.ini c:\windows\system32\ldjcsdxf.ini c:\windows\system32\lntxidrd.ini c:\windows\system32\louwdqso.ini c:\windows\system32\lubfryjo.ini c:\windows\system32\mypmdlyv.ini c:\windows\system32\nmhkngnc.ini c:\windows\system32\pmogxido.ini c:\windows\system32\qffrnbmr.ini c:\windows\system32\ryhyursl.ini c:\windows\system32\smroviap.ini c:\windows\system32\tupxfkqq.ini c:\windows\system32\tvmkrfge.ini c:\windows\system32\UACbkbbjwnwmbppela.dll c:\windows\system32\UACcplqjlswvxmejwo.log c:\windows\system32\UACfnbqxyiyueuxqyl.log c:\windows\system32\UACfrklwblhbqltput.dll c:\windows\system32\UAChqlluibakmfriqq.dll c:\windows\system32\UACkpgrwekmeahavqn.log c:\windows\system32\UACoscpbasrnsflnri.dll c:\windows\system32\UACpgvdyvborowkwpp.dat c:\windows\system32\UACunyxuxpvbgmvdel.dll c:\windows\system32\uwjddlfl.ini c:\windows\system32\vnjsoffb.ini c:\windows\system32\wbanaahq.ini c:\windows\system32\wmjveakq.ini c:\windows\system32\xbsaadqr.ini c:\windows\system32\xkdqlxvi.ini D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_TDSSSERV.SYS ((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 ))))))))))))))))))))))))))))))) . 2009-04-22 20:48 . 2009-04-22 20:48 44360 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-15 14:59 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb 2009-04-15 14:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll 2009-04-15 14:59 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe 2009-04-15 14:57 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll 2009-04-15 14:57 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll 2009-04-15 14:57 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll 2009-04-15 14:57 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe 2009-04-15 14:57 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll 2009-04-15 14:57 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll 2009-04-15 14:57 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll 2009-04-15 14:57 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe 2009-04-15 14:57 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll 2009-04-10 00:52 . 2005-01-22 19:12 679936 ----a-w c:\windows\system32\D3DX81ab.dll 2009-04-10 00:48 . 2009-04-10 00:48 -------- d-----w c:\program files\WinPcap 2009-04-09 00:47 . 2009-04-19 15:16 -------- d-----w c:\documents and settings\Armando\Application Data\MYPOINTS 2009-04-04 00:04 . 2009-04-04 00:04 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\CurseClient . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-26 16:09 . 2006-01-06 00:15 552370 ----a-w C:\lxcf.log 2009-04-26 01:22 . 2008-06-09 22:46 -------- d-----w c:\program files\Warcraft III 2009-04-23 00:25 . 2006-12-11 20:08 -------- d-----w c:\program files\Trend Micro 2009-04-22 23:44 . 2008-07-30 00:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-22 03:49 . 2009-01-22 03:49 51200 --sha-w c:\windows\system32\dekozeda.exe 2009-04-22 02:52 . 2009-03-26 02:30 -------- d-----w c:\program files\Garena 2009-04-21 16:50 . 2009-03-20 13:06 -------- d-----w c:\program files\Runes of Magic 2009-04-17 20:20 . 2007-04-04 01:17 -------- d-----w c:\documents and settings\Owner\Application Data\Azureus 2009-04-17 02:35 . 2009-03-05 23:46 -------- d-----w c:\documents and settings\Guest\Application Data\MYPOINTS 2009-04-15 21:48 . 2008-08-03 05:12 3240 ----a-w c:\windows\system32\PerfStringBackup.TMP 2009-04-15 20:29 . 2006-09-23 03:40 -------- d-----w c:\program files\OFFICE11 2009-04-12 15:20 . 2005-08-06 20:45 -------- d-----w c:\program files\Java 2009-04-12 15:12 . 2006-01-04 02:29 -------- d-----w c:\documents and settings\All Users\Application Data\pdf995 2009-04-12 15:11 . 2006-01-04 02:29 -------- d-----w c:\program files\pdf995 2009-04-02 21:07 . 2007-05-02 04:45 -------- d-----w c:\program files\Diablo II 2009-03-30 00:07 . 2007-05-04 14:45 -------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks 2009-03-26 20:49 . 2008-07-30 00:15 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-26 20:49 . 2008-07-30 00:15 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-03-26 02:26 . 2008-06-09 22:49 83476 ----a-w c:\windows\War3Unin.dat 2009-03-24 21:56 . 2006-08-17 15:48 -------- d-----w c:\documents and settings\Owner\Application Data\Ventrilo 2009-03-24 02:05 . 2009-03-07 02:21 -------- d-----w c:\documents and settings\Daniela\Application Data\MYPOINTS 2009-03-20 15:26 . 2009-03-20 15:26 -------- d-----w c:\program files\Ventrilo 2009-03-20 15:26 . 2009-03-20 15:26 -------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-03-09 09:19 . 2008-12-01 14:27 410984 ----a-w c:\windows\system32\deploytk.dll 2009-03-09 04:18 . 2009-03-03 00:31 -------- d-----w c:\documents and settings\Monique\Application Data\MYPOINTS 2009-03-09 04:09 . 2006-01-05 02:11 14850 ----a-w c:\documents and settings\Monique\Application Data\wklnhst.dat 2009-03-07 23:00 . 2009-02-02 04:38 -------- d-----w c:\program files\WarHammer 2009-03-07 18:02 . 2005-08-06 20:35 -------- d-----w c:\program files\Google 2009-03-07 17:59 . 2009-02-27 22:14 -------- d-----w c:\program files\Coupons 2009-03-07 02:21 . 2009-03-07 02:21 -------- d-----w c:\documents and settings\Daniela\Application Data\Yahoo! 2009-03-06 14:22 . 2004-08-26 16:12 284160 ----a-w c:\windows\system32\pdh.dll 2009-03-05 23:46 . 2009-03-05 23:46 -------- d-----w c:\documents and settings\Guest\Application Data\Yahoo! 2009-03-03 00:31 . 2009-03-03 00:31 -------- d-----w c:\documents and settings\Monique\Application Data\Yahoo! 2009-03-03 00:18 . 2004-08-26 16:12 826368 ----a-w c:\windows\system32\wininet.dll 2009-03-02 03:30 . 2009-02-27 19:14 -------- d-----w c:\documents and settings\Owner\Application Data\mypoints 2009-02-27 22:03 . 2009-02-27 22:03 -------- d-----w c:\documents and settings\Owner\Application Data\Yahoo! 2009-02-27 19:14 . 2009-02-27 19:14 -------- d-----w c:\program files\mypoints 2009-02-27 18:06 . 2009-02-27 18:06 -------- d-----w c:\documents and settings\Owner\Application Data\dvdcss 2009-02-20 18:09 . 2004-08-26 16:11 78336 ----a-w c:\windows\system32\ieencode.dll 2009-02-09 12:10 . 2004-08-26 16:11 729088 ----a-w c:\windows\system32\lsasrv.dll 2009-02-09 12:10 . 2004-08-26 16:12 401408 ----a-w c:\windows\system32\rpcss.dll 2009-02-09 12:10 . 2004-08-26 16:12 714752 ----a-w c:\windows\system32\ntdll.dll 2009-02-09 12:10 . 2004-08-26 16:11 617472 ----a-w c:\windows\system32\advapi32.dll 2009-02-09 11:13 . 2004-08-26 16:12 1846784 ----a-w c:\windows\system32\win32k.sys 2009-02-07 23:02 . 2004-08-04 05:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe 2009-02-06 11:11 . 2004-08-26 16:12 110592 ----a-w c:\windows\system32\services.exe 2009-02-06 11:08 . 2004-08-26 16:12 2189056 ----a-w c:\windows\system32\ntoskrnl.exe 2009-02-06 10:39 . 2004-08-26 16:12 35328 ----a-w c:\windows\system32\sc.exe 2009-02-03 19:59 . 2004-08-26 16:12 56832 ----a-w c:\windows\system32\secur32.dll 2009-01-06 23:30 . 2006-01-11 21:17 44360 -c--a-w c:\documents and settings\Monique\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2008-12-31 02:43 . 2006-01-11 23:58 1466 ----a-w c:\documents and settings\Daniela\Application Data\wklnhst.dat 2008-12-11 00:34 . 2006-05-08 21:57 44360 -c--a-w c:\documents and settings\Daniela\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2008-10-06 13:37 . 2006-01-04 02:18 9984 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat 2008-09-29 01:16 . 2005-12-20 03:29 44360 -c--a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-12-25 17:16 . 2007-12-25 17:16 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat 2007-10-04 20:59 . 2007-10-04 20:59 39312 ----a-w c:\documents and settings\Armando\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-03-05 17:16 . 2006-01-12 03:39 10022 --sha-w c:\windows\system32\KGyGaAvL.sys 2008-08-03 05:09 . 2008-08-03 05:09 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080320080804\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}] 2008-08-07 20:24 1909248 ----a-w c:\progra~1\mypoints\mypoints.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248] [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}] [HKEY_CLASSES_ROOT\mypoints.MYPOINTS] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248] [HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}] [HKEY_CLASSES_ROOT\mypoints.MYPOINTS] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728] "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888] "SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-04-15 77824] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-12-19 581632] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk backup=c:\windows\pss\BigFix.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk backup=c:\windows\pss\BitTorrent.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ChkDisk.dll] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.dll backup=c:\windows\pss\ChkDisk.dllStartup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ChkDisk.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ChkDisk.lnk backup=c:\windows\pss\ChkDisk.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Warcraft III\\Frozen Throne.exe"= "c:\\Program Files\\Warcraft III\\Warcraft III.exe"= "c:\\WINDOWS\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Azureus\\Azureus.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\Runes of Magic\\Curse\\CurseClient.exe"= R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1a8d3f4-c49f-11dc-8e78-0013d3b4258f}] \Shell\Auto\command - Setup.exe \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.exe . Contents of the 'Scheduled Tasks' folder 2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34] . - - - - ORPHANS REMOVED - - - - HKCU-Run-Aim6 - (no file) HKCU-Run-DW6 - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://partnerpage.google.com/fiu.edu mStart Page = hxxp://www.google.com uInternet Connection Wizard,ShellNext = iexplore . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-26 12:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-684440140-4092777574-1335313972-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(664) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3064) c:\program files\Logitech\SetPoint\lgscroll.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\PnkBstrA.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\system32\wscntfy.exe c:\program files\Logitech\SetPoint\KHALMNPR.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2009-04-26 12:16 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-26 16:15 Pre-Run: 105,410,576,384 bytes free Post-Run: 107,014,766,592 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 280 --- E O F --- 2009-04-15 20:29 -MacDaddy

Hi everyone. I'm new to the forums so help a newbie out (although i'll admit i've been here to look at the self help guides before, and this is my second time posting this info since I didn't get any replies when i originally posted this like 5 days ago :-P ) I recently became infected when trying to download a file (custom map for a realtime strategy game) from a website I had never used before. I then started having the following things happen:things minimized by themselves, seeing iexplorer.exe (and rundll32.exe) in my task manager when I had just started my comp and hadnt yet clicked on the internet explorer icon or anything, I can't actually go on the internet on this computer (nothing loads, just page not valid screen) even though the comp in the next room and my psp can use the network just fine, i couldn't run mbam.exe until i changed the name, now that i can run it I can't update it (since i can't seem to use the internet), and even though i have scanned a few times both in normal and safe mode the problems are still around. BTW i ended up doing the offline update to see if that helped, it detected 2 more items but now i'm stuck with these annoying symptoms. THANK YOU IN ADVANCE FOR ANY HELP AT ALL! ~~~~Here is my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:07:24 PM, on 4/22/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Logitech\SetPoint\KEM.exe C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/fiu.edu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O1 - Hosts: 82.98.231.89 url.adtrgt.com O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll O2 - BHO: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O2 - BHO: Java

BUMP... i need my internet... PS- let me know if i need to further explain anything or add any new info

I recently became infected when trying to download a file (custom map for a realtime strategy game) from a website I had never used before. I then started having things minimized by themselves, seeing iexplorer.exe (and rundll32.exe) in my taskmanager when I had just started my comp and hadnt yet clicked on the internet explorer icon or anything, I can't actually go on the internet on this computer (nothing loads, just page not valid screen) even though the comp in the next room and my psp can use the network just fine, i couldn't run mbam.exe until i changed the name, now that i can run it I can't update it (since i can't seem to use the internet), and even though i have scanned a few times, the problems are still around. BTW i ended up doing the offline update to see if that helped, it detected 2 more items but now i'm stuck with these annoying symptoms. THANK YOU IN ADVANCE FOR ANY HELP AT ALL. Here is my HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:07:24 PM, on 4/22/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Digital Media Reader\shwiconem.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Logitech\SetPoint\KEM.exe C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/fiu.edu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O1 - Hosts: 82.98.231.89 url.adtrgt.com O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll O2 - BHO: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [A00F3458A2.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F3458A2.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader2.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174309756140 O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownlo...Plugin10USA.cab O20 - AppInit_DLLs: karna.dat wjogjc.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8022 bytes Please help me, I appreciate any responses. -MacDaddyX12