HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

09-15-2007, 02:12 PM   #1
Registered User
 
Join Date: Sep 2007
Posts: 9
OS: XP


Pop-ups galore! HJT log included

Hey,
I'd really appreciate it if someone spent a minute looking through my log. Recently I've just been attacked with pop-ups, and have also been experiencing some slow internet as well.
Would anyone know what's up?

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:50:54, on 15/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\vhrtgbir.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Documents and Settings\Adam\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [xkpgjgba] rundll32.exe "C:\Program Files\xkpgjgba\zqhsvcxk.dll",Init
O4 - HKLM\..\Run: [etitctir] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\etitctir.dll"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win80.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvaf.dll,startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\fikrxjme.dll",forkonce
O4 - HKLM\..\RunServices: [NAVSCAN32.EXE] NAVSCAN32.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NAVSCAN32.EXE] NAVSCAN32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitBuddy - {8FCCDD73-C9F3-443a-AB53-7A25FD925808} - C:\Program Files\BitBuddy\BitBuddy.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab30149.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.35mb.com/applet/applet_l.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102802471859
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DomainService - - C:\WINDOWS\system32\vhrtgbir.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Update Manager (WUM) - Unknown owner - C:\WINDOWS\winfire.exe (file missing)
frijj is offline  
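The log above is the kind of thing the forum's analysts triage by eye. As an added example (not code from this thread, from HijackThis or from SDFix), the Python script below applies a few of the checks such a reviewer makes to the line formats shown in the log: an O4 autorun that starts from a Temp directory or loads a DLL through rundll32/regsvr32, an O16 ActiveX download pulled from a local file:// path instead of a vendor site, an O21 entry or O23 service whose file is missing, a service with no vendor name, and a file name with almost no vowels. The thresholds, the function names and the sample lines (copied from the log above, with a few legitimate entries mixed in so both kinds of input are present) are my own assumptions; a hit means "look closer", not "malicious".

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus a few clearly legitimate entries so the heuristics see both kinds of input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xkpgjgba] rundll32.exe "C:\Program Files\xkpgjgba\zqhsvcxk.dll",Init
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win80.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvaf.dll,startup
O4 - HKLM\..\Run: [etitctir] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\etitctir.dll"
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: DomainService - - C:\WINDOWS\system32\vhrtgbir.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Update Manager (WUM) - Unknown owner - C:\WINDOWS\winfire.exe (file missing)
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# rundll32 / regsvr32, an optional /u switch, then the (possibly quoted) DLL path
LOADER_RE = re.compile(r'(?:rundll32|regsvr32)(?:\.exe)?\s+(?:/u\s+)?"?([^",]+\.dll)', re.IGNORECASE)
# O23 body: "display name - vendor - image path"; the vendor may be empty ("name - - path")
SERVICE_RE = re.compile(r"^(?P<name>.+?) - (?P<vendor>.*?) ?- (?P<image>[A-Za-z]:\\.+)$")


def stem(path: str) -> str:
    """File name without directory and last extension, e.g. 'vhrtgbir' for a vhrtgbir.exe path."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Heuristic (my assumption): a lowercase name of 6+ letters with at most 25% vowels,
    such as 'xkpgjgba', is typical of generated malware file names. Some legitimate
    abbreviations will also trip it, so treat a hit as a hint, not a verdict."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6 or any(c.isupper() for c in letters):
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.25


def triage_line(line: str) -> List[str]:
    """Reasons this HijackThis line deserves a closer look ([] if no heuristic fires)."""
    reasons: List[str] = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    kind, body = m.groups()

    if kind == "O4":                                   # autorun: "[name] command"
        cmd = body.split("] ", 1)[-1]
        if TEMP_RE.search(cmd):
            reasons.append("autorun launches an executable from a Temp directory")
        loader = LOADER_RE.search(cmd)
        if loader:
            reasons.append("autorun loads a DLL through rundll32/regsvr32")
            dll = stem(loader.group(1))
            if looks_random(dll):
                reasons.append(f"DLL name '{dll}' looks machine-generated")

    elif kind == "O16":                                # ActiveX download (DPF)
        if re.search(r"-\s+file://", body, re.IGNORECASE):
            reasons.append("ActiveX control is loaded from a local file:// path, not a vendor site")

    elif kind == "O21":                                # ShellServiceObjectDelayLoad
        if body.endswith("(no file)"):
            reasons.append("shell service object points at a file that no longer exists")

    elif kind == "O23" and body.startswith("Service: "):
        svc = SERVICE_RE.match(body[len("Service: "):])
        if svc:
            vendor, image = svc.group("vendor").strip(), svc.group("image")
            missing = image.endswith("(file missing)")
            if vendor in ("", "Unknown owner"):
                reasons.append("service has no vendor/company name")
            if missing:
                reasons.append("service image file is missing from disk")
            exe = stem(image[: -len(" (file missing)")] if missing else image)
            if looks_random(exe):
                reasons.append(f"service image name '{exe}' looks machine-generated")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-blank line; keep only lines that collected a reason."""
    flagged = []
    for line in log_text.splitlines():
        if line.strip():
            reasons = triage_line(line)
            if reasons:
                flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it prints each flagged line with its reasons: the ccApp, Yahoo and iPod entries come out clean, while the DomainService service and the xkpgjgba autorun each collect two reasons (no vendor plus a vowel-poor image name, and a rundll32 DLL load plus a vowel-poor DLL name). Randomly named files and services that are later confirmed malicious, such as vhrtgbir.exe in the SDFix log further down, are exactly the entries these checks surface first.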
09-15-2007, 11:07 PM   #2
Analyst, Security Team
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: Pop-ups galore! HJT log included

If you have access to another computer to D/L the programs below, use it and disconnect this one from the internet.
If not, D/L both to your desktop and THEN unplug your internet connection.
Please follow the steps in the order they are given; also print this out or copy it to Notepad for use while the fix is running.

Download SDFix and save it to your desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

Please then reboot your computer in Safe Mode (without Networking) by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the C:\SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here along with a Combofix log..(below)

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply.
jwbirdsong is offline  
09-16-2007, 12:32 PM   #3
Registered User
 
Join Date: Sep 2007
Posts: 9
OS: XP


Re: Pop-ups galore! HJT log included

Thanks for the quick reply, I really appreciate it!

Here is the SDFix log:


SDFix: Version 1.104

Run by Adam on 16/09/2007 at 18:35

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
DomainService

ImagePath:
C:\WINDOWS\system32\vhrtgbir.exe /service

DomainService - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\WDMIFIL.DLL - Deleted
C:\114258~1 - Deleted
C:\Documents and Settings\Adam\Local Settings\Temp\winEE.tmp.exe - Deleted
C:\Documents and Settings\Adam\Local Settings\Temp\winF0.tmp.exe - Deleted
C:\Documents and Settings\Adam\Local Settings\Temp\~fi113.tmp.exe - Deleted
C:\WINDOWS\Temp\win80.tmp.exe - Deleted
C:\WINDOWS\Temp\win84.tmp.exe - Deleted
C:\WINDOWS\Temp\win8C.tmp.exe - Deleted
C:\WINDOWS\Temp\win93.tmp.exe - Deleted
C:\WINDOWS\Temp\win80.tmp.exe - Deleted
C:\WINDOWS\Temp\win84.tmp.exe - Deleted
C:\WINDOWS\Temp\win8C.tmp.exe - Deleted
C:\WINDOWS\Temp\win93.tmp.exe - Deleted
C:\DOCUME~1\Adam\LOCALS~1\Temp\GLF12D.tmp.dll - Deleted
C:\DOCUME~1\Adam\LOCALS~1\Temp\GLFFB.tmp.dll - Deleted
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe - Deleted
C:\DOCUME~1\Adam\LOCALS~1\Temp\hdq26.tmp - Deleted
C:\DOCUME~1\Adam\LOCALS~1\Temp\temp.bat - Deleted
C:\d.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\internet.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\TFTP1508 - Deleted
C:\WINDOWS\system32\TFTP2396 - Deleted
C:\WINDOWS\system32\TFTP3824 - Deleted
C:\WINDOWS\system32\web.dat - Deleted
C:\WINDOWS\system32\winbjv32.dll - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\moove\\_adv.exe"="C:\\moove\\_adv.exe:*:Enabled:Roomancer - moove Online World Client"
"C:\\WINDOWS\\system32\\otserv.exe"="C:\\WINDOWS\\system32\\otserv.exe:*:Enabled:otserv"
"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.891\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.891\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX04.828\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX04.828\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX09.203\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX09.203\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX28.187\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX28.187\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Desktop\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Desktop\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.172\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.172\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.781\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\Rar$EX00.781\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealOne Player"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\IMVU\\gui1.exe"="C:\\Program Files\\IMVU\\gui1.exe:*:Enabled:gui1"
"C:\\Program Files\\Gaim\\gaim.exe"="C:\\Program Files\\Gaim\\gaim.exe:*:Enabled:gaim"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\TeVeo\\TeVeo VIDiO Suite\\Live\\TeVeoLive.exe"="C:\\Program Files\\TeVeo\\TeVeo VIDiO Suite\\Live\\TeVeoLive.exe:*:Enabled:TeVeoLive"
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\iVisit\\iVisit.exe"="C:\\Program Files\\iVisit\\iVisit.exe:*:Enabled: iVisit "
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Documents and Settings\\Adam\\Desktop\\Unused\\Release\\TibiCAM.exe"="C:\\Documents and Settings\\Adam\\Desktop\\Unused\\Release\\TibiCAM.exe:*:Enabled:TibiCAM"
"C:\\Documents and Settings\\Adam\\Desktop\\The Ot\\ots\\YurOTS.exe"="C:\\Documents and Settings\\Adam\\Desktop\\The Ot\\ots\\YurOTS.exe:*:Enabled:YurOTS"
"C:\\Program Files\\Eyeball\\Eyeball Chat\\EyeballChat.exe"="C:\\Program Files\\Eyeball\\Eyeball Chat\\EyeballChat.exe:*:Enabled:Eyeball Chat"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Vampire city\\Vampirecity.exe"="C:\\Program Files\\Vampire city\\Vampirecity.exe:*:Enabled:Vampirecity"
"C:\\Program Files\\LeapFTP\\LeapFTP.exe"="C:\\Program Files\\LeapFTP\\LeapFTP.exe:*:Enabled:File Transfer Protocol (FTP) Client"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\RSSoft\\RedSwoosh.exe"="C:\\Program Files\\RSSoft\\RedSwoosh.exe:*:Disabled:RedSwoosh"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\MySpaceMp3Gopher.exe"="C:\\Documents and Settings\\Adam\\Local Settings\\Temp\\MySpaceMp3Gopher.exe:*:Enabled:MySpace Mp3 Gopher Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\ooVoo\\ooVoo.exe"="C:\\Program Files\\ooVoo\\ooVoo.exe:*:Enabled:ooVoo"
"C:\\Program Files\\BitBuddy\\BitBuddy.exe"="C:\\Program Files\\BitBuddy\\BitBuddy.exe:*:Enabled:BitBuddy"
"C:\\DOCUME~1\\Adam\\LOCALS~1\\Temp\\winEA.tmp.exe"="C:\\DOCUME~1\\Adam\\LOCALS~1\\Temp\\winEA.tmp.exe:*:Enabled:winEA.tmp"
"C:\\WINDOWS\\system32\\mwobffdu.exe"="C:\\WINDOWS\\system32\\mwo"
"C:\\WINDOWS\\system32\\vhrtgbir.exe"="C:\\WINDOWS\\system32\\vhr"
"C:\\WINDOWS\\TEMP\\win7E.tmp.exe"="C:\\WINDOWS\\TEMP\\win7E.tmp.exe:*:Enabled:win7E.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Adam\Desktop\new unused\Unused\celldwelleruk\gallery\beyondreflection.com - july 29 2004\Thumbs.db
C:\Documents and Settings\Adam\Desktop\new unused\Unused\celldwelleruk\gallery\dnalounge.com - 19 november\Thumbs.db
C:\Documents and Settings\Adam\Desktop\new unused\Unused\celldwelleruk\gallery\jet13.hasweb.com[slash]~paulcas - celldweller november 2 2003 Paul W. Cashman\Thumbs.db
C:\Documents and Settings\Adam\Desktop\new unused\Unused\celldwelleruk\gallery\pics from dusted.com\Thumbs.db
C:\Documents and Settings\Adam\Desktop\new unused\Unused\celldwelleruk\gallery\thewhitehouserocks.com - 20 september\Thumbs.db
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Messenger\icantseemtofindthespacebar@hotmail.com\Sharing Folders\djwoodford@hotmail.com\Thumbs.db
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Messenger\icantseemtofindthespacebar@hotmail.com\Sharing Folders\idiggiantrobots@hotmail.com\Thumbs.db
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Messenger\icantseemtofindthespacebar@hotmail.com\Sharing Folders\obsessedeminemfan@hotmail.com\Thumbs.db
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Messenger\icantseemtofindthespacebar@hotmail.com\Sharing Folders\sozbasically@hotmail.com\Thumbs.db
C:\Documents and Settings\Adam\Local Settings\Application Data\Microsoft\Messenger\seriouslyadam@hotmail.com\Sharing Folders\obsessedeminemfan@hotmail.com\Thumbs.db
C:\Documents and Settings\Adam\SendTo\WLM - seriouslyadam@hotmail.com\brokenmemory@gmail.com.lnk
C:\Documents and Settings\Adam\SendTo\WLM - seriouslyadam@hotmail.com\Desktop.ini
C:\Program Files\Trillian\users\default\downloads\MSN\icantseemtofindthespacebar@hotmail.com\Thumbs.db
C:\Program Files\Trillian\users\default\downloads\MSN\seriouslyadam@hotmail.com\Thumbs.db
C:\Program Files\Common Files\aolshare\shell\uk\shellext.dll
C:\Program Files\eRightSoft\SUPER\cygwin1.dll
C:\Program Files\eRightSoft\SUPER\cygz.dll
C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll
C:\WINDOWS\system32\3B39574D65.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\flvDX.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\msfDX.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Program Files\eRightSoft\SUPER\Setup.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\system32\msvcrsp.exe
C:\WINDOWS\system32\x.264.exe
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0198776.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0198833.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0198973.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0199044.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0199166.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP441\A0199191.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP442\A0199344.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP442\A0199469.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP442\A0199536.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP443\A0199560.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP443\A0199658.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP443\A0199698.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP443\A0199744.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP443\A0199824.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200116.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200166.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200205.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200295.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200405.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200590.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200709.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP445\A0200813.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP446\A0201015.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP446\A0201086.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP446\A0201202.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP448\A0201655.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP449\A0201970.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP449\A0202074.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP450\A0202390.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202458.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202616.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202639.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202758.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202790.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP451\A0202876.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP452\A0202894.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP453\A0203038.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP453\A0203139.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP454\A0203260.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP455\A0204096.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP471\A0204193.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP471\A0204319.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP471\A0204410.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP473\A0204620.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP473\A0204703.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP473\A0204751.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP476\A0205270.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP476\A0205319.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP476\A0205441.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP477\A0205740.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP479\A0206288.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP479\A0206311.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP479\A0206503.sys
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP479\A0206547.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Finished!





-----


and here is the ComboFix log:

ComboFix 07-09-14.2 - "Adam" 2007-09-16 19:08:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.475 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\xkpgjgba
C:\Program Files\xkpgjgba\zqhsvcxk.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\emjxrkif.ini
C:\WINDOWS\system32\fikrxjme.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\jygdtugd.exe
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\piywexus.exe
C:\WINDOWS\system32\qephhfgy.exe
C:\WINDOWS\system32\urqnoll.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-16 to 2007-09-16 )))))))))))))))))))))))))))))))
.

2007-09-16 19:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-15 20:32 15,360 --a------ C:\WINDOWS\system32\drvvafr.dll
2007-09-15 20:32 104,448 --a------ C:\WINDOWS\system32\drvvaf.dll
2007-09-11 14:18 15,360 --a------ C:\WINDOWS\system32\drvfefr.dll
2007-08-27 01:42 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-08-27 01:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 19:18 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-16 19:16 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-16 12:28 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Creative
2007-09-16 11:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-15 22:27 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
2007-09-15 21:39 --------- d-------- C:\Program Files\Creative
2007-09-15 20:32 1357893 --ahs---- C:\WINDOWS\system32\edeeg.bak2
2007-09-11 14:19 --------- d-------- C:\Program Files\Winamp
2007-09-02 00:36 9652 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-28 23:55 --------- d-------- C:\Program Files\Trillian
2007-08-27 12:54 --------- d-------- C:\Program Files\Common Files\LogiShrd
2007-08-27 01:41 --------- d-------- C:\Program Files\Logitech
2007-08-16 10:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-08-16 10:43 --------- d-------- C:\Program Files\Sony
2007-08-16 10:42 --------- d-------- C:\Program Files\Sony Setup
2007-08-14 17:46 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Sony Corporation
2007-08-14 17:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-08-13 22:13 --------- d-------- C:\Program Files\LeapFTP
2007-08-12 11:30 --------- d-------- C:\Program Files\BitComet
2007-08-11 21:46 --------- d-------- C:\Program Files\BitBuddy
2007-08-11 21:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kontiki
2007-07-21 02:21 --------- d-------- C:\Program Files\Viewpoint
2007-07-21 02:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-07-21 02:13 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Screenshot Sender
2007-07-20 00:39 2142488 --a------ C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-07-20 00:37 2109592 --a------ C:\WINDOWS\system32\drivers\Lvckap.sys
2007-07-19 01:44 465432 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-07-19 01:44 41752 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-07-19 01:44 3599000 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys
2007-07-19 01:44 22296 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys
2007-07-19 01:43 490008 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-07-19 01:42 1920920 --a------ C:\WINDOWS\system32\drivers\lvpopflt.sys
2007-07-19 01:40 416280 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-07-19 00:55 19344 --a------ C:\WINDOWS\system32\Repository.reg
2007-07-18 17:42 25624 --a------ C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2003-09-11 14:19 102400 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\etitctir.dll
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2006-04-20 21:38:13 8 --sh--r C:\WINDOWS\system32\3B39574D65.dll
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 0954 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2002-09-19 19:34:19 30,484 --sha-w C:\WINDOWS\system32\msvcrsp.exe
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39020A55-CD91-4FC9-8149-11FBE0DEC17A}]
2003-09-11 14:23 244832 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7378296C-1FA1-46CC-927A-059E501AFAE4}]
2003-09-11 14:19 102400 --a------ C:\Program Files\Soqsobaj\eqsvwcxo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 21:10]
"NAVSCAN32.EXE"="NAVSCAN32.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-17 14:32]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-28 01:53]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" []
"VCSPlayer"="C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" [2003-08-13 10:33]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"CleanEasyImg"="c:\apps\easydvd\cleanall.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-11 02:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 20:09]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"NAVSCAN32.EXE"=NAVSCAN32.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NAVSCAN32.EXE"=NAVSCAN32.exe
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\DOCUME~1\Adam\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-06 18:27:52]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-02-16 22:55:37]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geede

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Basic Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Basic Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Basic Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs
backup=C:\WINDOWS\pss\Search.vbsCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
C:\WINDOWS\Belt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClickMe]
C:\apps\ClickMe\ClickMe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
C:\Program Files\ClearSearch\Loader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
c:\windows\ioneei~1\msbb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"c:\Apps\Powercinema\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pldo]
C:\Documents and Settings\Lauren\Application Data\osrr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
C:\DOCUME~1\Lauren\LOCALS~1\Temp\bundle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skynetave.exe]
C:\WINDOWS\skynetave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
C:\WINDOWS\System32\isooz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zqzhadg]
C:\WINDOWS\System32\aqzdrr.exe

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S2 WUM;Windows Update Manager;"C:\WINDOWS\winfire.exe"
S3 ASIOMI;ASIOMI;\??\C:\WINDOWS\system32\drivers\ASIOMI.sys
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\CTRun\Start.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove
.
Contents of the 'Scheduled Tasks' folder
"2007-06-29 15:47:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-17 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2004-06-17 22:50:00 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-06-24 21:35:00 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-09-16 18:23:02 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 19:18:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-16 19:24:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 19:24
.
--- E O F ---





----

Is there anything else I should do?
Old 09-16-2007, 04:17 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: Pop-ups galore! HJT log included

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/1080549-post1.html

File::
C:\WINDOWS\system32\edeeg.bak2

Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\DOCUME~1\\Adam\\LOCALS~1\\Temp\\winEA.tmp.exe"=-
"C:\\WINDOWS\\system32\\mwobffdu.exe"=-
"C:\\WINDOWS\\system32\\vhrtgbir.exe"=-
"C:\\WINDOWS\\TEMP\\win7E.tmp.exe"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39020A55-CD91-4FC9-8149-11FBE0DEC17A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7378296C-1FA1-46CC-927A-059E501AFAE4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAVSCAN32.EXE"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"NAVSCAN32.EXE"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NAVSCAN32.EXE"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClickMe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClrSchLoader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DM_Server]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pldo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\skynetave.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zqzhadg]

Suspect::[34]
C:\WINDOWS\system32\drvvafr.dll
C:\WINDOWS\system32\drvvaf.dll
C:\WINDOWS\system32\drvfefr.dll
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
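The CFScript in the post above does more than delete files: it strips the extra LSA "Authentication Packages" entry (lsass.exe loads every package listed there at boot, so that geede DLL ran as SYSTEM before anyone logged on), removes the two BHOs, and clears msconfig autostarts that point into Temp folders. As an added example, not code from the thread, from the analyst or from ComboFix, the Python below parses a constructed excerpt of the ComboFix "Reg Loading Points" listing, reports the non-default LSA package and the entries that load the same module or run from Temp, and encodes/decodes the `hex(7)` REG_MULTI_SZ literal the script uses to put `msv1_0` back. The sample lines are copied from the thread; the path heuristics and the function names are this example's own assumptions, not ComboFix's detection rules.

```python
r"""Added example (not from the thread or ComboFix): triage helpers for the
ComboFix "Reg Loading Points" listing and the CFScript above.  The infection
listed C:\WINDOWS\system32\geede as an extra LSA "Authentication Packages"
entry (lsass.exe loads those at boot, as SYSTEM), registered the same
geede.dll as a Browser Helper Object, and parked autostarts in Temp folders.
SAMPLE_LOG is constructed from thread lines; the heuristics are assumptions.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39020A55-CD91-4FC9-8149-11FBE0DEC17A}]
2003-09-11 14:23 244832 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7378296C-1FA1-46CC-927A-059E501AFAE4}]
2003-09-11 14:19 102400 --a------ C:\Program Files\Soqsobaj\eqsvwcxo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\geede

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAHBundle]
C:\DOCUME~1\Lauren\LOCALS~1\Temp\bundle.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"c:\Apps\Powercinema\PCMService.exe"
"""

DEFAULT_AUTH_PACKAGES = {"msv1_0"}        # the only package Windows XP ships with
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")   # drive letter through end of line
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_loading_points(text):
    """Return (registry_key, line) pairs; a line belongs to the last [key] seen."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
        elif current is not None:
            entries.append((current, line))
    return entries


def path_in(line):
    """First Windows path on the line, surrounding quotes stripped, or None."""
    m = PATH_RE.search(line)
    return m.group(0).strip('"') if m else None


def extra_auth_packages(entries):
    """LSA 'Authentication Packages' names beyond the Windows default."""
    extra = []
    for key, line in entries:
        if key.lower().endswith("\\control\\lsa") and line.startswith('"Authentication Packages"'):
            # ComboFix prints the value with doubled backslashes; normalise them.
            for pkg in line.split("=", 1)[1].replace("\\\\", "\\").split():
                if pkg not in DEFAULT_AUTH_PACKAGES:
                    extra.append(pkg)
    return extra


def suspicious_entries(entries):
    """Heuristic findings as (reason, key, path): Temp-folder autostarts and
    BHOs whose module name matches an extra LSA package (assumptions)."""
    lsa_stems = {p.rsplit("\\", 1)[-1].lower() for p in extra_auth_packages(entries)}
    findings = []
    for key, line in entries:
        path = path_in(line)
        if not path:
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if TEMP_RE.search(path):
            findings.append(("autostart from Temp folder", key, path))
        elif "browser helper objects" in key.lower() and stem in lsa_stems:
            findings.append(("BHO also loaded by LSA", key, path))
    return findings


def reg_multi_sz_hex(values, unicode=False):
    """Encode strings as a .reg hex(7) REG_MULTI_SZ literal.  unicode=False is
    one byte per character (REGEDIT4 form, as in the CFScript above);
    unicode=True is UTF-16LE, as 'Windows Registry Editor Version 5.00' writes."""
    enc = "utf-16-le" if unicode else "ascii"
    nul = "\x00".encode(enc)
    data = b"".join(v.encode(enc) + nul for v in values) + nul   # double NUL ends the list
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_reg_multi_sz_hex(literal, unicode=False):
    """Inverse of reg_multi_sz_hex: hex(7) literal -> list of strings."""
    enc = "utf-16-le" if unicode else "ascii"
    data = bytes(int(h, 16) for h in literal.split(":", 1)[1].split(","))
    return [s for s in data.decode(enc).split("\x00") if s]


if __name__ == "__main__":
    entries = parse_loading_points(SAMPLE_LOG)
    print("extra LSA packages:", extra_auth_packages(entries))
    for finding in suspicious_entries(entries):
        print(" | ".join(finding))
    print('"Authentication Packages"=' + reg_multi_sz_hex(["msv1_0"]))
```

Run as a script it lists `C:\WINDOWS\system32\geede` as the extra LSA package, flags the geede.dll BHO and the Temp-folder `bundle.exe` autostart, and prints `"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00`, byte for byte the line the CFScript uses. The `unicode=True` path matters if you hand-write a `.reg` file for regedit rather than a CFScript: a "Version 5.00" file stores REG_MULTI_SZ as UTF-16LE, so the single-byte literal would import as garbage there.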
Old 09-17-2007, 04:40 PM   #5 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 9
OS: XP


Re: Pop-ups galore! HJT log included

Okay, I've followed the instructions and sent it to Bleeping Computer. Here is the ComboFix log:

ComboFix 07-09-14.2 - "Adam" 2007-09-17 23:16:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.287 [GMT 1:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\edeeg.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aprquwdu.dll
C:\WINDOWS\system32\cnwymkci.exe
C:\WINDOWS\system32\edeeg.bak2
C:\WINDOWS\system32\flgowcfq.exe
C:\WINDOWS\system32\jwckhfur.dll
C:\WINDOWS\system32\kuoaspgw.dll
C:\WINDOWS\system32\nvhfawbe.exe
C:\WINDOWS\system32\pnbwmifq.dll
C:\WINDOWS\system32\rufhkcwj.ini
C:\WINDOWS\system32\udwuqrpa.ini
C:\WINDOWS\system32\yhsstvds.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-16 19:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-15 20:32 15,360 --a------ C:\WINDOWS\system32\drvvafr.dll
2007-09-15 20:32 104,448 --a------ C:\WINDOWS\system32\drvvaf.dll
2007-09-11 14:18 15,360 --a------ C:\WINDOWS\system32\drvfefr.dll
2007-08-27 01:42 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-08-27 01:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 23:30 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-17 23:27 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-16 12:28 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Creative
2007-09-16 11:44 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-15 22:27 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Apple Computer
2007-09-15 21:39 --------- d-------- C:\Program Files\Creative
2007-09-11 14:19 --------- d-------- C:\Program Files\Winamp
2007-08-28 23:55 --------- d-------- C:\Program Files\Trillian
2007-08-27 12:54 --------- d-------- C:\Program Files\Common Files\LogiShrd
2007-08-27 01:41 --------- d-------- C:\Program Files\Logitech
2007-08-16 10:44 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony
2007-08-16 10:43 --------- d-------- C:\Program Files\Sony
2007-08-16 10:42 --------- d-------- C:\Program Files\Sony Setup
2007-08-14 17:46 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Sony Corporation
2007-08-14 17:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sony Corporation
2007-08-13 22:13 --------- d-------- C:\Program Files\LeapFTP
2007-08-12 11:30 --------- d-------- C:\Program Files\BitComet
2007-08-11 21:46 --------- d-------- C:\Program Files\BitBuddy
2007-08-11 21:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kontiki
2007-07-21 02:21 --------- d-------- C:\Program Files\Viewpoint
2007-07-21 02:21 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-07-21 02:13 --------- d-------- C:\DOCUME~1\Adam\APPLIC~1\Screenshot Sender
2007-07-20 00:39 2142488 --a------ C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-07-20 00:37 2109592 --a------ C:\WINDOWS\system32\drivers\Lvckap.sys
2007-07-19 01:44 41752 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-07-19 01:44 3599000 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys
2007-07-19 01:44 22296 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys
2007-07-19 01:42 1920920 --a------ C:\WINDOWS\system32\drivers\lvpopflt.sys
2007-07-18 17:42 25624 --a------ C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2003-09-11 14:19 102400 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\etitctir.dll
2005-05-13 16:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2006-04-20 21:38:13 8 --sh--r C:\WINDOWS\system32\3B39574D65.dll
2005-07-14 11:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 14:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 0954 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47:16 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
2002-09-19 19:34:19 30,484 --sha-w C:\WINDOWS\system32\msvcrsp.exe
2005-02-28 12:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 23:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393186D5-40EC-4BB5-B624-CF6E9A5390B6}]
2003-09-11 14:23 244832 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 21:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-12-02 16:11]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 16:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-17 14:32]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-28 01:53]
"ScreenPrint32"="C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe" []
"VCSPlayer"="C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe" [2003-08-13 10:33]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"CleanEasyImg"="c:\apps\easydvd\cleanall.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06]
"CTRegRun"="C:\WINDOWS\CTRegRun.EXE" [1999-10-11 02:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 09:52]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 15:35]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 20:09]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-19 20:09:10]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2006-01-10 20:13:36]

C:\DOCUME~1\Adam\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-07-06 18:27:52]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-02-16 22:55:37]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Basic Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Basic Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Basic Help.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Search.vbs]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.vbs
backup=C:\WINDOWS\pss\Search.vbsCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"c:\Apps\Powercinema\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R1 Asapi;Asapi;C:\WINDOWS\system32\drivers\Asapi.sys
R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys
R1 vcsmpdrv;vcsmpdrv;C:\WINDOWS\system32\DRIVERS\vcsmpdrv.sys
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys
S2 WUM;Windows Update Manager;"C:\WINDOWS\winfire.exe"
S3 ASIOMI;ASIOMI;\??\C:\WINDOWS\system32\drivers\ASIOMI.sys
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\CTRun\Start.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove
.
Contents of the 'Scheduled Tasks' folder
"2007-06-29 15:47:49 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-17 19:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2004-06-17 22:50:00 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2004-06-24 21:35:00 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-09-17 22:33:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 23:31:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-17 23:34:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-17 23:33
C:\ComboFix2.txt ... 2007-09-16 19:24
.
--- E O F ---





Any other instructions?
Old 09-17-2007, 11:09 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2007
Posts: 289
OS: ARCH Linux


Re: Pop-ups galore! HJT log included

Yeah, another run of CF and then an online scan should have you looking pretty good, we hope.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/1080549-post1.html

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{393186D5-40EC-4BB5-B624-CF6E9A5390B6}]
Collect::
C:\WINDOWS\system32\drvvafr.dll
C:\WINDOWS\system32\drvvaf.dll
C:\WINDOWS\system32\drvfefr.dll
Save this as CFScript.txt



Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available, otherwise Standard)
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan":
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
When done post the Kaspersky log and the Combofix log.
Last edited by jwbirdsong : 09-17-2007 at 11:23 PM.
jwbirdsong is offline  
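The post above drives ComboFix with a CFScript (Registry:: and Collect:: directives) and asks for the resulting ComboFix.txt. The following is an added example for this thread, not ComboFix's own tooling and not code from anyone in the thread: it parses the plain-text log format seen in the replies and cross-checks the Collect:: paths against the "Other Deletions" section, so an analyst can confirm the script did what was intended before moving on to the online scan. The sample CFScript and log excerpt are constructed from the text in this thread; the section titles and line shapes (title wrapped in runs of parentheses, `-------\Name` for removed services, `date time size attrs path` for created files) are assumptions taken from that log, not a published format specification.

```python
"""Parse a ComboFix log and cross-check it against the CFScript that drove the run.

Added example for this thread; the log layout below is assumed from the posted log.
"""
import re
from typing import Dict, List

# Constructed sample: the CFScript from the post above (Registry:: and Collect::).
CFSCRIPT = """\
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{393186D5-40EC-4BB5-B624-CF6E9A5390B6}]
Collect::
C:\\WINDOWS\\system32\\drvvafr.dll
C:\\WINDOWS\\system32\\drvvaf.dll
C:\\WINDOWS\\system32\\drvfefr.dll
"""

# Constructed excerpt shaped like the ComboFix log posted in the reply.
COMBOFIX_LOG = """\
ComboFix 07-09-14.2 - "Adam" 2007-09-21 14:57:24.3 - NTFSx86
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\\WINDOWS\\cookies.ini
C:\\WINDOWS\\system32\\drvfefr.dll
C:\\WINDOWS\\system32\\drvvaf.dll
C:\\WINDOWS\\system32\\drvvafr.dll
C:\\WINDOWS\\system32\\migwdpqf.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\\LEGACY_DOMAINSERVICE
-------\\DomainService

((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.
2007-09-18 20:33 1,311,259 ---hs---- C:\\WINDOWS\\system32\\edeeg.bak2
2007-09-16 19:06 51,200 --a------ C:\\WINDOWS\\NirCmd.exe
2007-09-16 18:33 <DIR> d-------- C:\\WINDOWS\\ERUNT
"""

# A section header is a run of '(' , the title, then a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]}; a directive line ends in '::'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a ComboFix log under their section titles."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":  # skip banner and '.' spacers
            sections[current].append(line)
    return sections


def deleted_files(log: Dict[str, List[str]]) -> List[str]:
    return list(log.get("Other Deletions", []))


def removed_services(log: Dict[str, List[str]]) -> List[str]:
    """Names from '-------\\Name' lines in the Drivers/Services section."""
    return [l.split("\\", 1)[1] for l in log.get("Drivers/Services", []) if l.startswith("-------\\")]


def recently_created(log: Dict[str, List[str]]) -> List[dict]:
    """Entries from the 'Files Created ...' section as date, size, attrs, path."""
    entries = []
    for title, lines in log.items():
        if not title.startswith("Files Created"):
            continue
        for line in lines:
            parts = line.split(None, 4)  # date time size attrs path (path may contain spaces)
            if len(parts) != 5:
                continue
            date, _time, size, attrs, path = parts
            entries.append({
                "date": date, "attrs": attrs, "path": path,
                "size": None if size == "<DIR>" else int(size.replace(",", "")),
                # a freshly created hidden+system file deserves a second look
                "hidden_system": "h" in attrs and "s" in attrs,
            })
    return entries


def unconfirmed_collect(script: Dict[str, List[str]], log: Dict[str, List[str]]) -> List[str]:
    """Collect:: paths missing from Other Deletions (case-insensitive, as NTFS paths are)."""
    deleted = {p.lower() for p in deleted_files(log)}
    return [p for p in script.get("Collect", []) if p.lower() not in deleted]


if __name__ == "__main__":
    script, log = parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG)
    print("services removed:", removed_services(log))
    print("unconfirmed Collect:: entries:", unconfirmed_collect(script, log))
    print("hidden+system files created:", [e["path"] for e in recently_created(log) if e["hidden_system"]])
```

Run it against a real ComboFix.txt by replacing the constructed strings with the file contents; an empty `unconfirmed_collect` result means every file the script asked ComboFix to collect shows up as deleted, and the `hidden_system` flag surfaces entries like the `---hs----` file above that an analyst would want to look at next.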
Old 09-21-2007, 12:36 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2007
Posts: 9
OS: XP


Re: Pop-ups galore! HJT log included

Hey. Sorry about being late responding, it's been a busy few days. Here is the ComboFix log:

ComboFix 07-09-14.2 - "Adam" 2007-09-21 14:57:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.445 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\amshjcun.exe
C:\WINDOWS\system32\chnaeoiu.exe
C:\WINDOWS\system32\drvfefr.dll
C:\WINDOWS\system32\drvvaf.dll
C:\WINDOWS\system32\drvvafr.dll
C:\WINDOWS\system32\fqpdwgim.ini
C:\WINDOWS\system32\migwdpqf.dll
C:\WINDOWS\system32\uigkgjbj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-21 to 2007-09-21 )))))))))))))))))))))))))))))))
.

2007-09-18 20:33 1,311,259 ---hs---- C:\WINDOWS\system32\edeeg.bak2
2007-09-16 19:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-16 18:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-27 01:42 195,096 --a------ C:\WINDOWS\system32\lvci1110.dll
2007-08-27 01:41 <DIR> d-------- C:\DOCUME~1\A