hijack this log- can run online scans

dito1 (Joined: Nov 15, 2008; Posts: 30)
Posted: Mon Apr 20, 2009 6:30 pm    Post subject: hijack this log- can run online scans

Hello,
I cannot run any online scans like Panda ActiveScan. The computer was only working in safe mode. I ran Malwarebytes and SUPERAntiSpyware; here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

4/20/2009 5:38:04 PM
mbam-log-2009-04-20 (17-38-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147634
Time elapsed: 49 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 8
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a5af42a3-94f3-42bd-f634-0604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a5af42a3-94f3-42bd-f634-0604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wovotufufa (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6477d36b (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\yaubfh983ind.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.


Then I ran HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:20 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Joey\reader_s.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\DOCUME~1\Joey\LOCALS~1\Temp\2010108808.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {1619adf0-20d5-4f34-a99e-e2da4d21a2cc} - C:\WINDOWS\system32\vohehaki.dll (file missing)
O2 - BHO: (no name) - {a5af42a3-94f3-42bd-f634-0604832c897d} - (no file)
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [FPCCSMiddleware] C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lpexavinasowovon] rundll32.exe "C:\WINDOWS\eyigibavuk.dll",e
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [CPM6744e0f7] Rundll32.exe "c:\windows\system32\sukozeme.dll",a
O4 - HKLM\..\Run: [wovotufufa] Rundll32.exe "C:\WINDOWS\system32\vawapuhe.dll",s
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Joey\LOCALS~1\Temp\2010108808.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3863597176.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wutakizu.dll aftrhp.dll c:\windows\system32\majubilu.dll ,c:\progra~1\ThunMail\testabd.dll,C:\WINDOWS\system32\rifakuwi.dll c:\windows\system32\sukozeme.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 11371 bytes


THANK YOU!!!

greyknight17 (Joined: Feb 03, 2003; Posts: 5674; Location: Brooklyn, NY)
Posted: Mon Apr 20, 2009 8:26 pm

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download ATF Cleaner at http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main, choose Select All.
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser, click Opera at the top and choose Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {1619adf0-20d5-4f34-a99e-e2da4d21a2cc} - C:\WINDOWS\system32\vohehaki.dll (file missing)
O2 - BHO: (no name) - {a5af42a3-94f3-42bd-f634-0604832c897d} - (no file)
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKLM\..\Run: [Lpexavinasowovon] rundll32.exe "C:\WINDOWS\eyigibavuk.dll",e
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [CPM6744e0f7] Rundll32.exe "c:\windows\system32\sukozeme.dll",a
O4 - HKLM\..\Run: [wovotufufa] Rundll32.exe "C:\WINDOWS\system32\vawapuhe.dll",s
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Joey\LOCALS~1\Temp\2010108808.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3863597176.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.antimalwareguard.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wutakizu.dll aftrhp.dll c:\windows\system32\majubilu.dll ,c:\progra~1\ThunMail\testabd.dll,C:\WINDOWS\system32\rifakuwi.dll c:\windows\system32\sukozeme.dll
O22 - SharedTaskScheduler: lkjf9873jhifjnsfi8w3fe - {D5BF49A0-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\zfgh83jg3.dll (file missing)
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\DOCUME~1\LOCALS~1\protect.dll
C:\Documents and Settings\Joey\reader_s.exe
c:\progra~1\ThunMail\
C:\WINDOWS\eyigibavuk.dll
C:\WINDOWS\system32\3361\
c:\windows\system32\aftrhp.dll
C:\WINDOWS\system32\autochk.dll
c:\windows\system32\majubilu.dll
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\rifakuwi.dll
C:\WINDOWS\system32\sopidkc.exe
c:\windows\system32\sukozeme.dll
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\system32\twex.exe
C:\WINDOWS\system32\vawapuhe.dll
C:\WINDOWS\system32\wutakizu.dll


Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.
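As an added example that is not part of the original thread (neither greyknight17's nor the forum's code): a small Python triage script that applies the same heuristics the reply above uses by eye to HijackThis-format lines: a Userinit chain that loads more than userinit.exe, hosts-file entries, autoruns launched from Temp or profile folders, rundll32 loading a random-named DLL, a second svchost.exe outside system32, the DisableRegedit policy, Trusted Zone additions, AppInit_DLLs, and unknown-owner services running from system32. The sample lines embedded in it are copied from the log posted above; the function names, regexes and the 8-letter random-DLL pattern are my own assumptions, and the output is a list to review by hand, not a verdict (a legitimate unsigned service such as acs.exe will also be listed for review).

```python
import re
import sys
from typing import Dict, List, Optional

# Sample HijackThis-format lines, copied from the log posted above (clean and
# malicious entries mixed) so the script can be run offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,C:\WINDOWS\system32\ntos.exe,
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Joey\LOCALS~1\Temp\2010108808.exe
O4 - HKLM\..\Run: [wovotufufa] Rundll32.exe "C:\WINDOWS\system32\vawapuhe.dll",s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.antimalwareguard.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\wutakizu.dll aftrhp.dll
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristics below are assumptions tuned to the patterns in this thread, not a vendor signature set.
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# Executables launched from temp/profile locations: typical downloader/dropper persistence.
TEMP_EXE = re.compile(
    r"(LOCALS~1\\Temp|Local Settings\\Temp|Local Settings\\Application Data|WINDOWS\\TEMP"
    r"|Documents and Settings\\[^\\]+)\\[^\\\s\"]+\.exe", re.I)
# Eight lowercase letters + .dll: the wovotufufa/vawapuhe style names used by the Vundo family.
RANDOM_DLL = re.compile(r"(?<![A-Za-z])[a-z]{8}\.dll")
# Any svchost.exe path; only the one in system32 is the real service host.
SVCHOST_PATH = re.compile(r"([A-Za-z]:\\[^\"]*?svchost\.exe)", re.I)
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"


def classify(section: str, body: str) -> Optional[str]:
    """Return a reason string if this HijackThis entry looks suspicious, else None."""
    if section == "F2" and "UserInit=" in body:
        chain = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in chain if not p.lower().endswith("userinit.exe")]
        if extra:
            return "Userinit chain loads extra executables: " + ", ".join(extra)
    elif section == "O1":
        return "hosts-file redirect (check the IP against the hostname)"
    elif section == "O4":
        if TEMP_EXE.search(body):
            return "autorun from a temp or profile folder"
        if "rundll32" in body.lower() and RANDOM_DLL.search(body):
            return "rundll32 loading a random-named DLL"
        m = SVCHOST_PATH.search(body)
        if m and m.group(1).lower() != LEGIT_SVCHOST:
            return "svchost.exe outside system32"
    elif section == "O7":
        return "policy restriction (e.g. regedit disabled)"
    elif section == "O15":
        return "domain added to the IE Trusted Zone"
    elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs injected into every user-mode process"
    elif (section == "O23" and "Unknown owner" in body
          and "(file missing)" not in body and "\\system32\\" in body.lower()):
        return "unknown-owner service running from system32 (verify manually)"
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan HijackThis-format text and return the entries worth fixing or reviewing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # process list, headers and blank lines carry no R/F/O entry
        reason = classify(m.group(1), m.group(2))
        if reason:
            findings.append({"section": m.group(1), "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (no argument: scans SAMPLE_LOG)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

On the sample above this lists nine entries and leaves iTunesHelper and the NVIDIA service alone; on a real log, treat every hit as a lead to verify (file signature, owner, whether the path exists) rather than as a delete list, and remember that HijackThis only reports the autorun locations it knows about, so a clean report from this script is not a clean machine.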
dito1 (Joined: Nov 15, 2008; Posts: 30)
Posted: Tue Apr 21, 2009 12:58 am    Post subject: no icons

I can no longer get any icons on the computer, safe mode or not. Any suggestions?

dito1 (Joined: Nov 15, 2008; Posts: 30)
Posted: Tue Apr 21, 2009 1:09 am

I also tried Ctrl+Alt+Del and typed regedit, but it cannot find the file.

dito1 (Joined: Nov 15, 2008; Posts: 30)
Posted: Tue Apr 21, 2009 2:18 am    Post subject: combo fix

I cannot run ComboFix: "not a recognized Win32 application". I did most of the previous fix; some items could not be deleted. I ran HJT again; here is the log. I don't know if it will show up right. Notepad does not work, and I have to start explorer.exe every time I reboot to get icons. Should I just save what I have and reinstall Windows?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:32 AM, on 4/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {1619adf0-20d5-4f34-a99e-e2da4d21a2cc} - C:\WINDOWS\system32\vohehaki.dll (file missing)
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"
O4 - HKLM\..\Run: [FPCCSMiddleware] C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraiPodConverter.exe -t
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Lpexavinasowovon] rundll32.exe "C:\WINDOWS\eyigibavuk.dll",e
O4 - HKLM\..\Run: [CPM6744e0f7] Rundll32.exe "c:\windows\system32\yezokuno.dll",a
O4 - HKLM\..\Run: [wovotufufa] Rundll32.exe "C:\WINDOWS\system32\vawapuhe.dll",s
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3863597176.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [VRT9] C:\WINDOWS\TEMP\VRT9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Java Syncro] C:\Documents and Settings\Joey\Local Settings\Application Data\zchMiB.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\rifakuwi.dll c:\windows\system32\yezokuno.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yezokuno.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yezokuno.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 11002 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue Apr 21, 2009 8:48 pm    Post subject:

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {1619adf0-20d5-4f34-a99e-e2da4d21a2cc} - C:\WINDOWS\system32\vohehaki.dll (file missing)
O3 - Toolbar: (no name) - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKLM\..\Run: [Lpexavinasowovon] rundll32.exe "C:\WINDOWS\eyigibavuk.dll",e
O4 - HKLM\..\Run: [CPM6744e0f7] Rundll32.exe "c:\windows\system32\yezokuno.dll",a
O4 - HKLM\..\Run: [wovotufufa] Rundll32.exe "C:\WINDOWS\system32\vawapuhe.dll",s
O4 - HKCU\..\Run: [] C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\sqpy5aq4.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3863597176.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joey\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [VRT9] C:\WINDOWS\TEMP\VRT9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Java Syncro] C:\Documents and Settings\Joey\Local Settings\Application Data\zchMiB.exe (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\system32\rifakuwi.dll c:\windows\system32\yezokuno.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yezokuno.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yezokuno.dll
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe


Download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes
    explorer.exe
    :Services
    sopidkc
    tdctxte
    :Files
    C:\DOCUME~1\Joey\LOCALS~1\Temp\jstw2.exe
    C:\Documents and Settings\Joey\Local Settings\Application Data\zchMiB.exe
    C:\Documents and Settings\Joey\reader_s.exe
    C:\WINDOWS\eyigibavuk.dll
    C:\WINDOWS\system32\rifakuwi.dll
    C:\WINDOWS\system32\tdctxte.exe
    C:\WINDOWS\system32\twex.exe
    C:\WINDOWS\system32\vawapuhe.dll
    c:\windows\system32\yezokuno.dll
    C:\WINDOWS\TEMP\3863597176.exe
    C:\WINDOWS\TEMP\sqpy5aq4.exe
    C:\WINDOWS\TEMP\VRT9.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.

  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Run a new HijackThis scan and post the log here.

Delete ComboFix. Download a new copy of it, but this time before you even save the file, rename it to CFdito1.exe instead. Then click on save and save it to your desktop. Try running it again.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Wed Apr 22, 2009 6:58 am    Post subject:

I was not able to do much of anything. I ended up reinstalling Windows. Should I still run a HJT scan to ensure everything is OK? Thank you
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Wed Apr 22, 2009 5:43 pm    Post subject:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:03 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Joe\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joe\reader_s.exe (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)

--
End of file - 4913 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Wed Apr 22, 2009 6:49 pm    Post subject:

How did you do the Windows reinstall? Did you just reinstall it on top of your existing Windows or did you do a clean/new install? I still see the infection there.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Joe\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joe\reader_s.exe (User 'Default user')


Download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\Documents and Settings\Joe\reader_s.exe
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.

  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

See if you can run ComboFix (rename it first before you save it to your desktop). Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Wed Apr 22, 2009 9:56 pm    Post subject:

Not sure if HJT worked.

Did the OTMoveIt; here is the log:

========== FILES ==========
File/Folder C:\WINDOWS\system32\ntos.exe not found.
C:\WINDOWS\System32\reader_s.exe moved successfully.
C:\Documents and Settings\Joe\reader_s.exe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04222009_214713


ComboFix did not work. I can download it and begin to run it, then I get the error:

"the contents of the combofix package has been compromised. please download a freshcopy form www.bleepingcomputer (where i got it from in the first place)

Note you may be infected with a file patching virus (virut)"
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Wed Apr 22, 2009 10:57 pm    Post subject: here is the hjt log just in case

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\BN1.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\3361\SVCHOST.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wh5glp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wh5glp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wh5glp.exe (User 'Default user')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)

--
End of file - 4501 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Thu Apr 23, 2009 8:34 pm    Post subject:

Are you having problems booting into Normal Mode?

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\wh5glp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wh5glp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wh5glp.exe (User 'Default user')
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: sopidkc Service (sopidkc) - 5.232.121.233 - C:\WINDOWS\system32\sopidkc.exe


  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\3361
    C:\WINDOWS\TEMP\wh5glp.exe
    c:\program Files\ThunMail
    C:\WINDOWS\dhcp
    C:\WINDOWS\system32\sopidkc.exe
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

So you can't run ComboFix even after renaming it? See if you can get it from another computer and rename it first. Then transfer it to this computer and run it again.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Fri Apr 24, 2009 8:22 am    Post subject:

delete

Last edited by dito1 on Fri Apr 24, 2009 4:34 pm; edited 1 time in total
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Fri Apr 24, 2009 10:04 am    Post subject:

Nope, not able to do ComboFix. Tried downloading it from all 3 places, from a different computer, and saved as a different name.

I was also able to run Malwarebytes; here is the log. Tried running SUPERAntiSpyware again but keep getting the blue Windows error screen.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/24/2009 9:49:20 AM
mbam-log-2009-04-24 (09-49-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 208517
Time elapsed: 1 hour(s), 0 minute(s), 33 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 30

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Joe\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: msclapl.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\msclapl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Joey\Local Settings\temp\ovfsthkbycwmtdre.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B68C5C2B-AB6A-43AB-B1C8-8311054C540A}\RP137\A0010853.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Joe\Desktop\VirusRemover.log (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joey\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joe\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joey\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN14.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN1B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\BN27.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\winlognn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.



HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:56 PM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\medctrro.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (file missing)
O23 - Service: sopidkc Service (sopidkc) - sdfecdsf sdfe ddee - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)

--
End of file - 4637 bytes
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Sat Apr 25, 2009 7:10 am    Post subject:

Google searches are now also hijacked.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Sat Apr 25, 2009 8:35 pm    Post subject:

Download GooredFix and save it to your Desktop. Double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe (file missing)
O23 - Service: sopidkc Service (sopidkc) - sdfecdsf sdfe ddee - C:\WINDOWS\system32\sopidkc.exe


- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Processes
explorer
:Services
DhcpSrv
sopidkc
:Files
C:\WINDOWS\dhcp
C:\WINDOWS\system32\sopidkc.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
- Return to OTMoveIt3, right-click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
- Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Try running Malwarebytes' again and remove everything it finds. Post the log here.

Then run a new HijackThis scan and post that log here.

See if you can run ComboFix now or the Panda online scan.
Back to top
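The two O23 entries singled out in the reply above are the ones a helper spots by eye: a service with no recorded publisher whose binary is gone, and a service whose "publisher" is a random string. The following is an added example, not part of this thread and not code from HijackThis, that runs those same reviewer checks over O23 lines taken from the log posted earlier in the thread. The checks themselves (no publisher recorded, binary missing on disk, publisher string with no capital letter, a core Windows binary name such as svchost.exe registered outside system32) and the list of core binary names are my own assumptions; the output is a review queue, not a verdict, and the stale Trend Micro entries trip the same checks as the malicious ones, which is why a person still confirms each hit.

```python
import ntpath

# HijackThis O23 lines copied from the log posted above in this thread.
SAMPLE_O23 = r"""
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe (file missing)
O23 - Service: sopidkc Service (sopidkc) - sdfecdsf sdfe ddee - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Unknown owner - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (file missing)
"""

# Assumption: names of core Windows binaries whose name malware likes to borrow.
# A copy of one of these living anywhere but %SystemRoot%\system32 deserves a look.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                       "winlogon.exe", "csrss.exe", "explorer.exe"}
SYSTEM32 = r"c:\windows\system32"

PREFIX = "O23 - Service: "
MISSING = " (file missing)"


def parse_o23(line):
    """Split one O23 line into (display name, publisher, path, file_missing)."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    missing = body.endswith(MISSING)
    if missing:
        body = body[:-len(MISSING)]
    # The display name may itself contain " - "; the publisher and the path
    # normally do not, so split from the right.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return name, owner, path, missing


def review_service(name, owner, path, missing):
    """Return the list of reasons (possibly empty) a reviewer would look twice."""
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher recorded in the binary's version info")
    if missing:
        reasons.append("registered binary no longer exists on disk")
    if not any(c.isupper() for c in owner):
        reasons.append("publisher string has no capital letter (looks machine-generated)")
    # ntpath handles backslash paths regardless of the host OS.
    if (ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES
            and ntpath.dirname(path).lower() != SYSTEM32):
        reasons.append("core Windows binary name outside system32")
    return reasons


def triage_o23(text):
    """Return {service display name: [reasons]} for every line that trips a check."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        reasons = review_service(*parsed)
        if reasons:
            findings[parsed[0]] = reasons
    return findings


if __name__ == "__main__":
    for service, why in triage_o23(SAMPLE_O23).items():
        print(service)
        for reason in why:
            print("   -", reason)
```

On the lines from this thread the Dhcp server entry trips three checks at once (unknown publisher, binary missing, svchost.exe outside system32), the sopidkc entry trips only the lowercase-publisher check, and the Apple and NVIDIA services pass clean.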
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Sun Apr 26, 2009 8:35 am    Post subject:

Things seem to be fine. I was running Malwarebytes before, so it found nothing this time; I will not include the log. I was finally able to get ComboFix running; the log is down below. Thank you.

GooredFix v1.92 by jpshortstuff
Log created at 22:05 on 25/04/2009 running Option #2 (Joe)
Firefox version 3.0.9 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


========== PROCESSES ==========
Unable to kill process: explorer
========== SERVICES/DRIVERS ==========

Service\Driver DhcpSrv deleted successfully.
Service\Driver sopidkc not found.
Service\Driver sopidkc not found.
========== FILES ==========
File/Folder C:\WINDOWS\dhcp not found.
File/Folder C:\WINDOWS\system32\sopidkc.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Joe\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\1194989436.exe scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\BN3.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\j7cm5ifmjy.exe scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04252009_220814

Files moved on Reboot...
C:\WINDOWS\temp\1194989436.exe moved successfully.
File C:\WINDOWS\temp\BN3.tmp not found!
C:\WINDOWS\temp\j7cm5ifmjy.exe moved successfully.


ComboFix 09-04-25.A3 - Joe 04/25/2009 23:02.1 - NTFSx86
Running from: c:\cfbleep\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)
.
ADS - ntoskrnl.exe: deleted 1021 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Joey\Application Data\inst.exe
c:\documents and settings\Joey\Application Data\wiaserva.log
c:\windows\IE4 Error Log.txt
c:\windows\Install.txt
c:\windows\system32\ntos.exe

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_PROTECT
-------\Legacy_RESTORE
-------\Service_Ias
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-26 02:56 . 2009-04-26 02:56 -------- d-----w C:\cfbleep
2009-04-26 02:04 . 2009-04-26 02:04 38 ----a-w C:\4A.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\49.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\47.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\46.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\45.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\43.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\42.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\41.tmp
2009-04-26 02:04 . 2009-04-26 02:04 0 ----a-w C:\31.tmp
2009-04-26 02:04 . 2009-04-26 02:04 38 ----a-w C:\2A.tmp
2009-04-26 02:04 . 2009-04-26 02:04 54784 ----a-w C:\25.tmp
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Skinux
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ArcSoft
2009-04-25 10:31 . 2009-04-25 10:31 124 ----a-w c:\windows\system32\3D.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\3A.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\38.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\37.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\36.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\35.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\34.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\33.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\32.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\30.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\2E.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\2D.tmp
2009-04-25 10:31 . 2009-04-25 10:31 0 ----a-w C:\2B.tmp
2009-04-25 10:30 . 2009-04-25 10:30 38 ----a-w C:\28.tmp
2009-04-25 10:30 . 2009-04-25 10:30 54784 ----a-w C:\26.tmp
2009-04-25 10:30 . 2009-04-25 10:30 21504 ----a-w C:\24.tmp
2009-04-25 01:28 . 2009-04-25 01:31 -------- d-----w c:\documents and settings\Joe\Application Data\Move Networks
2009-04-24 14:10 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-24 14:10 . 2009-04-24 14:10 -------- d-----w c:\program files\Panda Security
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\Joe\Application Data\Malwarebytes
2009-04-24 12:47 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 12:47 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-24 01:31 . 2009-04-24 01:31 -------- d-----w c:\documents and settings\Joe\Application Data\AVG8
2009-04-23 11:33 . 2009-04-23 11:33 -------- d-----w c:\documents and settings\Joe\Application Data\U3
2009-04-23 11:19 . 2009-04-23 11:19 44 ----a-w c:\windows\system32\26.tmp
2009-04-23 11:19 . 2009-04-23 11:19 38 ----a-w C:\23.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\22.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\21.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\20.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\1F.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\1E.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\1D.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\1C.tmp
2009-04-23 11:19 . 2009-04-23 11:19 0 ----a-w C:\1B.tmp
2009-04-23 11:18 . 2009-04-23 11:18 38 ----a-w C:\B.tmp
2009-04-23 11:18 . 2009-04-23 11:18 52736 ----a-w C:\A.tmp
2009-04-23 01:47 . 2009-04-23 01:47 -------- d-----w C:\_OTMoveIt
2009-04-23 01:20 . 2009-04-23 01:20 108336 ----a-w c:\windows\system32\MSWINSCK.OCX
2009-04-23 00:02 . 2009-04-23 00:02 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\26F.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\26E.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\26D.tmp
2009-04-22 20:52 . 2009-04-22 20:52 38 ----a-w C:\26C.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\26B.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\26A.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\269.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\268.tmp
2009-04-22 20:52 . 2009-04-22 20:52 0 ----a-w C:\267.tmp
2009-04-22 20:52 . 2009-04-22 20:52 38 ----a-w C:\266.tmp
2009-04-22 20:52 . 2009-04-22 20:52 52736 ----a-w C:\265.tmp
2009-04-22 20:52 . 2009-04-22 20:52 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 20:51 . 2009-04-22 20:51 213120 -c----w c:\windows\system32\dllcache\ndis.sys
2009-04-22 20:50 . 2009-04-22 20:50 0 ----a-w c:\windows\system32\261.tmp
2009-04-22 20:50 . 2009-04-22 20:50 44 ----a-w c:\windows\system32\25F.tmp
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\KodakGallery
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Application Data\KodakCredentialStore
2009-04-22 17:41 . 2009-04-22 17:41 -------- d-----w c:\documents and settings\Joe\Application Data\Skinux
2009-04-22 12:09 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-22 12:09 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-22 12:09 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-23 20:48 -------- d-----w c:\documents and settings\Joe\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:04 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:03 -------- d-----w c:\program files\ArcSoft
2009-04-22 12:03 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 12:03 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 12:03 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-22 12:03 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-22 11:58 . 2008-05-02 13:25 465920 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 -c----w c:\windows\system32\dllcache\imapi2.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-22 11:58 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2009-04-22 11:52 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-04-22 00:01 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-21 23:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 23:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 23:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 23:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 23:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 23:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 23:59 . 2009-02-06 11:11 131072 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 23:59 . 2009-02-06 10:10 248320 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 23:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 23:59 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-21 23:59 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-21 23:59 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-21 23:58 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-21 23:58 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-21 23:57 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-21 23:57 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-21 23:57 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-21 23:53 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-21 23:53 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-21 23:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 23:52 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-21 23:52 . 2008-04-21 12:08 236032 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-21 23:48 . 2009-04-21 23:48 15890 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2009-04-21 23:47 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-04-21 23:47 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-04-21 23:47 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\DMusic.sys
2009-04-21 23:47 . 2008-04-13 18:45 56576 ----a-w c:\windows\system32\drivers\swmidi.sys
2009-04-21 23:47 . 2008-04-13 16:39 142592 ----a-w c:\windows\system32\drivers\aec.sys
2009-04-21 23:47 . 2008-04-13 18:45 2944 ----a-w c:\windows\system32\drivers\drmkaud.sys
2009-04-21 23:47 . 2008-04-13 18:45 172416 ----a-w c:\windows\system32\drivers\kmixer.sys
2009-04-21 23:47 . 2008-04-13 19:15 60800 ----a-w c:\windows\system32\drivers\sysaudio.sys
2009-04-21 23:47 . 2006-03-21 00:54 1052672 ----a-w c:\windows\system32\stlang.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 22:23 . 2009-04-25 22:22 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\ArcSoft
2009-04-25 22:22 . 2009-04-25 22:22 38 ----a-w C:\40.tmp
2009-04-25 22:22 . 2009-04-25 22:22 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Malwarebytes
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\3F.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\3E.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\3D.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\3C.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\3B.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\39.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\2F.tmp
2009-04-25 22:22 . 2009-04-25 22:22 0 ----a-w C:\2C.tmp
2009-04-25 22:22 . 2009-04-25 22:22 38 ----a-w C:\29.tmp
2009-04-25 22:22 . 2009-04-25 22:22 54784 ----a-w C:\27.tmp
2009-04-25 17:40 . 2005-03-30 01:21 2145280 ---ha-w c:\windows\system32\ntoskrnl.exe
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 12:47 . 2008-11-18 03:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 01:36 . 2008-05-03 19:36 488 ----a-w C:\hpfr5550.xml
2009-04-22 20:51 . 2004-08-10 11:00 213120 ------w c:\windows\system32\drivers\ndis.sys
2009-04-22 12:09 . 2009-03-25 22:43 -------- d-----w c:\program files\iTunes
2009-04-22 12:04 . 2008-04-22 12:14 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 12:02 . 2008-04-27 21:57 -------- d-----w c:\program files\Common Files\Kodak
2009-04-21 23:43 . 2009-04-21 21:39 87747 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-21 22:06 . 2008-04-22 09:51 -------- d-----w c:\program files\RGB
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\ESPNMotion
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\DIGStream
2009-03-29 19:31 . 2008-09-06 20:41 65248 ----a-w c:\documents and settings\Joey\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 22:43 . 2009-03-25 22:43 -------- d-----w c:\program files\iPod
2009-03-25 22:43 . 2008-04-22 14:26 -------- d-----w c:\program files\Common Files\Apple
2009-03-25 22:41 . 2009-03-25 22:41 -------- d-----w c:\program files\Bonjour
2009-03-25 09:10 . 2009-02-17 14:13 1324 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\d3d9caps.tmp
2009-03-19 02:13 . 2009-03-19 02:13 -------- d-----w c:\program files\Zone Labs
2009-03-19 02:11 . 2009-03-19 02:11 -------- d-----w c:\program files\Alwil Software
2009-03-07 01:56 . 2009-03-07 01:56 65248 ----a-w c:\documents and settings\Beata\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-07 01:55 . 2009-03-07 01:55 -------- d-----w c:\documents and settings\Beata\Application Data\MySpace
2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:17 . 2009-04-21 21:38 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\JumpStart
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-03-06 00:50 . 2008-04-22 12:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 23:12 . 2009-04-21 21:38 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-02 00:20 . 2008-05-03 18:49 -------- d-----w c:\program files\Google
2009-03-02 00:15 . 2009-03-02 00:15 -------- d-----w c:\documents and settings\Joey\Application Data\OpenOffice.org
2009-02-26 12:35 . 2008-04-22 14:19 65248 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:10 . 2006-03-04 03:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-10 11:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 10:39 . 2004-08-10 11:00 55808 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-10 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-07-21 03:18 . 2008-07-21 03:18 251 ----a-w c:\program files\wt3d.ini
2008-04-22 09:50 . 2008-04-22 09:50 127 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[-] 2004-08-10 11:00 34816 73638095376F85943A492B672726F0C3 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 34816 6E459BE75587AABFC6ED5BC5D1131840 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 34816 1A5CD2861195499FBEE224DEE47C3BD6 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2008-04-14 00:12 34816 CE13AE101B4A21E74BFD5C2022E85F2C c:\windows\system32\svchost.exe

[-] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-22 20:51 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-22 20:51 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 1054208 36C280DF671D9F6BECD46AAD13B30711 c:\windows\explorer.exe
[-] 2004-08-10 11:00 1052672 F49FBC4489EEDAAC9E2CAAE906C839E2 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1054208 E3BFC5975119C52E1290E4B0DEDB76A0 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1054208 7997C3EF507C0D88476947868BCD5686 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe

[-] 2004-08-10 11:00 35840 868C3D7E7108B77C1A248954E2AB7955 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 35840 39EE0BB8028B752B26B1C540EE0705E4 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 35840 BFE7C42A6D99085FD0F70C25B317EA39 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2008-04-14 00:12 35840 9CE5A9751DFE8810DD30CF2F86F52DDE c:\windows\system32\ctfmon.exe

[-] 2004-08-10 11:00 78336 D3D66695112A61659D5D90397AD1DC73 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 78336 01001F6328235BBDBC07D08CCFD4A43C c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 78336 A33777D011510FE8BBA01D2F1CBFC15B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2008-04-14 00:12 78336 C2FC8046C59CF1C26EE283E15F6DF0A6 c:\windows\system32\spoolsv.exe

[-] 2004-08-10 11:00 45056 2E666D08CBF4B47D836E86A2D762D47B c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 46592 19962F68665826C76AE5825F9C01227D c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 46592 598E3AEB4F0E476189382BF06F350265 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2008-04-14 00:12 46592 E8CCF751D78A0D4125BDB99FC0A8D08B c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 79872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 208896]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 303104]

c:\documents and settings\Joey\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 404480]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 49152]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 303104]
NETGEAR WPN311 Wireless Assistant.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2005-2-22 4538368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-19 09:45 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\ThunMail\testabd.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

R1 ethtgytc;ethtgytc; [x]
R2 TmProxy;Trend Micro Proxy Service; [x]
R3 restore;restore; [x]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - ACDaemon
*Deregistered* - ACS
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDC8021X
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - pavboot
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmactmon
*Deregistered* - TMBMServer
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - tmpreflt
*Deregistered* - tmtdi
*Deregistered* - tmxpflt
*Deregistered* - TrkWks
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\kjsdiowq8oikf.dll
HKLM-Run-UfSeAgnt.exe - c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
HKLM-Run-VT100 Emulator - c:\windows\system32\VT100.EXE
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\kjsdiowq8oikf.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\temp\BN4.tmp
.
**************************************************************************
.
Completion time: 2009-04-26 23:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 03:11
ComboFix2.txt 2008-11-20 23:40

Pre-Run: 31,401,410,560 bytes free
Post-Run: 31,337,000,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

462 --- E O F --- 2009-04-25 07:00
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Sun Apr 26, 2009 3:53 pm    Post subject: trend micro antivirus hijack

I also have Trend Micro antivirus that is no longer working. Several of the files could not be found. They had an additional .mui in the extension, so it looked like *.exe.mui. When I delete the .mui and try to run the program, it tells me it is not a valid Win32 program.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Sun Apr 26, 2009 7:55 pm    Post subject:

If you have problems with TrendMicro, uninstall it and install it back to see if it helps. Or uninstall it and install AVG instead. I see you already have it listed. If it's not working, reinstall AVG again and it should get it up and running.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:
Quote:
Driver::
ethtgytc
TmProxy
restore
FCopy::
c:\windows\$NtServicePackUninstall$\userinit.exe | c:\windows\system32\userinit.exe
File::
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\20.tmp
C:\21.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\265.tmp
C:\266.tmp
C:\267.tmp
C:\268.tmp
C:\269.tmp
C:\26A.tmp
C:\26B.tmp
C:\26C.tmp
C:\26D.tmp
C:\26E.tmp
C:\26F.tmp
C:\27.tmp
C:\28.tmp
C:\29.tmp
C:\2A.tmp
C:\2B.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\30.tmp
C:\31.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\35.tmp
C:\36.tmp
C:\37.tmp
C:\38.tmp
C:\39.tmp
C:\3A.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\41.tmp
C:\42.tmp
C:\43.tmp
C:\45.tmp
C:\46.tmp
C:\47.tmp
C:\49.tmp
C:\4A.tmp
C:\A.tmp
C:\B.tmp
c:\windows\system32\25F.tmp
c:\windows\system32\26.tmp
c:\windows\system32\261.tmp
c:\windows\system32\3D.tmp
Folder::
c:\progra~1\ThunMail\
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
dito1



Joined: Nov 15, 2008
Posts: 30



PostPosted: Mon Apr 27, 2009 9:48 pm    Post subject:

ComboFix 09-04-27.02 - Joe 04/27/2009 21:45.2 - NTFSx86
Running from: c:\documents and settings\Joe\Desktop\Cfforo.exe
Command switches used :: c:\documents and settings\Joe\Desktop\cfscript.txt
AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

FILE ::
C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\20.tmp
C:\21.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\265.tmp
C:\266.tmp
C:\267.tmp
C:\268.tmp
C:\269.tmp
C:\26A.tmp
C:\26B.tmp
C:\26C.tmp
C:\26D.tmp
C:\26E.tmp
C:\26F.tmp
C:\27.tmp
C:\28.tmp
C:\29.tmp
C:\2A.tmp
C:\2B.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\30.tmp
C:\31.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\35.tmp
C:\36.tmp
C:\37.tmp
C:\38.tmp
C:\39.tmp
C:\3A.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\41.tmp
C:\42.tmp
C:\43.tmp
C:\45.tmp
C:\46.tmp
C:\47.tmp
C:\49.tmp
C:\4A.tmp
C:\A.tmp
C:\B.tmp
c:\windows\system32\25F.tmp
c:\windows\system32\26.tmp
c:\windows\system32\261.tmp
c:\windows\system32\3D.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1B.tmp
C:\1C.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\20.tmp
C:\21.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\265.tmp
C:\266.tmp
C:\267.tmp
C:\268.tmp
C:\269.tmp
C:\26A.tmp
C:\26B.tmp
C:\26C.tmp
C:\26D.tmp
C:\26E.tmp
C:\26F.tmp
C:\27.tmp
C:\28.tmp
C:\29.tmp
C:\2A.tmp
C:\2B.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\30.tmp
C:\31.tmp
C:\32.tmp
C:\33.tmp
C:\34.tmp
C:\35.tmp
C:\36.tmp
C:\37.tmp
C:\38.tmp
C:\39.tmp
C:\3A.tmp
C:\3B.tmp
C:\3C.tmp
C:\3D.tmp
C:\3E.tmp
C:\3F.tmp
C:\41.tmp
C:\42.tmp
C:\43.tmp
C:\45.tmp
C:\46.tmp
C:\47.tmp
C:\49.tmp
C:\4A.tmp
C:\A.tmp
C:\B.tmp
c:\windows\system32\25F.tmp
c:\windows\system32\26.tmp
c:\windows\system32\261.tmp
c:\windows\system32\3D.tmp

c:\windows\system32\userinit.exe . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\userinit.exe --> c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMPROXY
-------\Service_ethtgytc
-------\Service_restore
-------\Service_TmProxy


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-26 22:36 . 2009-04-26 22:36 -------- d-----w C:\temp
2009-04-26 22:36 . 2009-04-26 22:36 -------- d-----w c:\temp\HP All-in-One Series Web Release
2009-04-26 16:25 . 2009-04-26 16:25 1033 ---ha-w c:\documents and settings\Joey\hpothb07.dat
2009-04-26 16:19 . 2009-04-26 16:19 -------- d-----w c:\documents and settings\Joe\Application Data\Hewlett-Packard
2009-04-26 02:56 . 2009-04-26 02:56 -------- d-----w C:\cfbleep
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Skinux
2009-04-25 22:23 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\ArcSoft
2009-04-25 22:22 . 2009-04-25 22:23 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\ArcSoft
2009-04-25 22:22 . 2009-04-25 22:22 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Malwarebytes
2009-04-25 01:28 . 2009-04-26 03:17 -------- d-----w c:\documents and settings\Joe\Application Data\Move Networks
2009-04-24 14:10 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-24 14:10 . 2009-04-24 14:10 -------- d-----w c:\program files\Panda Security
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-04-24 13:53 . 2009-04-24 13:53 -------- d-----w c:\documents and settings\Joe\Application Data\SUPERAntiSpyware.com
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\Joe\Application Data\Malwarebytes
2009-04-24 12:47 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 12:47 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 12:47 . 2009-04-24 12:47 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-04-24 01:31 . 2009-04-24 01:31 -------- d-----w c:\documents and settings\Joe\Application Data\AVG8
2009-04-23 11:33 . 2009-04-23 11:33 -------- d-----w c:\documents and settings\Joe\Application Data\U3
2009-04-23 01:47 . 2009-04-23 01:47 -------- d-----w C:\_OTMoveIt
2009-04-23 00:02 . 2009-04-23 00:02 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Apple
2009-04-22 20:52 . 2009-04-22 20:52 -------- d-s---w c:\windows\system32\config\systemprofile\UserData
2009-04-22 20:51 . 2009-04-22 20:51 213120 -c----w c:\windows\system32\dllcache\ndis.sys
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\KodakGallery
2009-04-22 17:42 . 2009-04-22 17:42 -------- d-----w c:\documents and settings\Joe\Application Data\KodakCredentialStore
2009-04-22 17:41 . 2009-04-22 17:41 -------- d-----w c:\documents and settings\Joe\Application Data\Skinux
2009-04-22 12:09 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-04-22 12:09 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-04-22 12:09 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-23 20:48 -------- d-----w c:\documents and settings\Joe\Application Data\ArcSoft
2009-04-22 12:04 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:03 -------- d-----w c:\program files\ArcSoft
2009-04-22 12:03 . 2009-04-22 12:04 -------- d-----w c:\program files\Common Files\ArcSoft
2009-04-22 12:03 . 2001-08-18 02:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-22 12:03 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-22 12:03 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-22 12:03 . 2008-04-14 00:12 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-22 11:58 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2009-04-22 11:58 . 2008-05-02 13:25 465920 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 -c----w c:\windows\system32\dllcache\imapi2.dll
2009-04-22 11:58 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-22 11:52 . 2009-04-22 12:04 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Kodak
2009-04-22 00:01 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-21 23:59 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 23:59 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 23:59 . 2009-02-06 11:11 131072 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 23:59 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 23:59 . 2009-02-06 10:10 248320 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 23:59 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 23:59 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 23:59 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 23:59 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-21 23:59 . 2009-02-06 11:06 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-21 23:59 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-21 23:59 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-21 23:58 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-21 23:58 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-21 23:57 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-21 23:57 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-21 23:57 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-21 23:53 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-21 23:53 . 2008-09-04 17:15 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-21 23:52 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-21 23:52 . 2008-04-21 12:08 236032 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-21 23:48 . 2009-04-21 23:48 15890 ----a-w c:\windows\system32\drivers\mdc8021x.sys
2009-04-21 23:47 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-04-21 23:47 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-04-21 23:47 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\DMusic.sys
2009-04-21 23:47 . 2008-04-13 18:45 56576 ----a-w c:\windows\system32\drivers\swmidi.sys
2009-04-21 23:47 . 2008-04-13 16:39 142592 ----a-w c:\windows\system32\drivers\aec.sys
2009-04-21 23:47 . 2008-04-13 18:45 172416 ----a-w c:\windows\system32\drivers\kmixer.sys
2009-04-21 23:47 . 2008-04-13 18:45 2944 ----a-w c:\windows\system32\drivers\drmkaud.sys
2009-04-21 23:47 . 2008-04-13 19:15 60800 ----a-w c:\windows\system32\drivers\sysaudio.sys
2009-04-21 23:47 . 2006-03-21 00:54 1052672 ----a-w c:\windows\system32\stlang.dll
2009-04-21 23:47 . 2006-03-20 20:00 303104 ----a-w c:\windows\stsystra.exe
2009-04-21 23:47 . 2008-04-13 18:45 60160 ----a-w c:\windows\system32\drivers\drmk.sys
2009-04-21 23:47 . 2006-03-20 20:04 112128 ----a-w c:\windows\system32\staco.dll
2009-04-21 23:38 . 2009-04-21 23:39 -------- dc-h--w c:\documents and settings\All Users.WINDOWS\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-04-21 23:14 . 2004-08-04 02:29 25471 ------w c:\windows\system32\drivers\watv10nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 22271 ------w c:\windows\system32\drivers\watv06nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11871 ------w c:\windows\system32\drivers\wadv09nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11935 ------w c:\windows\system32\drivers\wadv11nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11807 ------w c:\windows\system32\drivers\wadv07nt.sys
2009-04-21 23:14 . 2004-08-04 02:29 11295 ------w c:\windows\system32\drivers\wadv08nt.sys
2009-04-21 23:11 . 2004-08-04 02:29 63488 ------w c:\windows\system32\drivers\atinxsxx.sys
2009-04-21 22:57 . 2008-07-09 07:38 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-21 22:56 . 2009-04-21 22:56 -------- d-s---w c:\documents and settings\Joe\UserData
2009-04-21 22:24 . 2009-04-21 22:24 -------- d-----w c:\program files\Dell
2009-04-21 22:09 . 2008-04-13 18:39 7552 ----a-w c:\windows\system32\drivers\mskssrv.sys
2009-04-21 22:09 . 2008-04-13 18:39 4992 ----a-w c:\windows\system32\drivers\mspqm.sys
2009-04-21 22:09 . 2008-04-13 18:39 5376 ----a-w c:\windows\system32\drivers\mspclock.sys
2009-04-21 22:09 . 2001-08-17 17:57 16128 -c--a-w c:\windows\system32\dllcache\modemcsa.sys
2009-04-21 22:09 . 2001-08-17 17:57 16128 ----a-w c:\windows\system32\drivers\MODEMCSA.sys
2009-04-21 22:09 . 2008-04-14 00:11 4096 ----a-w c:\windows\system32\ksuser.dll
2009-04-21 22:09 . 2009-04-21 22:09 -------- d-----w c:\program files\CONEXANT
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\DIGStream
2009-04-21 22:03 . 2009-04-21 22:03 126 ----a-w c:\documents and settings\Joe\Local Settings\Application Data\fusioncache.dat
2009-04-21 22:03 . 2009-04-21 22:55 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\ApplicationHistory
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\program files\GemMaster
2009-04-21 22:03 . 2007-09-17 12:07 376832 ----a-w c:\windows\system32\nvudisp.exe
2009-04-21 22:03 . 2009-04-21 22:03 -------- d-----w c:\program files\EnglishOtto
2009-04-21 21:57 . 2009-04-26 02:54 -------- d-----w c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-04-21 21:57 . 2009-04-25 22:22 -------- d-sh--w c:\documents and settings\LocalService.NT AUTHORITY
2009-04-21 21:55 . 2009-04-22 12:20 13880 ----a-w c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-21 21:45 . 2009-04-24 22:25 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft
2009-04-21 21:45 . 2009-04-24 22:26 -------- d-sh--w c:\documents and settings\NetworkService.NT AUTHORITY
2009-04-21 21:42 . 2004-08-10 11:00 36864 -c--a-w c:\windows\system32\dllcache\quser.exe
2009-04-21 21:41 . 2004-08-10 11:00 514587 -c--a-w c:\windows\system32\dllcache\edb500.dll
2009-04-21 21:40 . 2009-04-21 21:40 -------- d-----w c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft
2009-04-21 21:39 . 2009-04-21 22:06 -------- d-sh--w c:\documents and settings\All Users.WINDOWS\DRM
2009-04-21 21:37 . 2009-04-21 21:37 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-21 21:35 . 2008-04-14 00:13 40840 ----a-w c:\windows\system32\drivers\termdd.sys
2009-04-21 21:35 . 2008-04-13 18:32 196224 ----a-w c:\windows\system32\drivers\rdpdr.sys
2009-04-21 21:32 . 2009-04-21 21:32 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Trend Micro
2009-04-21 21:18 . 2009-04-22 01:37 13484 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-21 21:18 . 2009-04-24 22:27 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-21 21:18 . 2009-04-22 12:09 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\Apple Computer
2009-04-21 21:18 . 2009-04-21 21:18 -------- d-----w c:\documents and settings\Joe\Application Data\Apple Computer
2009-04-21 21:17 . 2009-04-21 21:17 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2009-04-21 21:17 . 2009-04-21 21:17 -------- d-----w c:\documents and settings\Joe\Local Settings\Application Data\Apple
2009-04-21 21:17 . 2009-04-21 21:17 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2009-04-21 21:09 . 2009-04-21 21:09 0 ----a-w c:\windows\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 22:22 . 2009-04-25 22:22 38 ----a-w C:\40.tmp
2009-04-25 17:40 . 2005-03-30 01:21 2145280 ---ha-w c:\windows\system32\ntoskrnl.exe
2009-04-24 14:06 . 2009-04-21 14:17 90112 ----a-w c:\windows\DUMP60dc.tmp
2009-04-24 13:58 . 2009-04-21 14:17 90112 ----a-w c:\windows\DUMP5b00.tmp
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-24 13:53 . 2008-11-15 17:20 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-24 12:47 . 2008-11-18 03:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 20:51 . 2004-08-10 11:00 213120 ------w c:\windows\system32\drivers\ndis.sys
2009-04-22 12:09 . 2009-03-25 22:43 -------- d-----w c:\program files\iTunes
2009-04-22 12:04 . 2008-04-22 12:14 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 12:02 . 2008-04-27 21:57 -------- d-----w c:\program files\Common Files\Kodak
2009-04-21 23:43 . 2009-04-21 21:39 87747 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-21 22:06 . 2008-04-22 09:51 -------- d-----w c:\program files\RGB
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\ESPNMotion
2009-04-21 22:03 . 2008-04-22 09:50 -------- d-----w c:\program files\DIGStream
2009-04-21 21:43 . 2008-04-23 12:12 -------- d-----w c:\program files\Trend Micro
2009-04-21 21:40 . 2004-08-10 11:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-21 21:17 . 2008-07-15 05:01 -------- d-----w c:\program files\Safari
2009-04-21 12:17 . 2008-04-24 14:33 -------- d-----w c:\program files\Ahead
2009-04-21 00:38 . 2008-07-17 05:07 -------- d-----w c:\program files\SPSSGP
2009-04-21 00:30 . 2008-06-09 05:14 -------- d-----w c:\program files\Microsoft Works
2009-04-21 00:16 . 2008-08-02 15:15 -------- d-----w c:\program files\Boardmaker with SD Pro
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\1A.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\19.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\18.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\17.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\16.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\15.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\14.tmp
2009-04-20 19:29 . 2009-04-20 19:29 0 ----a-w C:\13.tmp
2009-04-20 19:29 . 2009-04-20 19:29 52736 ----a-w C:\8.tmp
2009-04-20 19:29 . 2009-04-20 19:29 38 ----a-w C:\12.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\F.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\E.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\11.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\10.tmp
2009-04-20 19:04 . 2009-04-20 19:04 38 ----a-w C:\7.tmp
2009-04-20 19:04 . 2009-04-20 19:04 52736 ----a-w C:\3.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\D.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\C.tmp
2009-04-20 19:04 . 2009-04-20 19:04 38 ----a-w C:\4.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\6.tmp
2009-04-20 19:04 . 2009-04-20 19:04 0 ----a-w C:\5.tmp
2009-04-13 23:35 . 2008-06-09 05:41 19442 ----a-w c:\documents and settings\Joey\Application Data\wklnhst.dat
2009-04-03 12:52 . 2004-08-10 11:00 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-02 23:08 . 2009-04-21 21:43 50192 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-02 23:08 . 2009-04-21 21:43 50192 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 23:08 . 2009-04-21 21:43 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-29 19:31 . 2008-09-06 20:41 65248 ----a-w c:\documents and settings\Joey\Application Data\GDIPFONTCACHEV1.DAT
2009-03-25 22:43 . 2009-03-25 22:43 -------- d-----w c:\program files\iPod
2009-03-25 22:43 . 2008-04-22 14:26 -------- d-----w c:\program files\Common Files\Apple
2009-03-25 22:41 . 2009-03-25 22:41 -------- d-----w c:\program files\Bonjour
2009-03-25 09:10 . 2009-02-17 14:13 1324 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\d3d9caps.tmp
2009-03-19 02:13 . 2009-03-19 02:13 -------- d-----w c:\program files\Zone Labs
2009-03-19 02:11 . 2009-03-19 02:11 -------- d-----w c:\program files\Alwil Software
2009-03-07 01:56 . 2009-03-07 01:56 65248 ----a-w c:\documents and settings\Beata\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2004-08-10 11:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:17 . 2009-04-21 21:38 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-03-06 02:17 . 2009-04-21 21:38 1195512 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\JumpStart
2009-03-06 00:50 . 2009-03-06 00:50 -------- d-----w c:\program files\Common Files\Knowledge Adventure
2009-03-06 00:50 . 2008-04-22 12:13 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 23:12 . 2009-04-21 21:38 80400 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-03-02 00:20 . 2008-05-03 18:49 -------- d-----w c:\program files\Google
2009-02-26 12:35 . 2008-04-22 14:19 65248 ----a-w c:\documents and settings\Joey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:10 . 2006-03-04 03:33 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-10 11:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-10 11:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 11:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-10 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-10 11:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 10:39 . 2004-08-10 11:00 55808 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2005-03-30 01:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-10 11:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-07-21 03:18 . 2008-07-21 03:18 251 ----a-w c:\program files\wt3d.ini
.

------- Sigcheck -------

[-] 2004-08-10 11:00 34816 73638095376F85943A492B672726F0C3 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 34816 6E459BE75587AABFC6ED5BC5D1131840 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 34816 1A5CD2861195499FBEE224DEE47C3BD6 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe
[-] 2008-04-14 00:12 34816 CE13AE101B4A21E74BFD5C2022E85F2C c:\windows\system32\svchost.exe

[-] 2004-08-10 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-22 20:51 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-22 20:51 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 00:12 1054208 36C280DF671D9F6BECD46AAD13B30711 c:\windows\explorer.exe
[-] 2004-08-10 11:00 1052672 F49FBC4489EEDAAC9E2CAAE906C839E2 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1054208 E3BFC5975119C52E1290E4B0DEDB76A0 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1054208 7997C3EF507C0D88476947868BCD5686 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe

[-] 2004-08-10 11:00 35840 868C3D7E7108B77C1A248954E2AB7955 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 35840 39EE0BB8028B752B26B1C540EE0705E4 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 35840 BFE7C42A6D99085FD0F70C25B317EA39 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ctfmon.exe
[-] 2008-04-14 00:12 35840 9CE5A9751DFE8810DD30CF2F86F52DDE c:\windows\system32\ctfmon.exe

[-] 2004-08-10 11:00 78336 D3D66695112A61659D5D90397AD1DC73 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 00:12 78336 01001F6328235BBDBC07D08CCFD4A43C c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 78336 A33777D011510FE8BBA01D2F1CBFC15B c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\spoolsv.exe
[-] 2008-04-14 00:12 78336 C2FC8046C59CF1C26EE283E15F6DF0A6 c:\windows\system32\spoolsv.exe

[-] 2004-08-10 11:00 45056 2E666D08CBF4B47D836E86A2D762D47B c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 46592 19962F68665826C76AE5825F9C01227D c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 46592 598E3AEB4F0E476189382BF06F350265 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
[-] 2004-08-10 11:00 45056 2E666D08CBF4B47D836E86A2D762D47B c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot DeleteThis @2009-04-26_03.07.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-04-21 21:30 . 2009-04-21 21:38 57856 c:\windows\Installer\mfcm80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 57856 c:\windows\Installer\mfcm80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 69632 c:\windows\Installer\mfcm80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 69632 c:\windows\Installer\mfcm80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 96256 c:\windows\Installer\atl80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 96256 c:\windows\Installer\atl80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 124168 c:\windows\Installer\TmDbg32.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 626688 c:\windows\Installer\msvcr80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 626688 c:\windows\Installer\msvcr80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 548864 c:\windows\Installer\msvcp80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 548864 c:\windows\Installer\msvcp80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 479232 c:\windows\Installer\msvcm80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 479232 c:\windows\Installer\msvcm80.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 156936 c:\windows\Installer\libexpat.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 1093120 c:\windows\Installer\mfc80u.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 1093120 c:\windows\Installer\mfc80u.dll
+ 2009-04-21 21:30 . 2008-02-16 07:07 1101824 c:\windows\Installer\mfc80.dll
- 2009-04-21 21:30 . 2009-04-21 21:38 1101824 c:\windows\Installer\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1850608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 79872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2003-03-09 208896]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 303104]

c:\documents and settings\Joey\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 404480]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 49152]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 303104]
NETGEAR WPN311 Wireless Assistant.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2005-2-22 4538368]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-19 09:45 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-03-06 36368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]


--- Other Services/Drivers In Memory ---

*Deregistered* - ACDaemon
*Deregistered* - ACS
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ehRecvr
*Deregistered* - ehSched
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDC8021X
*Deregistered* - mdmxsdk
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - pavboot
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SASDIFSV
*Deregistered* - SASENUM
*Deregistered* - SASKUTIL
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - tmactmon
*Deregistered* - tmcomm
*Deregistered* - tmevtmgr
*Deregistered* - tmpreflt
*Deregistered* - tmtdi
*Deregistered* - tmxpflt
*Deregistered* - TrkWks
*Deregistered* - Udfs
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vsapint
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\
FF - plugin: c:\documents and settings\Joe\Application Data\Mozilla\Firefox\Profiles\h757j2am.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 21:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\iac25_32.ax
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2009-04-28 21:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 01:52
ComboFix2.txt 2009-04-26 03:11
ComboFix3.txt 2008-11-20 23:40

Pre-Run: 30,807,908,352 bytes free
Post-Run: 30,824,484,864 bytes free

606 --- E O F --- 2009-04-27 07:00