Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
Old 07-01-2009, 11:17 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 9
OS: Windows XP


Trojan Backdoor Generic 9

Hi people, sorry for the HijackThis post.

My computer has a virus in the system32 folder under the name winxp.exe.
I have tried deleting it directly from the folder under safe mode with system restore off, but it still keeps coming back. I have tried fixing the file with HijackThis but still to no avail. The file comes back whenever I try to open the C drive. I have tried everything including Ad-Aware and the AVG scanner but I have no idea how to get rid of it. Any help would be appreciated. Here are my logs:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Bryan at 1:05:22.40 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.324 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\Wscript.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Bryan\Desktop\dds.scr
C:\Documents and Settings\Bryan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
BHO: ShoppingReport: {100eb1fd-d03e-47fd-81f3-ee91287f9465} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: ShopperReports: {a7cddcdc-beeb-4685-a062-978f5e07ceee} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 7\PCSync2.exe" /NoDialog
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [WUSB54Gv4] c:\program files\linksys wireless-g usb wireless network monitor\InvokeSvc3.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl05a\BrStDvPt.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CTFMON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\winjpg.jpg
mRun: [Tech Wonders] c:\windows\system32\Tech Wonder.exe
mRun: [regdiit] c:\windows\system32\winxp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EAB15366-0E81-476D-83CC-1052FDF017C8} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {F552DDE6-2090-4bf4-B924-6141E87789A5} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bryan\applic~1\mozilla\firefox\profiles\9glzo0so.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 140.127.81.86
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 5\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 5\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-31 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-31 27784]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2008-8-27 33824]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 298776]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2008-5-4 79616]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 gupdate1c9f7fee7e7c5d0;Google Update Service (gupdate1c9f7fee7e7c5d0);c:\program files\google\update\GoogleUpdate.exe [2009-6-28 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\bryan\desktop\cabalsea\ntprocdrv.sys --> c:\documents and settings\bryan\desktop\cabalsea\NtProcDrv.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-7-1 29584]
S3 XDva132;XDva132;\??\c:\windows\system32\xdva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\xdva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\xdva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\xdva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva170;XDva170;\??\c:\windows\system32\xdva170.sys --> c:\windows\system32\XDva170.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\xdva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva187;XDva187;\??\c:\windows\system32\xdva187.sys --> c:\windows\system32\XDva187.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva193;XDva193;\??\c:\windows\system32\xdva193.sys --> c:\windows\system32\XDva193.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva204;XDva204;\??\c:\windows\system32\xdva204.sys --> c:\windows\system32\XDva204.sys [?]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-07-01 23:32 10,240 a------- c:\windows\system32\winxp.exe
2009-07-01 22:57 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 22:55 29,584 a------- c:\windows\system32\drivers\regguard.sys
2009-07-01 22:55 2 a--shrot c:\windows\winstart.bat
2009-07-01 22:54 <DIR> --d----- c:\program files\Greatis
2009-07-01 22:45 305 a------- c:\windows\system32\Tech Wonder
2009-07-01 22:45 10,240 a------- c:\windows\system32\Tech Wonder.exe
2009-07-01 22:18 <DIR> --d----- c:\program files\CCleaner
2009-07-01 22:07 51,978 a--shr-- C:\winfile.jpg
2009-07-01 22:07 51,978 a--shr-- c:\windows\system32\winjpg.jpg
2009-07-01 22:07 110 a--shr-- C:\autorun.inf
2009-06-28 22:43 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-26 22:54 <DIR> --d----- c:\program files\ShoppingReport
2009-06-20 13:18 <DIR> --d----- c:\docume~1\bryan\applic~1\Canneverbe_Limited
2009-06-20 12:16 <DIR> --d----- c:\docume~1\bryan\applic~1\AVS4YOU
2009-06-20 12:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-06-20 12:14 974,848 a------- c:\windows\system32\mfc70.dll
2009-06-20 12:14 487,424 a------- c:\windows\system32\msvcp70.dll
2009-06-20 12:14 344,064 a------- c:\windows\system32\msvcr70.dll
2009-06-20 12:14 <DIR> --d----- c:\program files\common files\AVSMedia
2009-06-20 12:14 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-06-20 12:14 24,576 a------- c:\windows\system32\msxml3a.dll
2009-06-20 12:14 <DIR> --d----- c:\program files\AVS4YOU
2009-06-11 10:04 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 10:04 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-08 00:34 <DIR> --d----- c:\docume~1\bryan\applic~1\DragonicaSCB
2009-06-07 23:25 <DIR> --d----- c:\program files\IAHGames

==================== Find3M ====================

2009-06-12 10:02 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-13 13:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 09:26 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 23:44 344,064 a------- c:\windows\system32\localspl.dll
2009-04-17 17:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-15 23:11 584,192 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 1:05:41.20 ===============
Attached Files
File Type: zip ark.zip (1.4 KB, 2 views)
File Type: zip Attach.zip (4.1 KB, 2 views)
evilight is offline  
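As an added illustration (not part of this thread, and not code from the DDS or ComboFix tools), the Python script below applies a few defensive triage heuristics to DDS-style autostart and "Created Last 30" lines such as the ones in the log above. The sample input is constructed from lines copied out of that log; the heuristics, the function names (`triage`, `split_command`) and the small list of imitated Windows binary names are my own assumptions. It flags a script host (wscript.exe) being handed a .jpg file, a Run value named after a Windows binary (CTFMON) whose target is something else, autostart executables that also appear in the recently-created list, and an autorun.inf at a drive root, which is consistent with the poster's symptom of the file returning whenever the C: drive is opened.

```python
import ntpath
import re

# Constructed sample input: autostart and "Created Last 30" lines copied from
# the DDS log in the post above, so the heuristics can be run offline.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [CTFMON] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\winjpg.jpg
mRun: [Tech Wonders] c:\windows\system32\Tech Wonder.exe
mRun: [regdiit] c:\windows\system32\winxp.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
2009-07-01 23:32 10,240 a------- c:\windows\system32\winxp.exe
2009-07-01 22:45 10,240 a------- c:\windows\system32\Tech Wonder.exe
2009-07-01 22:07 51,978 a--shr-- C:\winfile.jpg
2009-07-01 22:07 51,978 a--shr-- c:\windows\system32\winjpg.jpg
2009-07-01 22:07 110 a--shr-- C:\autorun.inf
"""

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Assumed list of Windows binary names that a Run value might imitate; if the
# value is named like one of these, its target should be that binary.
WINDOWS_BINARIES = {"ctfmon.exe", "explorer.exe", "svchost.exe", "userinit.exe", "lsass.exe"}
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)


def split_command(cmd):
    """Split a Run-value command line into (program path, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted program path
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted: the program path runs up to the first executable extension,
    # which also copes with unquoted paths containing spaces ("Tech Wonder.exe").
    m = re.match(r"(.+?\.(?:exe|com|scr))(?:\s+(.*))?$", cmd, re.I)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage(log_text):
    """Return a list of {'entry', 'reason'} findings for suspicious lines."""
    findings = []
    created = {}        # lower-cased path -> creation timestamp
    run_entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            run_entries.append(m.groupdict())
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            created[path.lower()] = m.group("date")
            if ROOT_AUTORUN_RE.match(path):
                findings.append({"entry": path,
                                 "reason": "autorun.inf at a drive root (created %s)" % m.group("date")})
    for e in run_entries:
        exe, args = split_command(e["cmd"])
        base = ntpath.basename(exe).lower()
        # 1. A script host given a file whose extension is not a script type.
        if base in SCRIPT_HOSTS:
            for tok in args.split():
                if not tok.startswith("/") and ntpath.splitext(tok)[1].lower() not in SCRIPT_EXTS:
                    findings.append({"entry": e["name"],
                                     "reason": "%s launching non-script file %s" % (base, tok)})
        # 2. Value name imitates a Windows binary but points somewhere else.
        expected = e["name"].lower()
        if not expected.endswith(".exe"):
            expected += ".exe"
        if expected in WINDOWS_BINARIES and base != expected:
            findings.append({"entry": e["name"],
                             "reason": "value named like %s but runs %s" % (expected, exe)})
        # 3. Autostart target shows up in the recently-created file list.
        if exe.lower() in created:
            findings.append({"entry": e["name"],
                             "reason": "autostart target created recently (%s)" % created[exe.lower()]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-20s %s" % (f["entry"], f["reason"]))
```

Run against the sample, the script leaves the Java updater and the genuine ctfmon.exe entry alone and reports the CTFMON/wscript line twice (script host fed a .jpg, and name/target mismatch), the two freshly created system32 executables, and the root autorun.inf; on a real log the findings are a starting point for the analyst's review, not a verdict.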
Old 07-02-2009, 12:52 AM   #2 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,227
OS: Windows 7 Premium x64


Re: Trojan Backdoor Generic 9

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users, please make sure you run all commands with administrator rights (right-click the icon and choose Run as administrator).

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 07-03-2009, 03:47 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 9
OS: Windows XP


Re: Trojan Backdoor Generic 9

Hello Steve, thank you for taking the time to address my problem. Here is my ComboFix scan result:

ComboFix 09-07-02.02 - Bryan 07/03/2009 17:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.462 [GMT 8:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Bryan\Application Data\ShoppingReport
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Bryan\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
c:\program files\ShoppingReport\Uninst.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\Installer\19f90c4.msp
c:\windows\Installer\6ea58.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 13:27 . 2009-06-17 03:16 2052888 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-07-01 15:32 . 2009-07-03 06:28 10240 ----a-w- c:\windows\system32\winxp.exe
2009-07-01 15:15 . 2009-07-01 15:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-01 14:57 . 2009-07-01 14:57 -------- d-----w- c:\program files\Trend Micro
2009-07-01 14:55 . 2009-07-01 14:55 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-07-01 14:55 . 2009-07-01 14:55 2 --shatr- c:\windows\winstart.bat
2009-07-01 14:54 . 2009-07-01 14:54 -------- d-----w- c:\program files\Greatis
2009-07-01 14:45 . 2009-07-01 15:18 10240 ----a-w- c:\windows\system32\Tech Wonder.exe
2009-07-01 14:18 . 2009-07-01 14:18 -------- d-----w- c:\program files\CCleaner
2009-06-28 21:01 . 2009-06-28 21:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-28 14:44 . 2009-06-28 14:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-28 14:43 . 2009-06-28 14:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\documents and settings\Bryan\Application Data\Canneverbe_Limited
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\program files\CDBurnerXP
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\AVS4YOU
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\DivX
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-20 04:14 . 2009-01-28 12:49 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-06-20 04:14 . 2009-01-28 12:49 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-06-20 04:14 . 2009-01-28 12:49 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\AVS4YOU
2009-06-20 04:14 . 2009-01-28 12:49 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-06-20 04:14 . 2009-01-28 12:49 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-11 02:04 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:04 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 16:34 . 2009-06-07 16:34 -------- d-----w- c:\documents and settings\Bryan\Application Data\DragonicaSCB
2009-06-07 15:25 . 2009-06-07 15:25 -------- d-----w- c:\program files\IAHGames
2009-06-04 04:25 . 2009-06-04 05:23 -------- d-----w- c:\documents and settings\Bryan\Application Data\ImgBurn
2009-06-04 04:23 . 2009-06-04 04:23 -------- d-----w- c:\program files\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 06:41 . 2008-05-03 16:17 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-07-01 14:25 . 2008-05-04 13:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 13:50 . 2008-05-05 00:06 -------- d-----w- c:\documents and settings\Bryan\Application Data\uTorrent
2009-06-28 14:58 . 2008-12-03 01:06 -------- d-----w- c:\program files\DivX
2009-06-28 14:47 . 2008-08-27 02:14 -------- d-----w- c:\program files\Google
2009-06-19 03:29 . 2008-05-10 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 03:16 . 2008-07-30 16:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 02:02 . 2008-07-30 16:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 06:37 . 2008-05-03 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 06:37 . 2009-02-12 16:40 -------- d-----w- c:\program files\Garena
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\program files\Spyware Terminator
2009-06-09 11:11 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\Bryan\Application Data\Spyware Terminator
2009-06-09 03:15 . 2008-05-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-06-08 17:13 . 2008-10-22 01:39 -------- d-----w- c:\program files\IObit
2009-06-08 17:01 . 2008-12-22 04:26 -------- d-----w- c:\documents and settings\Bryan\Application Data\IObit
2009-06-08 16:59 . 2009-05-28 10:16 -------- d-----w- c:\program files\eToro
2009-06-08 16:59 . 2009-05-05 14:49 -------- d-----w- c:\documents and settings\Bryan\Application Data\Raptr
2009-06-08 16:59 . 2008-08-21 16:12 -------- d-----w- c:\program files\LimeWire
2009-06-08 16:59 . 2008-06-01 05:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-29 06:18 . 2008-08-21 16:14 -------- d-----w- c:\documents and settings\Bryan\Application Data\LimeWire
2009-05-19 04:49 . 2008-11-14 06:33 -------- d-----w- c:\program files\Warcraft III
2009-05-13 05:15 . 2007-07-27 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 01:26 . 2009-02-03 01:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2007-07-27 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 14:52 . 2008-09-08 06:44 -------- d--h--w- c:\documents and settings\Bryan\Application Data\ijjigame
2009-05-05 14:51 . 2009-05-05 14:51 -------- d-----w- c:\documents and settings\Bryan\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2009-05-05 14:49 . 2009-05-05 14:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-04-17 09:58 . 2007-07-27 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2007-07-27 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-07-27 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-01 1124352]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-04-30 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"Tech Wonders"="c:\windows\system32\Tech Wonder.exe" [2009-07-01 10240]
"regdiit"="c:\windows\system32\winxp.exe" [2009-07-03 10240]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-07-13 14679552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-5-4 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 01:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:06 AM 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 9:49 AM 298776]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [5/4/2008 12:09 AM 79616]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 gupdate1c9f7fee7e7c5d0;Google Update Service (gupdate1c9f7fee7e7c5d0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 10:43 PM 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys --> c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [7/1/2009 10:55 PM 29584]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys --> c:\windows\system32\XDva167.sys [?]
S3 XDva170;XDva170;\??\c:\windows\system32\XDva170.sys --> c:\windows\system32\XDva170.sys [?]
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S3 XDva187;XDva187;\??\c:\windows\system32\XDva187.sys --> c:\windows\system32\XDva187.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
S3 XDva193;XDva193;\??\c:\windows\system32\XDva193.sys --> c:\windows\system32\XDva193.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva204;XDva204;\??\c:\windows\system32\XDva204.sys --> c:\windows\system32\XDva204.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D6849BBC-56CC-A8E1-D991-4640F2ACAFC8}]
c:\windows\system32\Tech Wonder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:57]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]

2009-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\9glzo0so.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 140.127.81.86
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 17:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Tech Wonders = c:\windows\system32\Tech Wonder.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{362FAC76-D925-F554-76F9-E9427C5D5638}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iadigiollmehkgfnof"=hex:69,61,64,6c,6d,6a,6c,67,67,6a,68,6b,62,6d,66,62,69,63,
00,00
"hajiajlkbehplkli"=hex:69,61,64,6c,6d,6a,6d,67,68,6a,61,6d,64,6e,64,69,66,67,
00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2009-07-03 17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 09:41

Pre-Run: 20,887,212,032 bytes free
Post-Run: 20,789,714,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Attached Files
File Type: zip ComboFix.zip (6.2 KB, 4 views)
evilight is offline  
Old 07-03-2009, 12:29 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,227
OS: Windows 7 Premium x64


Re: Trojan Backdoor Generic 9

Hi there evilight

Does the Kaohsiung Pingtung Penghu Regional Network mean anything to you at all?

Close any open browsers.

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
c:\windows\system32\winxp.exe
c:\windows\system32\Tech Wonder.exe
c:\windows\system32\XDva132.sys
c:\windows\system32\XDva158.sys
c:\windows\system32\XDva165.sys
c:\windows\system32\XDva167.sys
c:\windows\system32\XDva170.sys
c:\windows\system32\XDva177.sys
c:\windows\system32\XDva186.sys
c:\windows\system32\XDva187.sys
c:\windows\system32\XDva190.sys
c:\windows\system32\XDva193.sys
c:\windows\system32\XDva195.sys
c:\windows\system32\XDva204.sys
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe

Driver::
XDva132
XDva158
XDva165
XDva167
XDva170
XDva177
XDva186
XDva187
XDva190
XDva193
XDva195
XDva204

Filelook::
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tech Wonders"=-
"regdiit"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D6849BBC-56CC-A8E1-D991-4640F2ACAFC8}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]

Regnull::
[HKEY_USERS\S-1-5-21-1229272821-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{362FAC76-D925-F554-76F9-E9427C5D5638}*]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

===================================================

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===================================================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Please note that this may take some time to complete

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back in your next reply with the log from ComboFix and the Kaspersky results, and update me on how things are running.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
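As an added example (not code from either participant or from ComboFix): a small Python triage pass over the kind of log lines quoted above. It groups the unverified `[?]` driver entries by name prefix so the XDva run stands out from a lone entry such as Partizan, flags the Firefox proxy prefs, and flags Active Setup components that run from a user profile. The sample log is a constructed subset of this thread's lines; the clustering threshold and the profile-path heuristic are this example's own choices.

```python
"""Triage pass over ComboFix/DDS-style log lines like those quoted in this thread.
Reports: driver/service entries whose image could not be verified ("[?]"), grouped by
name prefix so generated names such as XDva132/XDva158 stand out; Firefox prefs.js
entries that route the browser through an HTTP proxy; and Active Setup components
whose command lives under a user profile (a heuristic of this example, not ComboFix's)."""
import re
from collections import defaultdict

# S3 XDva132;XDva132;\??\c:\...\XDva132.sys --> c:\...\XDva132.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*) \[(?P<info>[^\]]*)\]$")
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.*)$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\>?"
    r"(?P<guid>\{[^}]+\})\]$", re.IGNORECASE)
NAME_PREFIX_RE = re.compile(r"^([A-Za-z]+)\d+$")  # XDva132 -> "XDva"
USER_WRITABLE = ("c:\\documents and settings\\",)  # profile root on Windows XP
CLUSTER_MIN = 3                                    # this example's own threshold

# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:06 AM 327688]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]
S3 XDva204;XDva204;\??\c:\windows\system32\XDva204.sys --> c:\windows\system32\XDva204.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [7/1/2009 10:55 PM 29584]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe

FF - prefs.js: network.proxy.http - 140.127.81.86
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
"""


def parse_services(lines):
    """Parse R*/S* driver and service lines; 'verified' is False for a '[?]' entry."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image")
        if "-->" in image:  # "<registry image path> --> <resolved path>"
            image = image.split("-->", 1)[1].strip()
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "image": image, "verified": m.group("info") != "?"})
    return services


def unverified_by_prefix(services):
    """Group unverified entries by the alphabetic part of their service name."""
    groups = defaultdict(list)
    for svc in services:
        if not svc["verified"]:
            m = NAME_PREFIX_RE.match(svc["name"])
            groups[m.group(1) if m else svc["name"]].append(svc["image"])
    return dict(groups)


def proxy_findings(lines):
    """Return a finding if the Firefox profile has an HTTP proxy host configured."""
    prefs = {}
    for line in lines:
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group("key")] = m.group("value")
    host = prefs.get("network.proxy.http")
    if not host:
        return []
    return [f"Firefox HTTP proxy set to {host}:{prefs.get('network.proxy.http_port', '?')} "
            f"(network.proxy.type={prefs.get('network.proxy.type')})"]


def active_setup_commands(lines):
    """Map each Active Setup component GUID to the command on the following line."""
    commands = {}
    for i, line in enumerate(lines[:-1]):
        m = ACTIVE_SETUP_RE.match(line.strip())
        if m:
            commands[m.group("guid")] = lines[i + 1].strip()
    return commands


def triage(log_text):
    """Run all three checks over a log excerpt and return the findings."""
    lines = log_text.splitlines()
    groups = unverified_by_prefix(parse_services(lines))
    return {
        "unverified_clusters": {p: v for p, v in groups.items() if len(v) >= CLUSTER_MIN},
        "unverified_other": {p: v for p, v in groups.items() if len(v) < CLUSTER_MIN},
        "proxy": proxy_findings(lines),
        "active_setup": {g: c for g, c in active_setup_commands(lines).items()
                         if c.lower().startswith(USER_WRITABLE)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```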
Old 07-06-2009, 05:10 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 9
OS: Windows XP


Re: Trojan Backdoor Generic 9

Hi Steve. Thanks. Here is my ComboFix report.
ComboFix 09-07-03.03 - Bryan 07/04/2009 9:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.388 [GMT 8:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bryan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe"
"c:\windows\system32\Tech Wonder.exe"
"c:\windows\system32\winxp.exe"
"c:\windows\system32\XDva132.sys"
"c:\windows\system32\XDva158.sys"
"c:\windows\system32\XDva165.sys"
"c:\windows\system32\XDva167.sys"
"c:\windows\system32\XDva170.sys"
"c:\windows\system32\XDva177.sys"
"c:\windows\system32\XDva186.sys"
"c:\windows\system32\XDva187.sys"
"c:\windows\system32\XDva190.sys"
"c:\windows\system32\XDva193.sys"
"c:\windows\system32\XDva195.sys"
"c:\windows\system32\XDva204.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Tech Wonder.exe
c:\windows\system32\winxp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA132
-------\Legacy_XDVA158
-------\Legacy_XDVA165
-------\Legacy_XDVA167
-------\Legacy_XDVA170
-------\Legacy_XDVA177
-------\Legacy_XDVA186
-------\Legacy_XDVA187
-------\Legacy_XDVA190
-------\Legacy_XDVA193
-------\Legacy_XDVA195
-------\Legacy_XDVA204
-------\Service_XDva132
-------\Service_XDva158
-------\Service_XDva165
-------\Service_XDva167
-------\Service_XDva170
-------\Service_XDva177
-------\Service_XDva186
-------\Service_XDva187
-------\Service_XDva190
-------\Service_XDva193
-------\Service_XDva195
-------\Service_XDva204


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-03 09:45 . 2009-07-03 09:46 6378 ----a-w- C:\ComboFix.zip
2009-07-02 13:27 . 2009-06-17 03:16 2052888 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-07-01 15:15 . 2009-07-01 15:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-01 14:57 . 2009-07-01 14:57 -------- d-----w- c:\program files\Trend Micro
2009-07-01 14:55 . 2009-07-01 14:55 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-07-01 14:55 . 2009-07-01 14:55 2 --shatr- c:\windows\winstart.bat
2009-07-01 14:54 . 2009-07-01 14:54 -------- d-----w- c:\program files\Greatis
2009-07-01 14:18 . 2009-07-01 14:18 -------- d-----w- c:\program files\CCleaner
2009-06-28 21:01 . 2009-06-28 21:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-28 14:44 . 2009-06-28 14:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-28 14:43 . 2009-06-28 14:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\documents and settings\Bryan\Application Data\Canneverbe_Limited
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\program files\CDBurnerXP
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\AVS4YOU
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\DivX
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-20 04:14 . 2009-01-28 12:49 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-06-20 04:14 . 2009-01-28 12:49 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-06-20 04:14 . 2009-01-28 12:49 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\AVS4YOU
2009-06-20 04:14 . 2009-01-28 12:49 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-06-20 04:14 . 2009-01-28 12:49 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-11 02:04 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:04 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 16:34 . 2009-06-07 16:34 -------- d-----w- c:\documents and settings\Bryan\Application Data\DragonicaSCB
2009-06-07 15:25 . 2009-06-07 15:25 -------- d-----w- c:\program files\IAHGames
2009-06-04 04:25 . 2009-06-04 05:23 -------- d-----w- c:\documents and settings\Bryan\Application Data\ImgBurn
2009-06-04 04:23 . 2009-06-04 04:23 -------- d-----w- c:\program files\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 00:53 . 2008-05-03 16:17 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-07-01 14:25 . 2008-05-04 13:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-01 13:50 . 2008-05-05 00:06 -------- d-----w- c:\documents and settings\Bryan\Application Data\uTorrent
2009-06-28 14:58 . 2008-12-03 01:06 -------- d-----w- c:\program files\DivX
2009-06-28 14:47 . 2008-08-27 02:14 -------- d-----w- c:\program files\Google
2009-06-19 03:29 . 2008-05-10 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 03:16 . 2008-07-30 16:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 02:02 . 2008-07-30 16:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-11 06:37 . 2008-05-03 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 06:37 . 2009-02-12 16:40 -------- d-----w- c:\program files\Garena
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\program files\Spyware Terminator
2009-06-09 11:11 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\Bryan\Application Data\Spyware Terminator
2009-06-09 03:15 . 2008-05-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-06-08 17:13 . 2008-10-22 01:39 -------- d-----w- c:\program files\IObit
2009-06-08 17:01 . 2008-12-22 04:26 -------- d-----w- c:\documents and settings\Bryan\Application Data\IObit
2009-06-08 16:59 . 2009-05-28 10:16 -------- d-----w- c:\program files\eToro
2009-06-08 16:59 . 2009-05-05 14:49 -------- d-----w- c:\documents and settings\Bryan\Application Data\Raptr
2009-06-08 16:59 . 2008-08-21 16:12 -------- d-----w- c:\program files\LimeWire
2009-06-08 16:59 . 2008-06-01 05:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-29 06:18 . 2008-08-21 16:14 -------- d-----w- c:\documents and settings\Bryan\Application Data\LimeWire
2009-05-19 04:49 . 2008-11-14 06:33 -------- d-----w- c:\program files\Warcraft III
2009-05-13 05:15 . 2007-07-27 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 01:26 . 2009-02-03 01:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2007-07-27 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-05 14:52 . 2008-09-08 06:44 -------- d--h--w- c:\documents and settings\Bryan\Application Data\ijjigame
2009-05-05 14:51 . 2009-05-05 14:51 -------- d-----w- c:\documents and settings\Bryan\Application Data\com.raptr.Raptr.848BBC53270CAC248E8FA0F339176201CDEB525F.1
2009-05-05 14:49 . 2009-05-05 14:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-04-17 09:58 . 2007-07-27 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2007-07-27 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll ---
Company: Microsoft Corporation
File Description: Microsoft® C Runtime Library
File Version: 8.00.50727.1433
Product Name: Microsoft® Visual Studio® 2005
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: MSVCR80.DLL
File size: 635904
Created time: 2007-10-23 17:47
Modified time: 2007-10-23 17:47
MD5: 6C34B81172080D41F1003AF9EB35EC14
SHA1: CD6E9506B4EB72DFD665075B3D7C31DBA1480891


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-07-27 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-01 1124352]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-04-30 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-07-13 14679552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-5-4 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 01:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:06 AM 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 9:49 AM 298776]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [5/4/2008 12:09 AM 79616]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 gupdate1c9f7fee7e7c5d0;Google Update Service (gupdate1c9f7fee7e7c5d0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 10:43 PM 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys --> c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [7/1/2009 10:55 PM 29584]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:57]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]

2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Tech Wonders - c:\windows\system32\Tech Wonder.exe
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\9glzo0so.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 140.127.81.86
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-04 09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Tech Wonders = c:\windows\system32\Tech Wonder.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5048)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\AVG\AVG8\avgupd.exe
.
**************************************************************************
.
Completion time: 2009-07-04 9:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 01:08
ComboFix2.txt 2009-07-03 09:41

Pre-Run: 20,529,496,064 bytes free
Post-Run: 20,518,363,136 bytes free

Attached Files
File Type: zip KAS.zip (785 Bytes, 1 views)
File Type: zip ComboFix.zip (5.8 KB, 0 views)
Old 07-06-2009, 09:19 AM   #6 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,227
OS: Windows 7 Premium x64


Re: Trojan Backdoor Generic 9

Hi there evilight

Great work, so far so good. Not fully out of the woods yet though, still a couple of items that need attention...

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\winjpg.jpg
C:\winfile.jpg

Registry::
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Tech Wonders"=-
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Post back with the ComboFix results, and also update me on how things are running now.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
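The CFScript above deletes a Run value by name with `"Tech Wonders"=-`; the entry it targets appeared in the earlier catchme output as `Tech Wonder.exe` followed by a long run of `?`, which is how a value padded with unprintable characters (so regedit cannot show or delete it) is rendered. As an added example, not from the thread or from ComboFix, this Python script parses both line styles found in such logs, flags values whose data ends in a run of padding, and drafts the File::/Registry:: sections of a CFScript; the sample log is constructed, and its `Updater` entry is invented to show real NUL padding inside a REGEDIT4-style line.

```python
"""Flag autostart values padded with unprintable bytes (rendered as '?' by
catchme/ComboFix) and draft the CFScript that removes them."""
import re
from dataclasses import dataclass

# Trailing run of '?' or control/C1 bytes: padding that keeps regedit from
# showing or deleting the value and that catchme prints as '????...'.
PADDING_RUN = re.compile(r"[?\x00-\x1f\x7f-\x9f]{8,}$")
KEY_LINE = re.compile(r"^\[?(HK[A-Z_]+\\[^\]]+?)\]?$")
QUOTED_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')  # REGEDIT4 style
BARE_VALUE = re.compile(r"^(?P<name>[^=]+?) = (?P<data>.+)$")   # catchme style
ANNOTATION = re.compile(r"\s*\[[^\]]*\]$")                        # " [date size]"
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Constructed sample in the two line styles the thread's logs use. "Tech Wonders" is
# the thread's entry with shortened padding; "Updater" is invented (real NUL padding).
SAMPLE_LOG = (
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"AVG8_TRAY"="c:\\progra~1\\AVG\\AVG8\\avgtray.exe" [2009-06-12 1948440]\n'
    '"Updater"="c:\\windows\\system32\\updater.exe' + "\x00" * 12 + '"\n'
    "\n"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "Tech Wonders = c:\\windows\\system32\\Tech Wonder.exe" + "?" * 24 + "\n"
)


@dataclass
class Finding:
    key: str      # HKLM\... form, as CFScript writes it
    name: str     # value name to delete
    image: str    # value data with the padding removed
    padding: int  # number of padding characters seen


def parse_autostarts(text: str):
    """Yield (key, name, data) for each value line under a registry key header."""
    key = None
    for line in text.split("\n"):  # no .strip(): control-char padding counts as whitespace
        if not line:
            continue
        k = KEY_LINE.match(line)
        if k:
            hive, _, rest = k.group(1).partition("\\")
            key = HIVE_SHORT.get(hive.upper(), hive) + "\\" + rest
            continue
        if key is None:
            continue
        q = QUOTED_VALUE.match(line)
        if q:
            data = ANNOTATION.sub("", q.group("rest"))
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            yield key, q.group("name"), data
            continue
        b = BARE_VALUE.match(line)
        if b:
            yield key, b.group("name"), b.group("data")


def find_padded_autostarts(text: str) -> list:
    """Return a Finding for every entry whose data ends in a run of padding."""
    findings = []
    for key, name, data in parse_autostarts(text):
        m = PADDING_RUN.search(data)
        if m:
            findings.append(Finding(key, name, data[:m.start()], m.end() - m.start()))
    return findings


def build_cfscript(findings: list) -> str:
    """Draft a CFScript (File:: for the images, Registry:: with "name"=-) for analyst review."""
    lines = ["File::"] + [f.image for f in findings] + ["", "Registry::"]
    by_key: dict = {}
    for f in findings:  # registry paths are case-insensitive: group on lower()
        by_key.setdefault(f.key.lower(), (f.key, []))[1].append(f.name)
    for key, names in by_key.values():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(find_padded_autostarts(SAMPLE_LOG)))
```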
Old 07-06-2009, 10:22 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 9
OS: Windows XP


Re: Trojan Backdoor Generic 9

Hi Steve, so far things have been running smoothly. Thanks a lot for your help!

Here is my scan log.
ComboFix 09-07-05.04 - Bryan 07/07/2009 0:13.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.291 [GMT 8:00]
Running from: c:\documents and settings\Bryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bryan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\winjpg.jpg"
"C:\winfile.jpg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winjpg.jpg
C:\winfile.jpg

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 12:37 . 2009-07-06 16:09 -------- d-----w- c:\program files\PeerGuardian2
2009-07-06 11:58 . 2009-07-06 11:58 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-06 11:58 . 2009-07-06 11:58 152576 ----a-w- c:\documents and settings\Bryan\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-04 01:09 . 2009-06-12 02:02 327688 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgldx86.sys
2009-07-04 01:09 . 2009-06-12 02:02 3402008 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgui.exe
2009-07-04 01:09 . 2009-06-12 02:02 1204504 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgabout.dll
2009-07-04 01:09 . 2009-06-17 03:16 829208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcfgx.dll
2009-07-04 01:09 . 2009-06-17 03:16 3298072 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\setup.exe
2009-07-04 01:08 . 2009-06-12 02:01 1085208 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.exe
2009-07-04 01:08 . 2009-06-17 03:16 1454360 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgupd.dll
2009-07-03 09:45 . 2009-07-03 09:46 6378 ----a-w- C:\ComboFix.zip
2009-07-02 13:27 . 2009-07-02 13:27 2052376 ----a-w- c:\documents and settings\All Users\Application Data\Avg8\update\backup\avgcorex.dll
2009-07-01 15:15 . 2009-07-01 15:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-01 14:57 . 2009-07-01 14:57 -------- d-----w- c:\program files\Trend Micro
2009-07-01 14:55 . 2009-07-01 14:55 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-07-01 14:55 . 2009-07-01 14:55 2 --shatr- c:\windows\winstart.bat
2009-07-01 14:54 . 2009-07-01 14:54 -------- d-----w- c:\program files\Greatis
2009-07-01 14:18 . 2009-07-01 14:18 -------- d-----w- c:\program files\CCleaner
2009-06-28 21:01 . 2009-06-28 21:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-28 14:44 . 2009-06-28 14:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-28 14:43 . 2009-06-28 14:43 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\documents and settings\Bryan\Application Data\Canneverbe_Limited
2009-06-20 05:18 . 2009-06-20 05:18 -------- d-----w- c:\program files\CDBurnerXP
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\AVS4YOU
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\Bryan\Application Data\DivX
2009-06-20 04:16 . 2009-06-20 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-06-20 04:14 . 2009-01-28 12:49 974848 ----a-w- c:\windows\system32\mfc70.dll
2009-06-20 04:14 . 2009-01-28 12:49 487424 ----a-w- c:\windows\system32\msvcp70.dll
2009-06-20 04:14 . 2009-01-28 12:49 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-06-20 04:14 . 2009-06-20 04:18 -------- d-----w- c:\program files\AVS4YOU
2009-06-20 04:14 . 2009-01-28 12:49 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2009-06-20 04:14 . 2009-01-28 12:49 24576 ----a-w- c:\windows\system32\msxml3a.dll
2009-06-11 02:04 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 02:04 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-07 16:34 . 2009-06-07 16:34 -------- d-----w- c:\documents and settings\Bryan\Application Data\DragonicaSCB
2009-06-07 15:25 . 2009-06-07 15:25 -------- d-----w- c:\program files\IAHGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 16:09 . 2008-05-05 00:06 -------- d-----w- c:\documents and settings\Bryan\Application Data\uTorrent
2009-07-06 13:09 . 2008-05-03 16:17 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-07-06 11:58 . 2008-05-21 00:19 -------- d-----w- c:\program files\Java
2009-07-04 01:09 . 2008-07-30 16:06 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 14:25 . 2008-05-04 13:27 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 14:58 . 2008-12-03 01:06 -------- d-----w- c:\program files\DivX
2009-06-28 14:47 . 2008-08-27 02:14 -------- d-----w- c:\program files\Google
2009-06-19 03:29 . 2008-05-10 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 03:16 . 2008-07-30 16:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 06:37 . 2008-05-03 15:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 06:37 . 2009-02-12 16:40 -------- d-----w- c:\program files\Garena
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-09 11:29 . 2008-12-23 15:46 -------- d-----w- c:\program files\Spyware Terminator
2009-06-09 11:11 . 2008-12-23 15:46 -------- d-----w- c:\documents and settings\Bryan\Application Data\Spyware Terminator
2009-06-09 03:15 . 2008-05-04 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-06-08 17:13 . 2008-10-22 01:39 -------- d-----w- c:\program files\IObit
2009-06-08 17:01 . 2008-12-22 04:26 -------- d-----w- c:\documents and settings\Bryan\Application Data\IObit
2009-06-08 16:59 . 2009-05-28 10:16 -------- d-----w- c:\program files\eToro
2009-06-08 16:59 . 2009-05-05 14:49 -------- d-----w- c:\documents and settings\Bryan\Application Data\Raptr
2009-06-08 16:59 . 2008-08-21 16:12 -------- d-----w- c:\program files\LimeWire
2009-06-08 16:59 . 2008-06-01 05:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-04 05:23 . 2009-06-04 04:25 -------- d-----w- c:\documents and settings\Bryan\Application Data\ImgBurn
2009-06-04 04:23 . 2009-06-04 04:23 -------- d-----w- c:\program files\ImgBurn
2009-05-29 06:18 . 2008-08-21 16:14 -------- d-----w- c:\documents and settings\Bryan\Application Data\LimeWire
2009-05-19 04:49 . 2008-11-14 06:33 -------- d-----w- c:\program files\Warcraft III
2009-05-13 05:15 . 2007-07-27 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-08 01:26 . 2009-02-03 01:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-07 15:44 . 2007-07-27 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 09:58 . 2007-07-27 12:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2007-07-27 12:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-03_09.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-06 11:58 . 2009-07-06 11:58 16384 c:\windows\temp\Perflib_Perfdata_7c8.dat
+ 2008-11-07 07:31 . 2009-07-06 11:58 148888 c:\windows\system32\javaws.exe
+ 2008-11-07 07:31 . 2009-07-06 11:58 144792 c:\windows\system32\javaw.exe
+ 2008-11-07 07:31 . 2009-07-06 11:58 144792 c:\windows\system32\java.exe
+ 2009-07-06 11:58 . 2009-07-06 11:58 536576 c:\windows\Installer\298879.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-07-27 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-01 1124352]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-04-30 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WUSB54Gv4"="c:\program files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 24576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-07-13 14679552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-5-4 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 01:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/31/2008 12:06 AM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 9:49 AM 298776]
R3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [5/4/2008 12:09 AM 79616]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S2 gupdate1c9f7fee7e7c5d0;Google Update Service (gupdate1c9f7fee7e7c5d0);c:\program files\Google\Update\GoogleUpdate.exe [6/28/2009 10:43 PM 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys --> c:\documents and settings\Bryan\Desktop\Cabalsea\NtProcDrv.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [7/1/2009 10:55 PM 29584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPFILTERDRIVER
*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 09:57]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-28 14:43]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
FF - ProfilePath - c:\documents and settings\Bryan\Application Data\Mozilla\Firefox\Profiles\9glzo0so.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 140.127.81.86
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox 3 Beta 5\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 00:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-06 0:17
ComboFix-quarantined-files.txt 2009-07-06 16:17
ComboFix2.txt 2009-07-04 01:09
ComboFix3.txt 2009-07-03 09:41

Pre-Run: 17,609,547,776 bytes free
Post-Run: 17,671,081,984 bytes free

Old 07-06-2009, 11:18 AM   #8 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,227
OS: Windows 7 Premium x64


Re: Trojan Backdoor Generic 9

Howdy there

Good work, your log looks clear from malware.

P2P - I see you have P2P software ( Limewire/uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may have contributed to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here and here.

I would strongly recommend that you uninstall them. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Now that you appear to be free from malware, let's help you stay that way!

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Windows XP Users: Click Start > Select Run and copy/paste the following bolded text below into the Run box and click OK:

Windows Vista Users: Press the Windows key and R to bring up the Run dialogue, copy and paste the text below into the Run box and click OK:

ComboFix /u

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here.

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX, it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware includes Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run free, without a licence, as scan-on-demand scanners.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes unauthorised access easy.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 07-08-2009, 04:24 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2005
Posts: 9
OS: Windows XP


Re: Trojan Backdoor Generic 9

All right Steve, thanks for your advice and help. I'll follow them wisely. Thanks again!
Old 07-08-2009, 11:44 AM   #10 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,227
OS: Windows 7 Premium x64


Re: Trojan Backdoor Generic 9

Not a problem, only too glad to lend a hand

As this issue is now resolved I will now mark this thread as solved and move it over to the solved section of the forum. Should you require any further assistance please start a new topic in the relevant section of the forums.

Good luck and happy safe surfing!
Copyright 2001 - 2009, Tech Support Forum