Tech Support Forum, Security Center: HijackThis Log Help, Resolved HJT Threads (resolved spyware and popup issues)

06-27-2008, 01:46 PM   #1
Stan_22, Registered User
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Active Pop-ups, Internet Explorer random closing and Sounds

Hello Tech Support, hopefully I have followed the "5 steps before posting a log" instructions correctly.

Roughly 4 days ago my computer started acting strange: running slow, pop-ups would appear, Internet Explorer would close on me without an error message, or the computer would sometimes start making strange Windows sounds. When looking through the msconfig start-up items I noticed a weird sequence of numbers and letters (2c449ffc-81e4-99ab-1cf4-20a6203e3ffc) with the command C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\ {2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}". I followed the path and deleted the code, but not the Rundll32.exe, yet it still keeps occurring. I believe it was something called adsonmedia.

I started following the 5 steps before posting a log, and as I was removing all the programs I didn't use or felt were cracked, I saw that my free space was not returning but staying the same.

After installing SpyWareBlaster & ZonedOut I noticed the pop-ups are still continuing, but they come up as Restricted Sites and just display HTTP 404 Not Found.

After running Deckard's Scan the main.txt came up but the extra did not, but I did attach ActiveScan.txt. If anyone can help I would be grateful.


Deckard's System Scanner v20071014.68
Run by Windows User on 2008-06-27 16:28:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Windows User.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29, on 2008-06-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Adobe\Director\SwDnld.exe
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\setup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Windows User\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\WINDOW~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5594 bytes

-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 15:13:52 35842 --a------ C:\WINDOWS\system32\VW3y11hg.exe
2008-06-27 15:03:06 0 d-------- C:\Documents and Settings\Windows User\Application Data\Macromedia
2008-06-27 15:03:06 0 d-------- C:\Documents and Settings\Windows User\Application Data\Adobe
2008-06-27 15:02:59 0 d-------- C:\WINDOWS\LastGood
2008-06-27 11:30:40 0 d-------- C:\Program Files\Panda Security
2008-06-27 02:11:24 0 d-------- C:\Program Files\ZonedOut
2008-06-27 02:02:19 0 d-------- C:\Program Files\SpywareBlaster
2008-06-27 01:10:21 68096 --a------ C:\WINDOWS\zip.exe
2008-06-27 01:10:21 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-27 01:10:21 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-27 01:10:21 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-27 01:10:21 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-27 01:10:21 98816 --a------ C:\WINDOWS\sed.exe
2008-06-27 01:10:21 80412 --a------ C:\WINDOWS\grep.exe
2008-06-27 01:10:21 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-26 23:34:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-26 23:34:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-26 19:39:19 0 d-------- C:\Program Files\Trend Micro
2008-06-26 08:36:40 0 d-------- C:\Program Files\Lavasoft
2008-06-26 08:36:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:28:56 0 d-------- C:\WINDOWS\Prefetch
2008-06-25 14:09:03 0 d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09:00 0 d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08:59 0 d-------- C:\WINDOWS\system32\en
2008-06-25 14:08:59 0 d-------- C:\WINDOWS\system32\bits
2008-06-23 21:20:41 0 d-------- C:\Documents and Settings\NetworkService\My Documents
2008-06-22 22:01:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2008-06-22 22:00:28 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-06-22 22:00:15 0 d---s---- C:\Documents and Settings\NetworkService\Favorites
2008-06-22 21:14:44 20480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-21 19:16:41 29760 --a------ C:\WINDOWS\system32\XJXAg3nw.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-27 02:00:49 0 d-------- C:\Program Files\Common Files
2008-06-27 00:40:46 0 d-------- C:\Program Files\Macromedia
2008-06-27 00:40:46 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-27 00:38:58 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-25 14:10:07 0 d-------- C:\Program Files\Messenger
2008-06-25 14:08:58 0 d-------- C:\Program Files\Movie Maker
2008-06-25 14:02:05 0 d-------- C:\Program Files\Windows NT
2008-06-23 18:05:01 0 d-------- C:\Program Files\Java
2008-05-25 18:59:51 0 d-------- C:\Program Files\CeRegEditor
2008-05-18 14:27:20 0 d-------- C:\Program Files\TotalImageConverter
2008-05-17 00:56:10 0 d-------- C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-04-29 22:17:06 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-29 10:36:31 0 d-------- C:\Program Files\Apple Software Update
2008-03-29 00:01:16 2528 --a----c- C:\Documents and Settings\Windows User\Application Data\$_hpcst$.hpc


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\RS3u11dc.dll [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
"C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cingular Communication Manager]
"C:\Program Files\Cingular\Communication Manager\CingularCCM.exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
regsvr32 /s mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
"C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6f2dd6f7-4270-64cf-b28a-158cfc4a21af}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll" DllStart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-06-27 16:33:37 ------------
Attached Files
File Type: txt ActiveScan.txt (20.4 KB, 1 views)
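The indicators in the logs posted in this thread (the 8-character mixed-case binaries VW3y11hg.exe and XJXAg3nw.exe in system32, the msconfig startupreg entry that has rundll32 load a GUID-named DLL, setup.exe running from a Temp folder, the hijacked IE start page and, in the ComboFix listing further down, the At<N>.job scheduled tasks that launch those binaries every hour) can be picked out of such a log automatically. The script below is an added example, not part of the thread and not code from HijackThis, Deckard's System Scanner or ComboFix; its regexes, category names and thresholds are my own heuristics, and SAMPLE_LOG is a constructed excerpt of lines taken from the logs above.

```python
import re
from collections import Counter

# Added triage helper; the patterns and categories are assumptions of this example.

# 8-character names mixing upper case, lower case and digits (VW3y11hg.exe, XJXAg3nw.exe)
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}\.(?:exe|dll)$")
# Any drive-letter path ending in .exe or .dll, spaces allowed (Program Files)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)
# rundll32 loading a DLL whose file name is a bare GUID
GUID_DLL_VIA_RUNDLL32 = re.compile(
    r"rundll32\.exe\b.*\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.dll",
    re.IGNORECASE)
# HijackThis R0/R1 lines: "... = http://..."
IE_URL_LINE = re.compile(r"^R[01] - .*=\s*(?P<url>https?://\S+)$")
# ComboFix 'Scheduled Tasks' entry: "<date> <time> C:\WINDOWS\Tasks\<name>.job"
TASK_LINE = re.compile(r'^"\S+ \S+ (?P<path>[^"]*\\Tasks\\(?P<name>[^"\\]+\.job))"$')

# Constructed sample: lines copied from the logs posted in this thread
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\setup.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6f2dd6f7-4270-64cf-b28a-158cfc4a21af}]
C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll" DllStart

Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 04:39:10 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 04:41:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_random_name(path):
    return RANDOM_NAME.match(basename(path)) is not None


def is_temp_exec(path):
    return "\\temp\\" in path.lower()


def is_at_job(job_name):
    # at.exe names the jobs it creates At<N>.job; the Task Scheduler GUI never does
    stem = job_name[:-4] if job_name.lower().endswith(".job") else job_name
    return stem[:2].lower() == "at" and stem[2:].isdigit()


def is_foreign_start_page(url):
    host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
    return not (host == "microsoft.com" or host.endswith(".microsoft.com"))


def triage(log_text):
    """Walk the log once and bucket suspicious lines by the pattern they match."""
    findings = {"random_name": [], "temp_exec": [], "rundll32_guid_dll": [],
                "scheduled_task": [], "start_page": []}
    pending_job = None  # name of the .job whose "- <target>" line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            pending_job = None
            continue
        m = TASK_LINE.match(line)
        if m:
            pending_job = m.group("name")
            continue
        if pending_job is not None and line.startswith("- "):
            target = line[2:].strip()
            if is_at_job(pending_job) or is_random_name(target):
                findings["scheduled_task"].append((pending_job, target))
            pending_job = None
            continue
        pending_job = None
        m = IE_URL_LINE.match(line)
        if m and is_foreign_start_page(m.group("url")):
            findings["start_page"].append(m.group("url"))
            continue
        if GUID_DLL_VIA_RUNDLL32.search(line):
            findings["rundll32_guid_dll"].append(line)
            continue
        for path in WIN_PATH.findall(line):
            if is_random_name(path):
                findings["random_name"].append(path)
            elif is_temp_exec(path):
                findings["temp_exec"].append(path)
    return findings


def task_targets(findings):
    """How many flagged jobs point at each binary (the hourly At<N>.job pattern)."""
    return Counter(basename(target) for _, target in findings["scheduled_task"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, items in result.items():
        print(category)
        for item in items:
            print("   ", item)
    print("jobs per binary:", dict(task_targets(result)))
```

A hit in any category is a lead to confirm against file timestamps and a scan result, not a verdict on its own: legitimate software occasionally ships short random-looking file names, and a non-Microsoft start page is only suspicious when the user did not set it. The scheduled-task count is the most telling output here, because a job per hour all pointing at the same system32 binary is how the persistence in the ComboFix listing shows up.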
06-30-2008, 02:23 PM   #2
Stan_22, Registered User
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explorer random closing and Sounds

Bump Please
06-30-2008, 09:38 PM   #3
forhockey, Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,566
OS: Windows XP Pro

Re: Active Pop-ups, Internet Explorer random closing and Sounds

Hi Stan_22,


Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are three very good free Antivirus products which are available: Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

--------------------------------------------------------------

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


IMPORTANT: Make sure you install the Recovery Console before running ComboFix.

Reply back with the following:
  • C:\ComboFix.txt
  • New HiJackThis Log
__________________
Proud Member of ASAP
Proud Member of UNITE
07-01-2008, 10:42 AM   #4
Stan_22, Registered User
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3

Re: Active Pop-ups, Internet Explorer random closing and Sounds

Thank you so much for helping. I did everything as instructed; here are the ComboFix.txt and a new HijackThis log.


ComboFix 08-06-30.2 - Windows User 2008-07-01 11:43:27.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.481 [GMT -4:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboF.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 11:22 . 2008-06-21 19:16 0 --a------ C:\WINDOWS\system32\XJXAg3nw.exe.a_a
2008-07-01 11:22 . 2008-06-22 22:11 0 --a------ C:\WINDOWS\system32\VW3y11hg.exe.a_a
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Program Files\Avira
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-27 15:39 . 2008-06-27 15:39 <DIR> d-------- C:\Deckard
2008-06-27 11:30 . 2008-06-27 11:31 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 02:11 . 2008-06-27 02:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-06-27 02:02 . 2008-06-27 02:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-26 19:39 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 08:36 . 2008-06-26 08:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 08:36 . 2008-06-26 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-25 12:56 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 12:56 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 12:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-25 12:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-22 21:14 . 2008-06-25 11:35 20,480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-11 13:16 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 13:16 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 05:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-27 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 04:40 --------- d-----w C:\Program Files\Macromedia
2008-06-27 04:38 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-23 22:05 --------- d-----w C:\Program Files\Java
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 22:59 --------- d-----w C:\Program Files\CeRegEditor
2008-05-18 18:27 --------- d-----w C:\Program Files\TotalImageConverter
2008-05-17 04:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-05-14 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29 126976]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 20:12 169984]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= "C:\WINDOWS\system32\RS3u11dc.dll" [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-06-15 19:43 22528 C:\Program Files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)
"LogFileSize"= 0 (0x0)
"LogFilePath"=

S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-09-04 12:20]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-01 04:39:10 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 13:00:01 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 14:24:40 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 15:00:05 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 16:00:10 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 17:00:10 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 18:00:10 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 19:00:10 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 20:00:10 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 21:00:10 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 22:00:10 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 05:00:10 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 23:00:10 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 00:00:10 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 01:00:10 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 02:00:10 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 03:00:10 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-07-01 04:41:11 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 05:00:10 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 06:00:10 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-29 07:00:10 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 08:00:10 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 06:00:10 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 09:00:10 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 10:00:10 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 11:00:10 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 12:00:10 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 13:00:10 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 14:00:10 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 15:00:05 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 16:00:10 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 17:00:10 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 18:00:10 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-29 07:00:02 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-30 19:00:10 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 20:00:10 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 21:00:10 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 22:00:10 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-30 23:00:10 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 00:00:10 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 01:00:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 02:00:10 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-07-01 03:00:10 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\VW3y11hg.exe
"2008-06-27 08:00:01 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 09:00:01 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 10:00:01 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 11:00:01 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
"2008-06-27 12:00:01 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\XJXAg3nw.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Cingular Communication Manager - C:\Program Files\Cingular\Communication Manager\CingularCCM.exe
MSConfigStartUp-DAEMON Tools - C:\Program Files\DAEMON Tools\daemon.exe
MSConfigStartUp-McAfeeUpdaterUI - C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe
MSConfigStartUp-Network Associates Error Reporting Service - C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
MSConfigStartUp-ShStatEXE - C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
MSConfigStartUp-Yahoo! Pager - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-{6f2dd6f7-4270-64cf-b28a-158cfc4a21af} - C:\WINDOWS\system32\{2c449ffc-81e4-99ab-1cf4-20a6203e3ffc}.dll
MSConfigStartUp-= - (no file)
MSConfigStartUp-Aim6 - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 11:46:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-01 11:49:53
ComboFix-quarantined-files.txt 2008-07-01 15:48:49

Pre-Run: 51,918,753,792 bytes free
Post-Run: 51,932,512,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

310 --- E O F --- 2008-06-23 16:27:17



Here is the hijackthis.log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:38, on 2008-07-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis_199.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://officialhomepage.org/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 5997 bytes
Old 07-01-2008, 11:17 AM   #5 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,566
OS: Windows XP Pro


Re: Active Pop-ups, Internet Explore random closing and Sounds

Hello Stan_22,

This is going to take a few posts to clean up, so please stick with me until the end, when I declare your machine is malware free.

Thanks


--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint Manager <<<this is considered foistware instead of malware since it is installed without the user's approval, but doesn't spy or do anything "bad". Read this article: http://www.clickz.com/news/article.php/3561546

Additional info: http://vil.nai.com/vil/content/v_137262.htm

--------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\XJXAg3nw.exe
C:\WINDOWS\system32\VW3y11hg.exe
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
Save this as CFScript




Referring to the picture above, drag CFScript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\RS3u11dc.dll

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

If VirusTotal is busy, try the same at Jotti

--------------------------------------------------------------

Please reply back with the following:

C:\ComboFix.txt
Virus Total Results
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
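The CFScript above removes two randomly named system32 executables and the 48 At<N>.job tasks that launched them every hour. The following is an added example, not part of this thread, ComboFix or the helper's tooling: it parses the "Scheduled Tasks" section of a ComboFix log, groups jobs by the executable they run, flags that at.exe-style pattern, and drafts the matching File:: block. The log excerpt inside it is constructed from a subset of the lines posted above.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in the ComboFix layout: one legitimate job plus a few
# of the At<N>.job entries from the log posted in this thread.
SAMPLE_LOG = """\
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job"
- C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe
"2008-07-01 04:39:10 C:\\WINDOWS\\Tasks\\At1.job"
- C:\\WINDOWS\\system32\\XJXAg3nw.exe
"2008-06-27 13:00:01 C:\\WINDOWS\\Tasks\\At10.job"
- C:\\WINDOWS\\system32\\XJXAg3nw.exe
"2008-07-01 04:41:11 C:\\WINDOWS\\Tasks\\At25.job"
- C:\\WINDOWS\\system32\\VW3y11hg.exe
"2008-07-01 05:00:10 C:\\WINDOWS\\Tasks\\At26.job"
- C:\\WINDOWS\\system32\\VW3y11hg.exe
.
- - - - ORPHANS REMOVED - - - -
"""

# ComboFix prints each task as a quoted "<timestamp> <job path>" line
# followed by a "- <target>" line naming the executable the job runs.
JOB_RE = re.compile(r'^"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+?\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')
# Jobs created with at.exe are named At<N>.job; a user rarely makes dozens.
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)
# Eight alphanumerics mixing upper, lower and digits (XJXAg3nw, VW3y11hg).
RANDOM_NAME_RE = re.compile(r'^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{8}\.exe$')
SYSTEM32 = 'c:\\windows\\system32\\'


def parse_tasks(text):
    """Return (timestamp, job_path, target) triples from the section."""
    tasks = []
    lines = text.splitlines()
    in_section = False
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            i += 1
            continue
        if in_section:
            if line == '.':  # ComboFix closes the section with a lone dot
                break
            m = JOB_RE.match(line)
            if m and i + 1 < len(lines):
                t = TARGET_RE.match(lines[i + 1].strip())
                if t:
                    tasks.append((m.group(1), m.group(2), t.group(1)))
                    i += 2
                    continue
        i += 1
    return tasks


def group_by_target(tasks):
    """Map each target executable to the list of jobs that launch it."""
    groups = defaultdict(list)
    for _, job, target in tasks:
        groups[target].append(job)
    return dict(groups)


def is_suspicious(target, jobs):
    """Heuristic: At<N>.job tasks pointing at a random-looking exe in system32."""
    folder, _, name = target.rpartition('\\')
    in_system32 = (folder + '\\').lower() == SYSTEM32
    has_at_job = any(AT_JOB_RE.search(j) for j in jobs)
    return in_system32 and bool(RANDOM_NAME_RE.match(name)) and has_at_job


def triage(text):
    """Return {target: sorted job paths} for every target the heuristic flags."""
    groups = group_by_target(parse_tasks(text))
    return {t: sorted(j) for t, j in groups.items() if is_suspicious(t, j)}


def cfscript(findings):
    """Render the flagged targets and their jobs as a CFScript File:: block."""
    entries = []
    for target, jobs in sorted(findings.items()):
        entries.append(target)
        entries.extend(jobs)
    return 'File::\n' + '\n'.join(entries) + '\n'


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for target, jobs in sorted(found.items()):
        print(f'{target}: {len(jobs)} At-style job(s)')
    print(cfscript(found))
```

On the full log above the same heuristic would list both executables with all 48 jobs; the .exe.a_a companions in the helper's script are not visible in the task section and have to come from the file listing.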
Old 07-01-2008, 11:46 AM   #6 (permalink)
Registered User
 
 
Join Date: Jun 2008
Location: Fort Lauderdale, FL
Posts: 9
OS: Windows XP Service Pack 3


Re: Active Pop-ups, Internet Explore random closing and Sounds

Here is the recent ComboFix.txt

ComboFix 08-06-30.2 - Windows User 2008-07-01 14:35:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.489 [GMT -4:00]
Running from: C:\Documents and Settings\Windows User\Desktop\ComboF.exe
Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\VW3y11hg.exe
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\system32\XJXAg3nw.exe
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\WINDOWS\system32\VW3y11hg.exe.a_a
C:\WINDOWS\system32\XJXAg3nw.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Program Files\Avira
2008-07-01 10:08 . 2008-07-01 10:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-27 15:39 . 2008-06-27 15:39 <DIR> d-------- C:\Deckard
2008-06-27 11:30 . 2008-06-27 11:31 <DIR> d-------- C:\Program Files\Panda Security
2008-06-27 02:11 . 2008-06-27 02:12 <DIR> d-------- C:\Program Files\ZonedOut
2008-06-27 02:02 . 2008-06-27 02:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-26 19:39 . 2008-06-26 19:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-26 08:36 . 2008-06-26 08:36 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-26 08:36 . 2008-06-26 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-25 14:09 . 2008-06-25 14:09 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-25 14:08 . 2008-06-25 14:08 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-25 12:56 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-06-25 12:56 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-06-25 12:56 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-06-25 12:54 . 2008-04-13 20:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-25 12:53 . 2008-04-13 20:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-22 21:14 . 2008-06-25 11:35 20,480 --a------ C:\WINDOWS\system32\RS3u11dc.dll
2008-06-11 13:16 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 13:16 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 15:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-27 04:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-27 04:40 --------- d-----w C:\Program Files\Macromedia
2008-06-27 04:38 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-06-23 22:05 --------- d-----w C:\Program Files\Java
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-25 22:59 --------- d-----w C:\Program Files\CeRegEditor
2008-05-18 18:27 --------- d-----w C:\Program Files\TotalImageConverter
2008-05-17 04:56 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Softplicity
2008-05-14 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-05-13 15:30 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-05-13 15:29 126976]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26 368706]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-11-01 14:51 995328]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-11-01 14:47 1101824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 20:12 169984]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= "C:\WINDOWS\system32\RS3u11dc.dll" [2008-06-25 11:35 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2007-06-15 19:43 22528 C:\Program Files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2007-12-03 14:21 3461120 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 20:11 177152 C:\WINDOWS\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"bmwebcfg"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\javaw.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Logging]
"LogSuccessfulConnections"= 0 (0x0)
"LogDroppedPackets"= 0 (0x0)
"LogFileSize"= 0 (0x0)
"LogFilePath"=

S3 swmsflt;swmsflt;C:\WINDOWS\system32\drivers\swmsflt.sys [2007-09-04 12:20]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 14:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 23:27:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-= - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 14:37:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-01 14:40:48
ComboFix-quarantined-files.txt 2008-07-01 18:39:44
ComboFix2.txt 2008-07-01 15:49:55

Pre-Run: 51,950,137,344 bytes free
Post-Run: 51,934,400,512 bytes free

301 --- E O F --- 2008-06-23 16:27:17





Here are the VirusTotal results




MD5: 818b3c875e87e92e764fee1e984df614
First received: 06.21.2008 17:48:22 (CET)
Date: 07.01.2008 15:10:09 (CET) [<1D]
Results: 4/33
Permalink: analisis/8645ddd4fbcea2dd4925e071ce6c9364


File BfBlNwwp.vll received on 07.01.2008 15:09:08 (CET)
Current status: finished

Result: 4/33 (12.12%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.07.01 -
AntiVir 7.8.0.59 2008.07.01 -
Authentium 5.1.0.4 2008.07.01 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.07.01 -
BitDefender 7.2 2008.07.01 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.07.01 -
eSafe 7.0.17.0 2008.06.30 Suspicious File
eTrust-Vet 31.6.5917 2008.07.01 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.07.01 -
F-Secure 7.60.13501.0 2008.07.01 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.07.01 -
Ikarus T3.1.1.26.0 2008.07.01 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3232 2008.07.01 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.07.01 Suspicious file
Prevx1 V2 2008.07.01 Cloaked Malware
Rising 20.51.12.00 2008.07.01 -
Sophos 4.30.0 2008.07.01 Mal/HckPk-E
Sunbelt 3.1.1509.1 2008.07.01 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.07.01 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.07.01 -
Additional information
File size: 20480 bytes
MD5...: 818b3c875e87e92e764fee1e984df614
SHA1..: 33cb84fa890c599a001d023b794f4cb4eb4712fd
SHA256: cbc260caadfa66bdac93188334c38dfe4c0f2eab9ec215ecb65584e68bf63b0f
SHA512: c662f5ea5b9bb17562faef07af469edb00764265c6d5d607f4efa98d5872984b
6cfe6c5d1d355f483a4849d45da71bb6888aaa0fdfc229f6769faec8a255db36
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000d082
timedatestamp.....: 0x48588964 (Wed Jun 18 04:04:52 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa000 0x4000 0x3400 7.87 347fab63e1126ae3c2ab779b134d90b5
.rsrc 0xe000 0x2000 0x1800 4.92 1ee8d9bca289f56f3a82bb4965923a07

( 10 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> ADVAPI32.dll: RegCloseKey
> ATL80.DLL: -
> MSVCR80.dll: free
> ole32.dll: CoCreateInstance
> OLEAUT32.dll: -
> SHELL32.dll: ShellExecuteA
> SHLWAPI.dll: StrStrA
> USER32.dll: wsprintfA
> WININET.dll: InternetOpenW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

Prevx info: http://info.prevx.com/aboutprogramte...488B00EF775A0B
packers (F-Prot): UPX

Last edited by Stan_22 : 07-01-2008 at 11:54 AM. Reason: additional information found upon link