ComboFix 08-01-14.3 - Owner 2008-01-15 7:54:34.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.651 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE
C:\Documents and Settings\All Users
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\winzoa32.dll_tobedeleted_old
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\EasySpywareCleaner
C:\Program Files\Registry Cleaner Trial
C:\Program Files\Registry Cleaner Trial\Regclean.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\avp .exe.bad
C:\VundoFix Backups\avp.exe.bad
C:\VundoFix Backups\ctfmon.exe.bad
C:\VundoFix Backups\egjlm.ini.bad
C:\VundoFix Backups\egjlm.ini2.bad
C:\VundoFix Backups\hggfecb.dll.bad
C:\VundoFix Backups\ihkmp.ini.bad
C:\VundoFix Backups\ihkmp.ini2.bad
C:\VundoFix Backups\kmllm.ini.bad
C:\VundoFix Backups\kmllm.ini2.bad
C:\VundoFix Backups\lsass .exe.bad
C:\VundoFix Backups\lsass .exe.bad
C:\VundoFix Backups\lsass.exe.bad
C:\VundoFix Backups\mljge.dll.bad
C:\VundoFix Backups\mljge.exe.bad
C:\VundoFix Backups\mllmk.dll.bad
C:\VundoFix Backups\mllmk.exe.bad
C:\VundoFix Backups\pmkhi.dll.bad
C:\VundoFix Backups\pmkhi.exe.bad
C:\VundoFix Backups\printer.exe.bad
C:\VundoFix Backups\shell.exe.bad
C:\VundoFix Backups\spoolvs.exe.bad
C:\VundoFix Backups\winzoa32.dll.bad
C:\WINDOWS\system32\ctfmona .exe
C:\WINDOWS\system32\winzoa32.dll_tobedeleted_old
.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.
2008-01-13 22:14 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 21:27 . 2008-01-13 21:27 4,022 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-13 21:24 . 2008-01-13 21:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-01-13 21:24 . 2008-01-13 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-13 21:24 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-13 21:16 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-13 21:16 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-13 21:16 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-13 21:16 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-13 21:16 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-13 21:16 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-13 21:02 . 2008-01-13 21:02 <DIR> d-------- C:\Deckard
2008-01-13 20:57 . 2008-01-13 20:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-13 20:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-13 14:19 . 2008-01-13 14:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-11 23:06 . 2008-01-11 23:06 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-01-11 23:04 . 2006-11-07 21:01 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-01-11 12:41 . 2008-01-11 12:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\EasySpywareCleaner.com
2008-01-08 22:53 . 2008-01-12 22:34 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-08 18:44 . 2008-01-08 18:44 0 --a------ C:\Install
2007-12-24 09:52 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-24 09:52 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-22 15:04 . 2007-12-28 21:44 520 --a------ C:\WINDOWS\netdet.ini
2007-12-19 17:31 . 2007-12-19 17:31 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2007-12-15 15:49 . 2007-12-19 17:31 <DIR> d-------- C:\Program Files\Cakewalk
2007-12-15 15:49 . 2007-12-19 17:32 <DIR> d-------- C:\Cakewalk Projects
2007-12-15 15:30 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-12-15 15:28 . 2007-12-15 15:28 <DIR> d-------- C:\Linksys Driver
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 06:22 --------- d-----w C:\Program Files\QuickTime
2008-01-14 06:22 --------- d-----w C:\Program Files\iTunes
2008-01-13 23:49 --------- d-----w C:\Program Files\Viewpoint
2008-01-13 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-13 23:47 --------- d-----w C:\Program Files\MySpace
2008-01-13 23:45 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 23:43 --------- d-----w C:\Program Files\LimeWire
2008-01-13 23:41 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-13 23:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-13 21:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2008-01-10 00:50 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-28 21:01 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-28 00:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\PlayFirst
2007-12-24 01:07 --------- d-----w C:\Program Files\Diablo II
2007-12-15 23:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 09:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-01 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv(2).dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-09-02 20:17 2,273,106 -c--a-w C:\Program Files\SFM2Install.exe
2007-08-08 02:17 17 -c--a-w C:\Program Files\Sims2Pack Clean Installer.ini
2005-05-12 06:36 12,288 -c--a-w C:\WINDOWS\Fonts\RandFont.dll
.
----a-w 9,728 2008-01-13 06:35:29 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun .exe
((((((((((((((((((((((((((((( snapshot@2008-01-14_13.49.54.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 06:16:00 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-15 15:54:31 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 06:16:00 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-15 15:54:31 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 06:16:00 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-15 15:54:31 1,417,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-14 06:16:00 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-15 15:54:31 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 06:16:00 8,146,944 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-15 15:54:31 7,827,456 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 06:16:01 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 15:54:32 155,648 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 15:10:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 22:34 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-13 10:12 1415824]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB2782"="command /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
"SpybotDeletingD8803"="cmd /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 577536 C:\WINDOWS\soundman.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2008-01-13 10:12 90112]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-13 10:12 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2008-01-13 10:12 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2008-01-13 10:12 40960]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [2008-01-13 10:12 49152]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2008-01-13 10:12 851968]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-13 10:12 57344]
"zzzHPSETUP"="D:\Setup.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-13 10:12 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-13 10:12 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-13 10:12 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-13 10:12 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AOLRebootNeeded"="regsvr32.exe" [2004-08-04 11:00 11776 C:\WINDOWS\system32\regsvr32.exe]
"VundoFix"="C:\Documents and Settings\Owner\Desktop\vundofix.exe" [2008-01-13 14:16 132608]
"SpybotDeletingA7973"="command /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
"SpybotDeletingC5299"="cmd /c del C:\Documents and Settings\Owner\Local Settings\Temp\gos1E.tmp_tobedeleted_old" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
autorun .exe [2008-01-12 22:35:29]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-07-23 20:22:05]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-02-01 07:38:18]
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-13 10:12 267048 C:\Program Files\iTunes\iTunesHelper.exe
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{32f8ce28-469c-11dc-bbbf-0013d3b1bb15}]
\Shell\AutoRun\command - J:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9a92e7e-5d4e-11dc-bbeb-0013d3b1bb15}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 04:22:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-15 07:55:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-15 7:55:47
ComboFix-quarantined-files.txt 2008-01-15 15:55:33
ComboFix2.txt 2008-01-15 15:41:49
ComboFix3.txt 2008-01-14 21:50:16
.
2008-01-13 05:23:36 --- E O F ---
New ComboFix log. I am attaching the HijackThis log next, and will download an antivirus program listed (: