Tech Support Forum > Security Center > HijackThis Log Help

Old 06-25-2008, 06:07 PM   #1
Registered User | Join Date: Jun 2008 | Posts: 10 | OS: XP

Malware 2008 / Antivirus XP 2008 HELP PLEASE!!!!

I am in need of some MAJOR help.... this is my daughter's computer and is majorly infected....


ComboFix 08-06-20.4 - Cat 2008-06-25 19:49:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.482 [GMT -4:00]
Running from: C:\Documents and Settings\Cat\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Documents and Settings\b\Favorites\Online Security Test.url
C:\Documents and Settings\Cat\Application Data\AXPDefender
C:\Documents and Settings\Cat\Application Data\macromedia\Flash Player\#SharedObjects\7RM62B86\www.broadcaster.com
C:\Documents and Settings\Cat\Application Data\macromedia\Flash Player\#SharedObjects\7RM62B86\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Cat\Application Data\macromedia\Flash Player\#SharedObjects\7RM62B86\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Cat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Cat\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Cat\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Cat\Application Data\rhc5ojj0eg9l
C:\Documents and Settings\Cat\Application Data\shc7ojj0eg9l
C:\Documents and Settings\Guest\Application Data\Install.dat
C:\Program Files\shc7ojj0eg9l
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\system32\blphc1ojj0eg9l.scr
C:\WINDOWS\system32\llkkj.bak1
C:\WINDOWS\system32\llkkj.ini
C:\WINDOWS\system32\lphc1ojj0eg9l.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\phc1ojj0eg9l.bmp
C:\WINDOWS\system32\pphc1ojj0eg9l.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 15:22 . 2008-06-25 19:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-25 15:22 . 2008-06-25 15:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 12:44 . 2008-06-25 13:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 01:09 . 2008-06-25 01:09 <DIR> d-------- C:\Program Files\Panda Security
2008-06-25 00:27 . 2008-06-25 00:27 2,002 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 16:09 . 2008-06-24 16:09 2,031,832 --a------ C:\WINDOWS\system321lkdoiuekrewr.bin
2008-06-23 04:45 . 2008-06-23 04:44 23,040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-06-23 04:45 . 2008-06-25 19:34 15,328 --a------ C:\WINDOWS\system32\sysrest.sys
2008-06-11 06:38 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:38 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 23:33 --------- d-----w C:\Documents and Settings\Cat\Application Data\OpenOffice.org2
2008-06-20 07:05 --------- d-----w C:\Documents and Settings\Cat\Application Data\uTorrent
2008-05-10 07:28 --------- d-----w C:\Program Files\Plaxo
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2006-03-04 23:09 56 --sh--r C:\WINDOWS\system32\2DF59B81CF.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2006-05-15 21:40 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe

----a-w 81,920 2005-06-10 16:44:02 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 180,269 2005-12-30 05:59:55 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 102,400 2004-12-02 22:23:34 C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe

----a-w 57,344 2005-02-15 20:10:16 C:\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe

----a-w 1,159,168 2005-02-23 17:08:50 C:\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe

----a-w 16,384 2007-11-15 14:24:00 C:\Program Files\Dell Support Center\gs_agent\custom\bak\dsca.exe

----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 257,088 2007-03-14 23:05:48 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2008-02-19 17:10:32 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 132,760 2007-06-14 22:32:40 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 57,344 2003-08-19 10:43:46 C:\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe

----a-w 227,914 2007-12-11 22:21:12 C:\Program Files\Plaxo\2.13.1.3\bak\PlaxoHelper.exe

----a-w 282,624 2007-02-16 14:54:04 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 385,024 2008-02-01 03:13:08 C:\Program Files\QuickTime\QTTask.exe

----a-w 48 2008-03-21 14:10:11 C:\Program Files\Trend Micro\Internet Security 12\bak\pc-cillin.ini
----a-w 2,817 2008-06-25 23:54:20 C:\Program Files\Trend Micro\Internet Security 12\pc-cillin.ini

----a-w 823,362 2005-08-30 22:30:26 C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe

----a-w 176,201 2006-04-12 00:39:22 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe

----a-w 57,401 2004-07-14 17:28:56 C:\WINDOWS\bak\ssdiag.exe

----a-w 90,112 2000-05-11 05:00:00 C:\WINDOWS\bak\UpdReg.EXE

----a-w 67,584 2005-09-29 20:01:14 C:\WINDOWS\ehome\bak\ehtray.exe

----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 11:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-07-20 0512 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 114,688 2005-07-20 05:10:06 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 94,208 2005-07-20 05:09:26 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 127,035 2004-12-06 07:05:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [ ]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [ ]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBMon"="CTMBHA.DLL" [2005-05-19 18:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SMrhc5ojj0eg9l"="C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe" [ ]
"SMshc7ojj0eg9l"="C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe" [ ]

C:\Documents and Settings\Cat\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2005-12-31 03:03:05 634880]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-13 12:56:45 24576]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2005-12-28 01:38:46 459264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipspnp]
ipspnp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sysrest32.exe"=

R1 npapimon;npapimon;C:\WINDOWS\system32\drivers\npapimon.sys [2004-07-14 13:29]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-07-14 20:32]
R1 ssdiagn;ssdiagn;C:\WINDOWS\system32\drivers\ssdiagn.sys [2004-07-14 13:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 09:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 01:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysrest.sys]
"ImagePath"="\??\C:\WINDOWS\system32\sysrest.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Cat\LOCALS~1\temp\clclean.0001
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2008-06-25 19:57:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 23:57:56

Pre-Run: 25,174,917,120 bytes free
Post-Run: 25,223,843,840 bytes free

233 --- E O F --- 2008-06-20 07:01:19
9ballwizzz is offline  
Old 06-25-2008, 06:25 PM   #2
Registered User | Join Date: Jun 2008 | Posts: 10 | OS: XP

Re: Malware 2008 / Antivirus XP 2008 HELP PLEASE!!!!

Deckard's System Scanner v20071014.68
Run by Cat on 2008-06-25 20:23:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-25 20:23:58
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Cat\LOCALS~1\Temp\clclean.0001
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Cat\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Program Files\vmntoolbar\vmntoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\Program Files\vmntoolbar\vmntoolbar.dll
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMrhc5ojj0eg9l] C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe
O4 - HKLM\..\Run: [SMshc7ojj0eg9l] C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Digimax Viewer 2.1.lnk = C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136683721640
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O20 - Winlogon Notify: ipspnp - C:\WINDOWS\system32\ipspnp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 12\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security 12\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 12\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security 12\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 8725 bytes

-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-25 20:03:02 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-06-25 20:03:02 0 d-------- C:\Program Files\SpywareBlaster
2008-06-25 19:48:33 68096 --a------ C:\WINDOWS\zip.exe
2008-06-25 19:48:33 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-25 19:48:33 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-25 19:48:33 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-25 19:48:33 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-25 19:48:33 98816 --a------ C:\WINDOWS\sed.exe
2008-06-25 19:48:33 80412 --a------ C:\WINDOWS\grep.exe
2008-06-25 19:48:33 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-25 12:44:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 01:09:06 0 d-------- C:\Program Files\Panda Security
2008-06-25 00:27:42 2002 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-24 16:09:47 2031832 --a------ C:\WINDOWS\system321lkdoiuekrewr.bin
2008-06-23 04:45:10 23040 --a------ C:\WINDOWS\system32\sysrest32.exe
2008-06-23 04:45:10 15328 --a------ C:\WINDOWS\system32\sysrest.sys


-- Find3M Report ---------------------------------------------------------------

2008-06-25 19:55:00 0 d-------- C:\Documents and Settings\Cat\Application Data\OpenOffice.org2
2008-06-18 12:58:27 0 d-------- C:\Documents and Settings\Cat\Application Data\Adobe
2008-05-10 03:28:59 0 d-------- C:\Program Files\Plaxo
2008-05-03 19:48:54 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MBMon"="CTMBHA.DLL" [05/19/2005 06:54 PM C:\WINDOWS\system32\CTMBHA.DLL]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"SMrhc5ojj0eg9l"="C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe" []
"SMshc7ojj0eg9l"="C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [12/22/2004 07:40 PM C:\WINDOWS\MIDIDEF.EXE]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" []
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 07:00 AM]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []

C:\Documents and Settings\Cat\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [8/17/2007 10:57:56 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 7:16:50 PM]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [12/31/2005 3:03:05 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [12/13/2005 12:56:45 PM]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [12/28/2005 1:38:46 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ipspnp]
ipspnp.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-06-25 20:24:13 ------------
9ballwizzz is offline  
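The two logs above, the ComboFix Run entries in post #1 and the HijackThis-format section in post #2, show the same tells an analyst looks for by eye: folder and executable names such as rhc5ojj0eg9l that look machine-generated, autostart entries whose target is not on disk, and a Winlogon Notify DLL. The following Python script is an added example written for this page; it is not code from the thread, from HijackThis, from DSS or from ComboFix. It parses HijackThis-style entry lines (the sample lines are copied from the log in post #2, with the Adobe, iTunes, ctfmon and Bonjour lines kept as known-good controls) and flags those three conditions. The random-name heuristic and its thresholds are assumptions, not published signatures.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; not code from the forum, HijackThis, DSS or
ComboFix.  Three heuristics an analyst applies by eye to the logs above:
  1. machine-generated-looking names (rhc5ojj0eg9l) in an autostart path,
  2. autostart entries whose target file is not on disk,
  3. any Winlogon Notify DLL (loaded into winlogon.exe at logon).
Thresholds in looks_random() are assumptions, not published signatures.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Finding(NamedTuple):
    severity: str  # "high" or "low"
    reason: str
    line: str


# Sample input copied from the HijackThis section of the DSS log in post #2.
# The Adobe, iTunes, ctfmon and Bonjour lines are known-good controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SMrhc5ojj0eg9l] C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe
O4 - HKLM\..\Run: [SMshc7ojj0eg9l] C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ipspnp - C:\WINDOWS\system32\ipspnp.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# First Windows path on the line, up to a PE/script extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|ocx|cpl|bat|cmd)\b", re.IGNORECASE)
# HijackThis entry lines start with a section tag such as "O4 - " or "R1 - ".
ENTRY_RE = re.compile(r"[OR]\d+ - ")
VOWELS = set("aeiou")


def looks_random(component: str) -> bool:
    """True for names with digits *between* letters and few vowels.

    Catches rhc5ojj0eg9l; leaves PROGRA~1, system32, jre1.6.0_02 alone
    (their digits sit at the end or next to punctuation).  Assumed thresholds.
    """
    stem = component.rsplit(".", 1)[0].lower()
    if len(stem) < 8 or not re.search(r"[a-z]\d+[a-z]", stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) < 0.3


def triage_line(line: str) -> list[Finding]:
    """Apply the three heuristics to one HijackThis entry line."""
    tag = line.split(" - ", 1)[0]
    found: list[Finding] = []
    if tag == "O20":
        found.append(Finding("high", "Winlogon Notify DLL runs inside winlogon.exe at every "
                             "logon; confirm it belongs to installed software", line))
    if "(file missing)" in line:
        # An orphaned BHO is clutter; an orphaned Run/Notify entry may be a
        # file the scanner cannot see, so it rates higher.
        found.append(Finding("high" if tag in ("O4", "O20") else "low",
                             "entry points at a file that is not on disk", line))
    match = PATH_RE.search(line)
    if match:
        for component in match.group(0).split("\\")[1:]:  # skip the drive letter
            if looks_random(component):
                found.append(Finding("high", f"machine-generated-looking name "
                                     f"{component!r} in autostart path", line))
                break
    return found


def triage(log_text: str) -> list[Finding]:
    """Run every HijackThis entry line (O2, O4, O20, ...) through triage_line()."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it as a script to print the findings for the embedded sample, or import it and pass a saved HijackThis or DSS log to triage(). It deliberately covers only the three conditions above: the ComboFix log in post #1 also shows Security Center monitoring of the Trend Micro products switched off and the Windows Firewall disabled, which this script does not parse, so treat its output as the starting point for the manual review the analysts here perform, not as a verdict.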
Old 06-28-2008, 05:13 PM   #3
Registered User | Join Date: Jun 2008 | Posts: 10 | OS: XP

Re: Malware 2008 / Antivirus XP 2008 HELP PLEASE!!!!

Bumppp
9ballwizzz is offline  
Old 06-29-2008, 08:29 AM   #4
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 19,747 | OS: WinXP and Vista

Re: Malware 2008 / Antivirus XP 2008 HELP PLEASE!!!!

Hello 9ballwizzz,

As the ComboFix Disclaimer clearly states, you should not have run ComboFix without being advised to, nor without being under supervision.

Delete your existing ComboFix.exe

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

1. Download SDFix and save it to your Desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Do not run it yet.


2. Download ComboFix.exe from here and save it directly to your desktop.

Do not run it yet.

------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console on your machine before doing any malware removal.

The Windows recovery console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System




Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



  • At the next prompt, click 'NO' to exit ComboFix for now.

--------------------------------------------------------------------

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.
  • Press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.

--------------------------------------------------------------------

From Normal Mode...


Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/secu...ml#post1561866

Collect::
C:\WINDOWS\system321lkdoiuekrewr.bin

File::
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\sysrest.sys

AWF::
C:\Program Files\Trend Micro\Internet Security 12\bak\pc-cillin.ini

Folder::
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\SBAudigy\Surround Mixer\bak
C:\Program Files\Creative\VoiceCenter\bak
C:\Program Files\Dell Support Center\gs_agent\custom\bak
C:\Program Files\DellSupport\bak
C:\Program Files\iTunes\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\Lexmark X1100 Series\bak
C:\Program Files\Plaxo\2.13.1.3\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\dla\bak

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.




Referring to the picture above, drag CFScript into ComboFix.exe.


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried : 06-29-2008 at 08:33 AM.
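The SDFix report asked for above lists the trojan files it deleted and also exports the Windows Firewall AuthorizedApplications keys, and a piece of malware that adds itself to that exception list leaves an entry behind after the file is gone. As an added example that is not part of this thread or of SDFix, here is a small Python helper that cross-checks the two sections of a Report.txt; the sample report is constructed from the format shown in the reply that follows, and all function names are my own.

```python
"""Cross-check Windows Firewall exceptions against the files SDFix removed.

Hypothetical helper, not part of SDFix, ComboFix or this thread. It reads the
"Trojan Files Found" and "Authorized Application Key Export" sections of an
SDFix Report.txt and flags firewall exceptions pointing at a deleted file: the
malware had opened the firewall for itself, and that entry still needs to go.
"""
from __future__ import annotations
import re

# Constructed sample modelled on the SDFix report format shown in this thread.
SAMPLE_REPORT = r"""SDFix: Version 1.199

Trojan Files Found:

C:\WINDOWS\system32\sysrest32.exe - Deleted
C:\WINDOWS\system32\sysrest.sys - Deleted

Removing Temp Files

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :
"""

# Key header: the firewall profile name sits between firewallpolicy and authorizedapplications.
KEY_RE = re.compile(r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
# A .reg value line, "name"="data".
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# Exception data is path:scope:status:display-name; the path starts with a drive letter (C:) or %windir%.
VALUE_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:|%[^%]+%)[^:]*):(?P<scope>[^:]*):(?P<status>[^:]*):(?P<name>.*)$")
TROJAN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+-\s+(?P<action>\w+)$")  # "C:\x\y.exe - Deleted"


def _section(text: str, header: str) -> list[str]:
    """Non-blank lines between `header` and the next header (a line ending in ':' or ' :')."""
    norm = lambda s: re.sub(r"\s*:$", ":", s).lower()
    out: list[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        # Key, value and path lines never end in ':', so this only fires on section headers.
        is_header = line.endswith(":") and not line.startswith(('"', "["))
        if inside and is_header:
            break
        if inside and line:
            out.append(line)
        elif is_header and norm(line) == norm(header):
            inside = True
    return out


def normalize_path(path: str, windir: str = r"C:\WINDOWS") -> str:
    """Undo .reg backslash doubling, expand %windir% and casefold so paths compare equal."""
    path = re.sub(r"%windir%", lambda _: windir, path.replace("\\\\", "\\"), flags=re.I)
    return path.casefold()


def parse_trojan_files(text: str) -> dict[str, str]:
    """Map each path listed under 'Trojan Files Found' to the action SDFix took."""
    matches = (TROJAN_RE.match(line) for line in _section(text, "Trojan Files Found:"))
    return {normalize_path(m.group("path")): m.group("action") for m in matches if m}


def parse_firewall_exceptions(text: str) -> list[dict[str, str]]:
    """Flatten the exported AuthorizedApplications keys into one record per program."""
    entries: list[dict[str, str]] = []
    profile = ""
    for line in _section(text, "Authorized Application Key Export:"):
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        value = VALUE_RE.match(entry.group("value")) if entry else None
        if value:
            entries.append({"profile": profile, "path": normalize_path(value.group("path")),
                            "scope": value.group("scope"), "status": value.group("status").lower(),
                            "name": value.group("name")})
    return entries


def find_malicious_exceptions(text: str) -> list[dict[str, str]]:
    """Firewall exceptions whose program is one of the files SDFix removed."""
    removed = parse_trojan_files(text)
    return [dict(e, action=removed[e["path"]])
            for e in parse_firewall_exceptions(text) if e["path"] in removed]


if __name__ == "__main__":
    for hit in find_malicious_exceptions(SAMPLE_REPORT):
        print(f"[{hit['profile']}] {hit['path']} ({hit['name']}, {hit['status']}): file {hit['action']} by SDFix")
```

Run against the sample it reports only the sysrest32.exe exception in the standard profile; feed it a real Report.txt to check whether the cleanup left a hole in the firewall.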
Old 07-01-2008, 10:05 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 10
OS: XP


Re: Malware 2008 / Antivirus XP 2008 HELP PLEASE!!!!

Hey Ried....

First off I would like to apologize for jumping the gun and doing things not in the order that they were supposed to be done in....

Here are the reports that you require:


SDFix: Version 1.199
Run by Cat on Tue 07/01/2008 at 04:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\sysrest32.exe - Deleted
C:\WINDOWS\system32\sysrest.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

disk not found C:\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\sysrest32.exe"="C:\\WINDOWS\\system32\\sysrest32.exe:*:Enabled:enable"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 24 Feb 2008 0 ..SH. --- "C:\WINDOWS\S62793EB7.tmp"
Sat 4 Mar 2006 56 ..SHR --- "C:\WINDOWS\system32\2DF59B81CF.sys"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Mon 15 May 2006 4,704 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Wed 22 Aug 2007 224 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti670.tmp"
Sun 23 Jul 2006 224 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti6C.tmp"
Sat 3 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Cat\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Cat\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sun 8 Apr 2007 8 A..H. --- "C:\Documents and Settings\Cat\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sun 15 Apr 2007 8 A..H. --- "C:\Documents and Settings\Cat\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!


ComboFix 08-06-30.2 - Cat 2008-07-01 16:37:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.491 [GMT -4:00]
Running from: C:\Documents and Settings\Cat\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Cat\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 16:08 . 2008-07-01 16:08 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-01 15:49 . 2008-07-01 16:22 <DIR> d-------- C:\SDFix
2008-06-25 20:11 . 2008-06-25 20:11 <DIR> d-------- C:\Deckard
2008-06-25 20:03 . 2008-06-25 20:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-25 20:03 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-06-25 15:22 . 2008-07-01 16:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-25 15:22 . 2008-06-25 15:22 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-25 12:44 . 2008-06-25 13:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-25 01:09 . 2008-06-25 01:09 <DIR> d-------- C:\Program Files\Panda Security
2008-06-25 00:27 . 2008-06-25 00:27 2,002 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-11 06:38 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 06:38 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 20:29 --------- d-----w C:\Program Files\QuickTime
2008-07-01 20:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-07-01 20:29 --------- d-----w C:\Program Files\iTunes
2008-07-01 20:29 --------- d-----w C:\Program Files\DellSupport
2008-07-01 20:29 --------- d-----w C:\Program Files\Common Files\Real
2008-07-01 20:23 --------- d-----w C:\Documents and Settings\Cat\Application Data\OpenOffice.org2
2008-05-10 07:28 --------- d-----w C:\Program Files\Plaxo
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-24 02:16 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-03-04 23:09 56 --sh--r C:\WINDOWS\system32\2DF59B81CF.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2006-05-15 21:40 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_19.57.08.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 23:53:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 20:18:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-01 20:08:53 16,060,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-01 20:08:53 200,704 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-01 07:23:42 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-01 20:08:37 16,060,416 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-01 20:08:37 200,704 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 823,362 2005-08-30 22:30:26 C:\Program Files\Trend Micro\Internet Security 12\bak\pccguide.exe

----a-w 176,201 2006-04-12 00:39:22 C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\bak\TMAS_OEMon.exe

----a-w 39,792 2007-10-11 00:51:56 C:\QooBox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe.vir

----a-w 81,920 2005-06-10 16:44:02 C:\QooBox\Quarantine\C\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe.vir

----a-w 180,269 2005-12-30 05:59:55 C:\QooBox\Quarantine\C\Program Files\Common Files\Real\Update_OB\bak\realsched.exe.vir

----a-w 102,400 2004-12-02 22:23:34 C:\QooBox\Quarantine\C\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe.vir

----a-w 57,344 2005-02-15 20:10:16 C:\QooBox\Quarantine\C\Program Files\Creative\SBAudigy\Surround Mixer\bak\CTSysVol.exe.vir

----a-w 1,159,168 2005-02-23 17:08:50 C:\QooBox\Quarantine\C\Program Files\Creative\VoiceCenter\bak\AndreaVC.exe.vir

----a-w 16,384 2007-11-15 14:24:00 C:\QooBox\Quarantine\C\Program Files\Dell Support Center\gs_agent\custom\bak\dsca.exe.vir

----a-w 460,784 2007-03-15 15:09:36 C:\QooBox\Quarantine\C\Program Files\DellSupport\bak\DSAgnt.exe.vir

----a-w 257,088 2007-03-14 23:05:48 C:\QooBox\Quarantine\C\Program Files\iTunes\bak\iTunesHelper.exe.vir

----a-w 132,760 2007-06-14 22:32:40 C:\QooBox\Quarantine\C\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe.vir

----a-w 57,344 2003-08-19 10:43:46 C:\QooBox\Quarantine\C\Program Files\Lexmark X1100 Series\bak\lxbkbmgr.exe.vir

----a-w 227,914 2007-12-11 22:21:12 C:\QooBox\Quarantine\C\Program Files\Plaxo\2.13.1.3\bak\PlaxoHelper.exe.vir

----a-w 282,624 2007-02-16 14:54:04 C:\QooBox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir

----a-w 57,401 2004-07-14 17:28:56 C:\QooBox\Quarantine\C\WINDOWS\bak\ssdiag.exe.vir

----a-w 90,112 2000-05-11 05:00:00 C:\QooBox\Quarantine\C\WINDOWS\bak\UpdReg.EXE.vir

----a-w 67,584 2005-09-29 20:01:14 C:\QooBox\Quarantine\C\WINDOWS\ehome\bak\ehtray.exe.vir

----a-w 15,360 2004-08-10 11:00:00 C:\QooBox\Quarantine\C\WINDOWS\system32\bak\ctfmon.exe.vir

----a-w 77,824 2005-07-20 0512 C:\QooBox\Quarantine\C\WINDOWS\system32\bak\hkcmd.exe.vir

----a-w 114,688 2005-07-20 05:10:06 C:\QooBox\Quarantine\C\WINDOWS\system32\bak\igfxpers.exe.vir

----a-w 94,208 2005-07-20 05:09:26 C:\QooBox\Quarantine\C\WINDOWS\system32\bak\igfxtray.exe.vir

----a-w 127,035 2004-12-06 07:05:00 C:\QooBox\Quarantine\C\WINDOWS\system32\dla\bak\tfswctrl.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [N/A]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [N/A]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [N/A]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [N/A]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [N/A]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SMrhc5ojj0eg9l"="C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe" [N/A]
"SMshc7ojj0eg9l"="C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe" [N/A]
"MBMon"="CTMBHA.DLL" [2005-05-19 18:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]

C:\Documents and Settings\Cat\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2005-12-31 03:03:05 634880]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-13 12:56:45 24576]
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe [2005-12-28 01:38:46 459264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\FrostWire\\FrostWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 npapimon;npapimon;C:\WINDOWS\system32\drivers\npapimon.sys [2004-07-14 13:29]
R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-07-14 20:32]
R1 ssdiagn;ssdiagn;C:\WINDOWS\system32\drivers\ssdiagn.sys [2004-07-14 13:28]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 09:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PCANDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-07-01 01:48:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2008-07-01 16:41:25
ComboFix-quarantined-files.txt 2008-07-01 20:41:23
ComboFix2.txt 2008-07-01 20:32:17
ComboFix3.txt 2008-06-25 23:58:00

Pre-Run: 25,002,823,680 bytes free
Post-Run: 24,991,191,040 bytes free

188 --- E O F --- 2008-06-20 07:01:19


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 01, 2008 11:52:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/07/2008
Kaspersky Anti-Virus database records: 903012
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 119165
Number of viruses found: 22
Number of infected objects: 59
Number of suspicious objects: 0
Duration of the scan process: 01:27:42

Infected Object Name / Virus Name / Last Action
C:\b80815917beeff43ac\update\update.exe Object is locked skipped
C:\b80815917beeff43ac\update\updspapi.dll Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\arr3.jar-53b20017-1ce68b64.zip.bac_a03744/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\arr3.jar-53b20017-1ce68b64.zip.bac_a03744/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\arr3.jar-53b20017-1ce68b64.zip.bac_a03744/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\arr3.jar-53b20017-1ce68b64.zip.bac_a03744 ZIP: infected - 3 skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\arr3.jar-53b20017-1ce68b64.zip.bac_a03744 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\count.jar-5ceda26e-601c230b.zip.bac_a03744/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\count.jar-5ceda26e-601c230b.zip.bac_a03744/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\count.jar-5ceda26e-601c230b.zip.bac_a03744/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\count.jar-5ceda26e-601c230b.zip.bac_a03744 ZIP: infected - 3 skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\count.jar-5ceda26e-601c230b.zip.bac_a03744 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\jkkjh.dll.bac_a03744 Infected: Trojan-Downloader.Win32.ConHook.ab skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\qlogktqq.exe.bac_a03744 Infected: Trojan-Downloader.Win32.Small.cpg skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\tmp14D.tmp.bac_a03744 Infected: not-virus:Hoax.Win32.Renos.dp skipped
C:\Documents and Settings\Cat\.housecall\Quarantine\viruxz.dll.bac_a03744 Infected: not-virus:Hoax.Win32.Renos.dp skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-50ca7bc4/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-50ca7bc4 ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\38\5e1889e6-31cd4416/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\38\5e1889e6-31cd4416/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\38\5e1889e6-31cd4416/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\38\5e1889e6-31cd4416/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\38\5e1889e6-31cd4416 ZIP: infected - 4 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-574adf35/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-574adf35 ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-3df15a98/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-3df15a98 ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-68bfcdaa/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-68bfcdaa ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\57\3da0bb79-34641aba/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\57\3da0bb79-34641aba/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\57\3da0bb79-34641aba/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\6.0\57\3da0bb79-34641aba ZIP: infected - 3 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-185f95b3.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-185f95b3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-1aef9392.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-1aef9392.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2fdf5686.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-2fdf5686.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-25f7f891.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-25f7f891.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cat\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cat\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Cat\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Cat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temp\hsperfdata_Cat\3920 Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temp\~DF372F.tmp Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temp\~DF373A.tmp Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temp\~DFB510.tmp Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temp\~DFB51B.tmp Object is locked skipped
C:\Documents and Settings\Cat\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cat\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cat\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13.tmp Infected: EICAR-Test-File skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14.tmp Infected: EICAR-Test-File skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\30.tmp Infected: Trojan-Clicker.HTML.IFrame.fp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\32.tmp Infected: Trojan-Clicker.HTML.IFrame.fp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\618.tmp Infected: Trojan-Clicker.HTML.IFrame.fp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\B2.tmp Infected: Trojan-Clicker.HTML.IFrame.fp skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\C.tmp Infected: EICAR-Test-File skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CF.tmp Infected: Exploit.Multi.Qtp.b skipped
C:\Program Files\vmntoolbar\vmntoolbar.dll Infected: not-a-virus:AdWare.Win32.BHO.ajt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lphc1ojj0eg9l.exe.vir Infected: Trojan.Win32.Pakes.dfs skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pphc1ojj0eg9l.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d skipped
C:\QooBox\Quarantine\C\WINDOWS\system321lkdoiuekrewr.bin.vir/stream/data0007 Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system321lkdoiuekrewr.bin.vir/stream Infected: not-a-virus:FraudTool.Win32.AdvancedXPFixer.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system321lkdoiuekrewr.bin.vir NSIS: infected - 2 skipped
C:\SDFix\backups\backups.zip/backups/sysrest.sys Infected: Email-Worm.Win32.Zhelatin.vl skipped
C:\SDFix\backups\backups.zip/backups/sysrest32.exe Infected: Trojan.Win32.Pakes.czg skipped
C:\SDFix\backups\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{606F19FC-2A1F-470D-8A53-6E5DB1B21359}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D03EA27F-4286-409A-8195-52D4546F2E93}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Deckard's System Scanner v20071014.68
Run by Cat on 2008-07-01 23:56:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Cat.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:22 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cat\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Cat.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMrhc5ojj0eg9l] C:\Program Files\rhc5ojj0eg9l\rhc5ojj0eg9l.exe
O4 - HKLM\..\Run: [SMshc7ojj0eg9l] C:\Program Files\shc7ojj0eg9l\shc7ojj0eg9l.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [SetDefaultMIDI] MIDIDef.exe (User '?')
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (User '?')
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB (User '?')
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User '?')
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1252542235-2180964211-3798684835-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus...an_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136683721640
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceServi