possible Vundo-1

[chaozzz]

I am infected with this trojan and cannot get rid of it. Any help would be appreciated.

[Clark76]

Please follow the instructions in MicroBell's 5 Step Process found here Then reply to this post with the requested log(s) and an Analyst will be along to review the log(s) as soon as possible.

[chaozzz]

This is the Panda scan report I received. This is involving cleaning the possible Vundo-1 trojan.


Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15-3.inf
Adware:adware/dyfuca Not disinfected c:\windows\STWSI
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\cupp\Application Data\Mozilla\Firefox\Profiles\87b966tc.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@ad.yieldmanager[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@ads.addynamix[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@azjmp[1].txt
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@bilbo.counted[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@bs.serving-sys[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@ccbill[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@counter3.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@counter9.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@fastclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@serving-sys[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@sexlist[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@sextracker[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@toplist[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@trafficmp[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@tribalfusion[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@webpower[2].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\cupp\Cookies\chaozzz@xxxcounter[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@2o7[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@ads.pointroll[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@atdmt[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@bluestreak[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@casalemedia[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@cgi-bin[4].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@citi.bridgetrack[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@server.iad.liveperson[2].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@sexlist[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@toplist[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\cupp\Local Settings\Temp\Cookies\chaozzz@tribalfusion[1].txt
Potentially unwanted tool:Application/JohnTheRipper.A Not disinfected C:\Downloads\john-1.6.tar.gz[C:\Downloads\john-1.6.tar][john-1.6/src/john.com]
Virus:Generic Malware Disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Hacktool:Hacktool/Hammer Not disinfected C:\Program Files\Robster Productions\Halflife Logo Creator\HLC.exe This is the deckard scan report created after I ran panda scan:

Deckard's System Scanner v20070711.54
Run by chaozzz on 2007-07-20 at 18:30:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-07-20 23:30:15 UTC - RP1 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as chaozzz.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:04 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\cupp\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\chaozzz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {980174C0-9979-E8AF-2E92-B59E8C470791} - C:\WINDOWS\system32\eitt.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ACD mPower Tools] C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [M04nRiJEO] lfcbce.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...d/install.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh.com/download_helper/Nyoko.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098748038425
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.microgaming.com/sunvegas/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.games.myway.com/online...ploader_v6.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://grandbay.microgaming.com/grandbay/FlashAX2.cab
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 11493 bytes

-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,71
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,23
.inf - inffile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-151
.ini - inifile - DefaultIcon - C:\WINDOWS\system32\shell32.dll,69
.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - C:\Program Files\Stardock\Object Desktop\IconPackager\Themes\Darkness%20Icons\Darkness Icons.icl,30
.vbs - VBSFile - DefaultIcon - C:\WINDOWS\System32\WScript.exe,2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R1 SSHDRV85 - c:\windows\system32\drivers\sshdrv85.sys <Not Verified; ; ProtectCD>
R1 tmtdi (Trend Micro TDI Driver) - c:\windows\system32\drivers\tmtdi.sys <Not Verified; Trend Micro Inc.; Trend Micro Network Security Component 1.0>
R2 CdaD10BA - c:\windows\system32\drivers\cdad10ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
R2 tm_cfw (Common Firewall Driver) - c:\windows\system32\drivers\tm_cfw.sys <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R3 pdiddcci (DDC/CI monitor) - c:\windows\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>

S0 FGDSCSI - c:\windows\system32\drivers\fgdscsi.sys (file missing)
S0 fgdxbus - c:\windows\system32\drivers\fgdxbus.sys (file missing)
S2 Vcs (Vcs support) - c:\windows\system32\drivers\vcs.sys
S3 fsRamDsk (RamDisk Drive Service) - c:\windows\system32\drivers\fsramdsk.sys <Not Verified; FarStone; FarStone RamDisk>
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys (file missing)
S3 pfsvgae - c:\docume~1\ryan\locals~1\temp\pfsvgae.sys (file missing)
S3 SDDMI2 - c:\windows\system32\ddmi2.sys <Not Verified; Gteko Ltd.; DDMI>
S3 UintelC5 - c:\docume~1\cupp\locals~1\temp\uintelc5.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 DTSRVC (Portrait Displays Display Tune Service) - c:\program files\common files\portrait displays\shared\dtsrvc.exe
R2 fsbwsys - "c:\program files\f-secure internet security\backweb\4476822\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 PcCtlCom (Trend Micro Central Control Component) - c:\progra~1\trendm~1\intern~1\pcctlcom.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 Tmntsrv (Trend Micro Real-time Service) - c:\progra~1\trendm~1\intern~1\tmntsrv.exe <Not Verified; Trend Micro Incorporated.; Trend Micro Internet Security>
R2 TmPfw (Trend Micro Personal Firewall) - c:\progra~1\trendm~1\intern~1\tmpfw.exe <Not Verified; Trend Micro Inc.; Trend Network Security Component 1.0>
R2 tmproxy (Trend Micro Proxy Service) - c:\progra~1\trendm~1\intern~1\tmproxy.exe <Not Verified; Trend Micro Inc.; Trend Micro Network Security Components 1.0>

S2 BackWeb Plug-in - 4476822 (F-Secure Anti-Virus 2006) - c:\progra~1\f-secu~1\backweb\4476822\program\servic~1.exe <Not Verified; F-Secure Internet Security 2005; RunnerEXE Application>
S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2004\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>


-- Scheduled Tasks -------------------------------------------------------------

2007-07-20 17:15:00 414 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2007-07-20 15:41:00 304 --a------ C:\WINDOWS\Tasks\WebReg Deskjet F300 series.job
2007-07-20 02:07:58 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-19 04:53:30 410 --a------ C:\WINDOWS\Tasks\Pareto UNS.job


-- Files created between 2007-06-20 and 2007-07-20 -----------------------------

2007-07-20 16:02:38 8576 --a------ C:\WINDOWS\system32\drivers\tdaybpurbutr.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-07-20 15:47:17 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-20 15:47:14 0 d-------- C:\WINDOWS\LastGood
2007-07-19 17:37:50 0 d-------- C:\MicroGaming
2007-07-19 04:53:25 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2007-07-18 23:05:16 0 d-------- C:\Program Files\Common Files\Java
2007-07-18 22:27:02 0 d-------- C:\VundoFix Backups
2007-07-18 21:42:25 0 d-------- C:\Documents and Settings\cupp\Application Data\WholeSecurity
2007-07-18 21:16:19 6405 ---hs---- C:\WINDOWS\system32\dccdd.bak1
2007-07-11 00:23:54 7864320 --a------ C:\Documents and Settings\cupp\ntuser.dat
2007-07-07 17:46:53 0 d-------- C:\Program Files\Ubisoft
2007-07-07 17:46:45 1 --a------ C:\WINDOWS\system32\SI.bin
2007-07-01 14:57:36 0 d-------- C:\Documents and Settings\cupp\Application Data\DisplayTune
2007-07-01 14:57:07 11776 --a------ C:\WINDOWS\system32\drivers\pdiddcci.sys <Not Verified; Portrait Displays, Inc.; Portrait Displays DDC/CI Monitor Device Driver>
2007-07-01 14:56:05 372736 --a------ C:\WINDOWS\ijl15.dll <Not Verified; Intel Corporation; Intel® JPEG Library>
2007-07-01 14:56:02 0 d-------- C:\Program Files\Common Files\Portrait Displays
2007-07-01 14:56:01 0 d-------- C:\Program Files\Portrait Displays
2007-07-01 08:25:42 0 d-------- C:\Documents and Settings\All Users\Application Data\WildTangent
2007-07-01 08:23:53 0 d-------- C:\Program Files\WildGames
2007-06-28 17:53:36 0 d-------- C:\Program Files\Prism Casino
2007-06-24 05:05:33 0 d-------- C:\Program Files\My Way Games
2007-06-22 18:39:02 0 d-------- C:\Program Files\Club Player Casino
2007-06-22 18:33:04 0 d-------- C:\Program Files\Cirrus Casino


-- Find3M Report ---------------------------------------------------------------

2007-07-20 18:33:54 0 d-------- C:\Program Files\Trend Micro
2007-07-20 17:44:50 0 d-------- C:\Program Files\Windows Defender
2007-07-18 23:05:54 0 d-------- C:\Program Files\Java
2007-07-13 17:51:53 0 d-------- C:\Program Files\HP
2007-07-13 17:51:37 0 d-------- C:\Program Files\Hewlett-Packard
2007-07-07 17:46:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-07 10:44:40 0 d-------- C:\Program Files\Valve
2007-07-05 20:54:57 0 d-------- C:\Program Files\UltimateBet
2007-07-01 08:25:25 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-06-27 15:24:35 0 d-------- C:\Program Files\HotPepperCasino
2007-06-24 13:18:22 0 d-------- C:\Program Files\PopCap Games
2007-06-24 11:55:38 31 --a------ C:\WINDOWS\popcinfo.dat
2007-06-20 17:55:13 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 17:55:13 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2007-06-20 17:55:12 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2007-06-19 12:57:04 0 d-------- C:\Program Files\LimeWire
2007-06-13 17:32:53 61678 --a------ C:\Documents and Settings\cupp\Application Data\PFP120JPR.{PB
2007-06-13 17:32:53 12358 --a------ C:\Documents and Settings\cupp\Application Data\PFP120JCM.{PB
2007-06-13 17:32:50 0 d-------- C:\Documents and Settings\cupp\Application Data\Corel
2007-06-06 18:23:14 0 d-------- C:\Program Files\Common Files\CasinoVegasShared
2007-06-04 16:53:05 202240 --a------ C:\WINDOWS\system32\Rush Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
2007-06-01 16:45:22 0 d-------- C:\Program Files\AMX Mod X
2007-05-31 20:50:23 0 d-------- C:\Documents and Settings\cupp\Application Data\Microgaming


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~2\\mimboot.exe"
"ACD mPower Tools"="C:\\Program Files\\ACD Systems\\mPower Tools\\1.0\\mPowerTools.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"WD Button Manager"="WDBtnMgr.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe\""
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DT HPW"="C:\\Program Files\\Portrait Displays\\HP My Display\\DTHtml.exe -startup_folder"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"M04nRiJEO"="lfcbce.exe"
"Road Runner PhotoShow Media Manager"="C:\\PROGRA~1\\ROADRU~1\\ROADRU~1\\data\\Xtras\\mssysmgr.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^News 10 NewsCentral.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\News 10 NewsCentral.lnk"
"backup"="C:\\WINDOWS\\pss\\News 10 NewsCentral.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\NEWS10~1\\TRUEWE~1.EXE -d 10,000"
"item"="News 10 NewsCentral"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cupp^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\cupp\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]
"path"="C:\\Documents and Settings\\Ryan\\Start Menu\\Programs\\Startup\\MX240a.lnk"
"backup"="C:\\WINDOWS\\pss\\MX240a.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MX240a\\MX240A~1.EXE "
"item"="MX240a"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CursorXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\CursorXP\\CursorXP.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="logonstudio"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="steam"
"hkey"="HKCU"
"command"="\"c:\\valve\\steam\\steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SysMetrix"
"hkey"="HKLM"
"command"="C:\\Program Files\\SysMetrix\\SysMetrix.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{997ea71a-26d1-11d9-9639-806d6172696f}]
Shell\AutoRun\command E:\AutoRun.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_RKPAVPROC
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SDTHOOK
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_TDAYBPURBUTR


-- Hosts -----------------------------------------------------------------------

200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com
200.124.131.116 casinocontroller.com


-- End of Deckard's System Scanner: finished at 2007-07-20 at 18:34:55 ---------

Thanks!!

[chaozzz]

Sorry forgot to send the extra file from deckard scan. Here it is:

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.60GHz
Percentage of Memory in Use: 62%
Physical Memory (total/avail): 1022 MiB / 379.53 MiB
Pagefile Memory (total/avail): 2928.39 MiB / 2444.21 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1955.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 33.71 GiB total, 5.34 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Trend Micro PC-cillin Internet Security (Firewall) v12 (Trend Micro, Inc.)
AV: Trend Micro PC-cillin Internet Security v12.4.1015 (Trend Micro, Inc.)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"="C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe:*:Enabled:F-Secure Anti-Virus 2006"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Xfire\\ua_lsp_inst.exe"="C:\\Program Files\\Xfire\\ua_lsp_inst.exe:*:Enabled:ua_lsp_inst"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP"
"C:\\Program Files\\Microsoft Games\\New Folder\\haloded.exe"="C:\\Program Files\\Microsoft Games\\New Folder\\haloded.exe:*:Disabled:Halo"
"C:\\Program Files\\Microsoft Games\\New Folder\\Ded. Server.exe"="C:\\Program Files\\Microsoft Games\\New Folder\\Ded. Server.exe:*:Disabled:Halo"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Disabled:Halo"
"C:\\Program Files\\Microsoft Games\\Halo Server\\haloded.exe"="C:\\Program Files\\Microsoft Games\\Halo Server\\haloded.exe:*:Disabled:Halo"
"C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"="C:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe:*:Disabled:Halo"
"C:\\Documents and Settings\\cupp\\My Documents\\My Skype Received Files\\haloded.exe"="C:\\Documents and Settings\\cupp\\My Documents\\My Skype Received Files\\haloded.exe:*:Disabled:Halo"
"C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"="C:\\Program Files\\Teamspeak2_RC2\\server_windows.exe:*:Disabled:Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"="C:\\Program Files\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe:*:Enabled:F-Secure Anti-Virus 2006"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\cupp\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RANDY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\cupp
LOGONSERVER=\\RANDY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\PROGRAM FILES\COMMON FILES\ACD SYSTEMS\EN\;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\cupp\LOCALS~1\Temp
TMP=C:\DOCUME~1\cupp\LOCALS~1\Temp
USERDOMAIN=RANDY
USERNAME=chaozzz
USERPROFILE=C:\Documents and Settings\cupp
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

cupp (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Age of Mythology --> "C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
AMX Mod X Installer 1.76d --> C:\Program Files\AMX Mod X\uninst.exe
Audio Converter 5.5.2 --> "C:\Program Files\Audio Converter\unins000.exe"
CD to MP3 Ripper --> C:\PROGRA~1\CDTOMP~1\UNWISE.EXE C:\PROGRA~1\CDTOMP~1\INSTALL.LOG
Challenge Casino --> C:\MicroGaming\Casino\challengev2\install.exe -uninstall
Cirrus Casino --> "C:\Program Files\Cirrus Casino\Install.exe" -u
City Navigator North America v7 --> MsiExec.exe /X{8F971101-FCBD-4293-B917-D5A14FD1DAF9}
Club Player Casino --> "C:\Program Files\Club Player Casino\Install.exe" -u
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Solution Center --> MsiExec.exe /X{11F1920A-56A2-4642-B6E0-3B31A12C9288}
Dell Support --> MsiExec.exe /X{43FCA273-9534-40DB-B7C5-D7758875616A}
Dell Support 5.0.0 (766) --> rundll32 C:\PROGRA~1\DELLSU~1\AUInst.dll,ExUninstall
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
Dr Watson for Microsoft Windows OneCare Live v1.0.0971.12 --> MsiExec.exe /I{C544F99D-39EF-4E6D-95BE-4E41C1D8C4CB}
eTrust EZ Armor --> C:\Program Files\CA\eTrust EZ Armor\uninst.exe
FATE --> "C:\Program Files\WildGames\FATE\Uninstall.exe"
Game Console - WildGames --> "C:\Program Files\WildGames\Game Console\Uninstall.exe"
Garmin WebUpdater --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FD94FBC-07AE-475C-B522-BFE899B9048E}\setup.exe" -l0x9
Heroes of Might and Magic V --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28101984-0BA6-40FD-9ABE-72F62F80C06C}\setup.exe" -l0x9
HHD Software Hex Editor --> MsiExec.exe /X{D111D725-97AB-4654-B866-21700C703E86}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Imaging Device Functions 6.1 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP My Display --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15733AD1-1CEF-459A-9245-0924FC63BDD5}\setup.exe" -l0x9 -removeonly
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP PrecisionScan LTX --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll"
HP PSC & OfficeJet 6.1.A --> "C:\Program Files\HP\Digital Imaging\{E5A8DDAB-AE80-48C6-A75B-D0FAB83B299D}\setup\hpzscr01.exe" -datfile hposcr08.dat
HP Software Update --> MsiExec.exe /X{ECFDD6BD-E0C0-41CC-A171-E6D6AF4C0E93}
HP Solution Center and Imaging Support Tools 6.1 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kohan Ahriman's Gift --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5EBCE362-20B7-431D-AF05-5CDDC9065AA8}\setup.exe"
Lexmark 510 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBZUN5C.EXE -dLexmark 510 Series
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
LogonStudio --> C:\PROGRA~1\WINCUS~1\LOGONS~1\UNWISE.EXE C:\PROGRA~1\WINCUS~1\LOGONS~1\INSTALL.LOG
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
Mask of Eternity --> C:\WINDOWS\IsUninst.exe -fC:\SIERRA\Mask\Uninst.isu -c"C:\SIERRA\Mask\UNINST.DLL"
Matrix Code Emulator 1.50 --> "C:\WINDOWS\unins000.exe"
MGI Photovista 2.02(Remove only) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\Photovista\Uninst.isu"
Microsoft Baseline Security Analyzer 1.2.1 --> MsiExec.exe /I{DF15059E-A356-47B2-B14B-6380ED32AB68}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
News 10 NewsCentral --> C:\WINDOWS\wnUninstall.exe "News 10 NewsCentral"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Photo Explosion SE --> MsiExec.exe /X{5BC304B7-84B4-43B3-8A62-EB9BC2051544}
Play United --> "C:\Program Files\Casino\Install.exe" -u
Portofino Casino --> "C:\Program Files\Portofino Casino\Install.exe" -u
PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Prism Casino --> "C:\Program Files\Prism Casino\Install.exe" -u
Red Faction --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{47E6B460-04BA-4215-9F5D-3858BF920D07}\setup.exe" anything
Road Runner Medic 5.4 --> "C:\WINDOWS\unins001.exe"
Rush Screensaver --> C:\WINDOWS\system32\Rush Screensaver.scr /u
SAM3 (remove only) --> "C:\Program Files\SpacialAudio\SAMBC\uninstall.exe"
SDK --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA342C-15CB-4F52-97B6-06A9C4B9C06F}\setup.exe" -l0x9
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sierra Utilities --> C:\Program Files\Sierra On-Line\sutil32.exe uninstall
SIGamp for Winamp --> MsiExec.exe /I{16D9AD05-E1ED-4B5C-8F44-CCE339E9C046}
SmartFTP --> MsiExec.exe /I{11C762F9-95EA-486A-A8E7-683A50C231C1}
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
The 4th Coming --> C:\WINDOWS\T4CUNST.EXE C:\WINDOWS\T4CINS~1.LOG
The Sims Deluxe Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.exe" -l0009
Trend Micro PC-cillin Internet Security 2005 --> MsiExec.exe /X{7698EDA5-A90F-4205-99CB-8FF6F9048ED9}
TuneUp Utilities 2004 --> MsiExec.exe /I{2C3738C9-56FA-410A-BCB5-79C5DFD238F0}
UltimateBet --> C:\PROGRA~1\ULTIMA~1\UNWISE.EXE C:\PROGRA~1\ULTIMA~1\INSTALL.LOG
Ventrilo Server --> MsiExec.exe /I{85DD724B-15E5-4572-81BF-CF9031D83848}
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
Westwood Shared Internet Components --> C:\Westwood\Internet\UnstllAP.EXE
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- End of Deckard's System Scanner: finished at 2007-07-20 at 18:34:55 ---------

[sUBs]

1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[chaozzz]

This is the combofix log:

"chaozzz" - 2007-07-21 19:24:43 - ComboFix 07-07-22.2 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\cupp\APPLIC~1.\ymante~1
C:\DOCUME~1\cupp\Desktop\internet.lnk
C:\DOCUME~1\cupp\MYDOCU~1.\fnts~1
C:\DOCUME~1\cupp\MYDOCU~1.\scurit~1
C:\DOCUME~1\cupp\MYDOCU~1.\wnsxs~1
C:\Program Files\asks~1
C:\Program Files\Common Files\mantec~1
C:\Program Files\dobe~1
C:\WINDOWS\system32\wnscpsv.exe


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 19:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 18:29 <DIR> d-------- C:\Deckard
2007-07-20 15:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-20 15:47 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-19 17:37 <DIR> d-------- C:\MicroGaming
2007-07-19 04:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-07-18 22:27 <DIR> d-------- C:\VundoFix Backups
2007-07-18 21:42 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\WholeSecurity
2007-07-18 21:16 6,405 ---hs---- C:\WINDOWS\SYSTEM32\dccdd.bak1
2007-07-11 00:23 7,864,320 --a------ C:\DOCUME~1\cupp\ntuser.dat
2007-07-07 17:55 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-07 17:46 1 --a------ C:\WINDOWS\SYSTEM32\SI.bin
2007-07-07 17:46 <DIR> d-------- C:\Program Files\Ubisoft
2007-07-01 14:57 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pdiddcci.sys
2007-07-01 14:57 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\DisplayTune
2007-07-01 14:56 974,848 --a------ C:\WINDOWS\mfc70.dll
2007-07-01 14:56 95,744 --a------ C:\WINDOWS\atl80.dll
2007-07-01 14:56 69,632 --a------ C:\WINDOWS\mfcm80.dll
2007-07-01 14:56 626,688 --a------ C:\WINDOWS\msvcr80.dll
2007-07-01 14:56 57,344 --a------ C:\WINDOWS\mfcm80u.dll
2007-07-01 14:56 548,864 --a------ C:\WINDOWS\msvcp80.dll
2007-07-01 14:56 487,424 --a------ C:\WINDOWS\msvcp70.dll
2007-07-01 14:56 479,232 --a------ C:\WINDOWS\msvcm80.dll
2007-07-01 14:56 372,736 --a------ C:\WINDOWS\ijl15.dll
2007-07-01 14:56 344,064 --a------ C:\WINDOWS\msvcr70.dll
2007-07-01 14:56 15,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PdiPorts.sys
2007-07-01 14:56 1,392,671 --a------ C:\WINDOWS\msvbvm60.dll
2007-07-01 14:56 1,093,632 --a------ C:\WINDOWS\mfc80.dll
2007-07-01 14:56 1,079,808 --a------ C:\WINDOWS\mfc80u.dll
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Portrait Displays
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Common Files\Portrait Displays
2007-07-01 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-07-01 08:23 <DIR> d-------- C:\Program Files\WildGames
2007-06-28 17:53 <DIR> d-------- C:\Program Files\Prism Casino
2007-06-24 05:05 <DIR> d-------- C:\Program Files\My Way Games
2007-06-22 18:39 <DIR> d-------- C:\Program Files\Club Player Casino
2007-06-22 18:33 <DIR> d-------- C:\Program Files\Cirrus Casino


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 23:33:54 -------- d-----w C:\Program Files\Trend Micro
2007-07-20 22:44:50 -------- d-----w C:\Program Files\Windows Defender
2007-07-13 22:51:53 -------- d-----w C:\Program Files\HP
2007-07-13 22:51:37 -------- d-----w C:\Program Files\Hewlett-Packard
2007-07-07 22:46:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 15:44:40 -------- d-----w C:\Program Files\Valve
2007-07-06 01:54:57 -------- d-----w C:\Program Files\UltimateBet
2007-07-01 13:25:25 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-27 20:24:35 -------- d-----w C:\Program Files\HotPepperCasino
2007-06-24 18:18:22 -------- d-----w C:\Program Files\PopCap Games
2007-06-24 16:55:38 31 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-20 22:55:13 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 22:55:13 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-20 22:55:12 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-19 17:57:04 -------- d-----w C:\Program Files\LimeWire
2007-06-13 22:32:50 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Corel
2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-06-06 23:23:14 -------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-06-04 21:53:05 202,240 ----a-w C:\WINDOWS\system32\Rush Screensaver.scr
2007-06-01 21:45:22 -------- d-----w C:\Program Files\AMX Mod X
2007-06-01 01:50:23 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Microgaming
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-23 11:49:18 88 ----a-w C:\Program Files\INSTALL.LOG
2005-04-29 17:45:03 120 ----a-w C:\DOCUME~1\cupp\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 07:25]
"ACD mPower Tools"="C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe" []
"nwiz"="nwiz.exe" [2005-02-24 08:32 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-02-18 18:40 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" [2005-11-25 20:51]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-13 15:49]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-01-16 17:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M04nRiJEO"="lfcbce.exe" []
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 20:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\cupp\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
DESKTOP.INI [2002-09-03 09:00:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^News 10 NewsCentral.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\News 10 NewsCentral.lnk
backup=C:\WINDOWS\pss\News 10 NewsCentral.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cupp^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\cupp\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\MX240a.lnk
backup=C:\WINDOWS\pss\MX240a.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

cdad10ba - \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS - CdaD10BA
drvmcdb - system32\drivers\drvmcdb.sys
drvnddm - system32\drivers\drvnddm.sys
fax - %systemroot%\system32\fxssvc.exe - Fax
fgdscsi - system32\DRIVERS\fgdscsi.sys
fgdxbus - system32\DRIVERS\fgdxbus.sys
p3 - System32\DRIVERS\p3.sys - Intel PentiumIII Processor Driver
sscdbhk5 - system32\drivers\sscdbhk5.sys
sshdrv85 - \??\C:\WINDOWS\system32\drivers\SSHDRV85.sys - SSHDRV85
ssrtln - system32\drivers\ssrtln.sys
tfsnboio - system32\dla\tfsnboio.sys
tfsncofs - system32\dla\tfsncofs.sys
tfsndrct - system32\dla\tfsndrct.sys
tfsndres - system32\dla\tfsndres.sys
tfsnifs - system32\dla\tfsnifs.sys
tfsnopio - system32\dla\tfsnopio.sys
tfsnpool - system32\dla\tfsnpool.sys
tfsnudf - system32\dla\tfsnudf.sys
tfsnudfa - system32\dla\tfsnudfa.sys
tmfilter - system32\drivers\TmXPFlt.sys - Tmfilter
tmpreflt - system32\drivers\Tmpreflt.sys - Tmpreflt
tmtdi - \SystemRoot\System32\Drivers\tmtdi.sys - Trend Micro TDI Driver
tm_cfw - \SystemRoot\System32\Drivers\tm_cfw.sys - Common Firewall Driver
vcs - \??\C:\WINDOWS\system32\Drivers\Vcs.sys - Vcs support
vsapint - system32\drivers\Vsapint.sys - Vsapint

*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK
*Newly Created Service* - TDAYBPURBUTR

Contents of the 'Scheduled Tasks' folder
2007-07-20 22:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-21 07:07:35 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-19 09:53:30 C:\WINDOWS\tasks\Pareto UNS.job
2007-07-21 20:41:00 C:\WINDOWS\tasks\WebReg Deskjet F300 series.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 19:29:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 19:30:49
C:\ComboFix-quarantined-files.txt ... 2007-07-21 19:30

--- E O F ---
This is the new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:30 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {980174C0-9979-E8AF-2E92-B59E8C470791} - C:\WINDOWS\system32\eitt.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ACD mPower Tools] C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [M04nRiJEO] lfcbce.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...d/install.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh.com/download_helper/Nyoko.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098748038425
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.microgaming.com/sunvegas/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.games.myway.com/online...ploader_v6.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://grandbay.microgaming.com/grandbay/FlashAX2.cab
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 10893 bytes

Thanks for the help!

[sUBs]

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {980174C0-9979-E8AF-2E92-B59E8C470791} - C:\WINDOWS\system32\eitt.dll (file missing)
O4 - HKCU\..\Run: [M04nRiJEO] lfcbce.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...d/install.html


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\SYSTEM32\dccdd.bak1
C:\WINDOWS\pss\MX240a.lnkStartup
Folder::
C:\VundoFix Backups
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M04nRiJEO"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]

Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe


---------------


Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. We only require a report from it.
  It does not provide an option to clean/disinfect.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan
* If you're downloading torrents in the background, please disconnect all of them.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


---------------


In your next post, please include fresh logs from:

1. Fresh Hijackthis log taken just before replying
2. Online scan
3. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[chaozzz]

Okay, ran all the processes with no problem. Even though Kaspersky still says I have 2 viruses I am not getting the Vundo warning anymore and the computer seems to be running pretty good. I have enclosed the 3 logs taken after the processes were complete. Thanks!!

KASPERSKY ONLINE SCANNER REPORT
Saturday, July 21, 2007 11:35:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/07/2007
Kaspersky Anti-Virus database records: 366282
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116051
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 02:35:43

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22cd849a65bb2d810877cb86292b1563_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f9794e571dac5744883aa093d90f82a_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-07212007-194426.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edbtmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\cupp\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\History\History.IE5\MSHist012007072120070722\index.dat Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Temp\JETEC25.tmp Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Temp\~DF9C69.tmp Object is locked skipped
C:\Documents and Settings\cupp\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cupp\ntuser.dat Object is locked skipped
C:\Documents and Settings\cupp\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\radmin22.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Downloads\radmin22.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Downloads\radmin22.exe/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Downloads\radmin22.exe Gentee: infected - 3 skipped
C:\Program Files\F-Secure Internet Security\backweb\4476822\Users\Default\Data\fsbwupst.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:56 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ACD mPower Tools] C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh.com/download_helper/Nyoko.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098748038425
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.microgaming.com/sunvegas/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.games.myway.com/online...ploader_v6.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://grandbay.microgaming.com/grandbay/FlashAX2.cab
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 10204 bytes

"chaozzz" - 2007-07-21 23:59:41 - ComboFix 07-07-22.2 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-21 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-21 19:45 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-21 19:45 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-21 19:42 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-21 19:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 18:29 <DIR> d-------- C:\Deckard
2007-07-20 15:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-19 17:37 <DIR> d-------- C:\MicroGaming
2007-07-19 04:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-07-18 22:27 <DIR> d-------- C:\VundoFix Backups
2007-07-18 21:42 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\WholeSecurity
2007-07-18 21:16 6,405 ---hs---- C:\WINDOWS\SYSTEM32\dccdd.bak1
2007-07-11 00:23 7,864,320 --a------ C:\DOCUME~1\cupp\ntuser.dat
2007-07-07 17:55 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-07 17:46 1 --a------ C:\WINDOWS\SYSTEM32\SI.bin
2007-07-07 17:46 <DIR> d-------- C:\Program Files\Ubisoft
2007-07-01 14:57 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pdiddcci.sys
2007-07-01 14:57 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\DisplayTune
2007-07-01 14:56 974,848 --a------ C:\WINDOWS\mfc70.dll
2007-07-01 14:56 95,744 --a------ C:\WINDOWS\atl80.dll
2007-07-01 14:56 69,632 --a------ C:\WINDOWS\mfcm80.dll
2007-07-01 14:56 626,688 --a------ C:\WINDOWS\msvcr80.dll
2007-07-01 14:56 57,344 --a------ C:\WINDOWS\mfcm80u.dll
2007-07-01 14:56 548,864 --a------ C:\WINDOWS\msvcp80.dll
2007-07-01 14:56 487,424 --a------ C:\WINDOWS\msvcp70.dll
2007-07-01 14:56 479,232 --a------ C:\WINDOWS\msvcm80.dll
2007-07-01 14:56 372,736 --a------ C:\WINDOWS\ijl15.dll
2007-07-01 14:56 344,064 --a------ C:\WINDOWS\msvcr70.dll
2007-07-01 14:56 15,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PdiPorts.sys
2007-07-01 14:56 1,392,671 --a------ C:\WINDOWS\msvbvm60.dll
2007-07-01 14:56 1,093,632 --a------ C:\WINDOWS\mfc80.dll
2007-07-01 14:56 1,079,808 --a------ C:\WINDOWS\mfc80u.dll
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Portrait Displays
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Common Files\Portrait Displays
2007-07-01 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-07-01 08:23 <DIR> d-------- C:\Program Files\WildGames
2007-06-28 17:53 <DIR> d-------- C:\Program Files\Prism Casino
2007-06-24 05:05 <DIR> d-------- C:\Program Files\My Way Games
2007-06-22 18:39 <DIR> d-------- C:\Program Files\Club Player Casino
2007-06-22 18:33 <DIR> d-------- C:\Program Files\Cirrus Casino


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 23:33:54 -------- d-----w C:\Program Files\Trend Micro
2007-07-20 22:44:50 -------- d-----w C:\Program Files\Windows Defender
2007-07-13 22:51:53 -------- d-----w C:\Program Files\HP
2007-07-13 22:51:37 -------- d-----w C:\Program Files\Hewlett-Packard
2007-07-07 22:46:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 15:44:40 -------- d-----w C:\Program Files\Valve
2007-07-06 01:54:57 -------- d-----w C:\Program Files\UltimateBet
2007-07-01 13:25:25 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-27 20:24:35 -------- d-----w C:\Program Files\HotPepperCasino
2007-06-24 18:18:22 -------- d-----w C:\Program Files\PopCap Games
2007-06-24 16:55:38 31 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-20 22:55:13 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 22:55:13 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-20 22:55:12 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-19 17:57:04 -------- d-----w C:\Program Files\LimeWire
2007-06-13 22:32:50 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Corel
2007-06-06 23:23:14 -------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-06-04 21:53:05 202,240 ----a-w C:\WINDOWS\system32\Rush Screensaver.scr
2007-06-01 21:45:22 -------- d-----w C:\Program Files\AMX Mod X
2007-06-01 01:50:23 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Microgaming
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-23 11:49:18 88 ----a-w C:\Program Files\INSTALL.LOG
2005-04-29 17:45:03 120 ----a-w C:\DOCUME~1\cupp\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 07:25]
"ACD mPower Tools"="C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe" []
"nwiz"="nwiz.exe" [2005-02-24 08:32 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-02-18 18:40 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-13 15:49]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-01-16 17:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-06-11 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 20:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\cupp\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
DESKTOP.INI [2002-09-03 09:00:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^News 10 NewsCentral.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\News 10 NewsCentral.lnk
backup=C:\WINDOWS\pss\News 10 NewsCentral.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cupp^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\cupp\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\MX240a.lnk
backup=C:\WINDOWS\pss\MX240a.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

cdad10ba - \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS - CdaD10BA
drvmcdb - system32\drivers\drvmcdb.sys
drvnddm - system32\drivers\drvnddm.sys
fax - %systemroot%\system32\fxssvc.exe - Fax
fgdscsi - system32\DRIVERS\fgdscsi.sys
fgdxbus - system32\DRIVERS\fgdxbus.sys
msfwdrv - system32\DRIVERS\msfwdrv.sys - MSFWDrv
msfwhlpr - system32\DRIVERS\msfwhlpr.sys - MSFWHLPR
msfwsvc - OneCare Firewall - "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
onecaremp - "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe" - OneCare AntiSpyware and AntiVirus
p3 - System32\DRIVERS\p3.sys - Intel PentiumIII Processor Driver
sscdbhk5 - system32\drivers\sscdbhk5.sys
sshdrv85 - \??\C:\WINDOWS\system32\drivers\SSHDRV85.sys - SSHDRV85
ssrtln - system32\drivers\ssrtln.sys
tfsnboio - system32\dla\tfsnboio.sys
tfsncofs - system32\dla\tfsncofs.sys
tfsndrct - system32\dla\tfsndrct.sys
tfsndres - system32\dla\tfsndres.sys
tfsnifs - system32\dla\tfsnifs.sys
tfsnopio - system32\dla\tfsnopio.sys
tfsnpool - system32\dla\tfsnpool.sys
tfsnudf - system32\dla\tfsnudf.sys
tfsnudfa - system32\dla\tfsnudfa.sys
tm_cfw - \SystemRoot\System32\Drivers\tm_cfw.sys - Common Firewall Driver
vcs - \??\C:\WINDOWS\system32\Drivers\Vcs.sys - Vcs support


Contents of the 'Scheduled Tasks' folder
2007-07-20 22:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-19 09:53:30 C:\WINDOWS\tasks\Pareto UNS.job
2007-07-21 20:41:00 C:\WINDOWS\tasks\WebReg Deskjet F300 series.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 00:13:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 0:23:14
C:\ComboFix-quarantined-files.txt ... 2007-07-22 00:22
C:\ComboFix2.txt ... 2007-07-21 20:57
C:\ComboFix3.txt ... 2007-07-21 19:30

--- E O F ---

[sUBs]

You ran CFScript incorrectly. Please do it once more

[chaozzz]

I tried it again. How does this look??

"chaozzz" - 2007-07-22 6:36:29 - ComboFix 07-07-22.2 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-21 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-21 19:45 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-21 19:45 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-21 19:42 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-21 19:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 18:29 <DIR> d-------- C:\Deckard
2007-07-20 15:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-19 17:37 <DIR> d-------- C:\MicroGaming
2007-07-19 04:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-07-18 22:27 <DIR> d-------- C:\VundoFix Backups
2007-07-18 21:42 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\WholeSecurity
2007-07-18 21:16 6,405 ---hs---- C:\WINDOWS\SYSTEM32\dccdd.bak1
2007-07-11 00:23 7,864,320 --a------ C:\DOCUME~1\cupp\ntuser.dat
2007-07-07 17:55 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-07 17:46 1 --a------ C:\WINDOWS\SYSTEM32\SI.bin
2007-07-07 17:46 <DIR> d-------- C:\Program Files\Ubisoft
2007-07-01 14:57 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pdiddcci.sys
2007-07-01 14:57 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\DisplayTune
2007-07-01 14:56 974,848 --a------ C:\WINDOWS\mfc70.dll
2007-07-01 14:56 95,744 --a------ C:\WINDOWS\atl80.dll
2007-07-01 14:56 69,632 --a------ C:\WINDOWS\mfcm80.dll
2007-07-01 14:56 626,688 --a------ C:\WINDOWS\msvcr80.dll
2007-07-01 14:56 57,344 --a------ C:\WINDOWS\mfcm80u.dll
2007-07-01 14:56 548,864 --a------ C:\WINDOWS\msvcp80.dll
2007-07-01 14:56 487,424 --a------ C:\WINDOWS\msvcp70.dll
2007-07-01 14:56 479,232 --a------ C:\WINDOWS\msvcm80.dll
2007-07-01 14:56 372,736 --a------ C:\WINDOWS\ijl15.dll
2007-07-01 14:56 344,064 --a------ C:\WINDOWS\msvcr70.dll
2007-07-01 14:56 15,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PdiPorts.sys
2007-07-01 14:56 1,392,671 --a------ C:\WINDOWS\msvbvm60.dll
2007-07-01 14:56 1,093,632 --a------ C:\WINDOWS\mfc80.dll
2007-07-01 14:56 1,079,808 --a------ C:\WINDOWS\mfc80u.dll
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Portrait Displays
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Common Files\Portrait Displays
2007-07-01 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-07-01 08:23 <DIR> d-------- C:\Program Files\WildGames
2007-06-28 17:53 <DIR> d-------- C:\Program Files\Prism Casino
2007-06-24 05:05 <DIR> d-------- C:\Program Files\My Way Games
2007-06-22 18:39 <DIR> d-------- C:\Program Files\Club Player Casino
2007-06-22 18:33 <DIR> d-------- C:\Program Files\Cirrus Casino


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 23:33:54 -------- d-----w C:\Program Files\Trend Micro
2007-07-20 22:44:50 -------- d-----w C:\Program Files\Windows Defender
2007-07-13 22:51:53 -------- d-----w C:\Program Files\HP
2007-07-13 22:51:37 -------- d-----w C:\Program Files\Hewlett-Packard
2007-07-07 22:46:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 15:44:40 -------- d-----w C:\Program Files\Valve
2007-07-06 01:54:57 -------- d-----w C:\Program Files\UltimateBet
2007-07-01 13:25:25 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-27 20:24:35 -------- d-----w C:\Program Files\HotPepperCasino
2007-06-24 18:18:22 -------- d-----w C:\Program Files\PopCap Games
2007-06-24 16:55:38 31 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-20 22:55:13 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 22:55:13 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-20 22:55:12 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-19 17:57:04 -------- d-----w C:\Program Files\LimeWire
2007-06-13 22:32:50 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Corel
2007-06-06 23:23:14 -------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-06-04 21:53:05 202,240 ----a-w C:\WINDOWS\system32\Rush Screensaver.scr
2007-06-01 21:45:22 -------- d-----w C:\Program Files\AMX Mod X
2007-06-01 01:50:23 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Microgaming
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-23 11:49:18 88 ----a-w C:\Program Files\INSTALL.LOG
2005-04-29 17:45:03 120 ----a-w C:\DOCUME~1\cupp\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 07:25]
"ACD mPower Tools"="C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe" []
"nwiz"="nwiz.exe" [2005-02-24 08:32 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-02-18 18:40 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-13 15:49]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-01-16 17:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-06-11 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 20:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\cupp\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
DESKTOP.INI [2002-09-03 09:00:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^News 10 NewsCentral.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\News 10 NewsCentral.lnk
backup=C:\WINDOWS\pss\News 10 NewsCentral.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cupp^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\cupp\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\MX240a.lnk
backup=C:\WINDOWS\pss\MX240a.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

cdad10ba - \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS - CdaD10BA
drvmcdb - system32\drivers\drvmcdb.sys
drvnddm - system32\drivers\drvnddm.sys
fax - %systemroot%\system32\fxssvc.exe - Fax
fgdscsi - system32\DRIVERS\fgdscsi.sys
fgdxbus - system32\DRIVERS\fgdxbus.sys
msfwdrv - system32\DRIVERS\msfwdrv.sys - MSFWDrv
msfwhlpr - system32\DRIVERS\msfwhlpr.sys - MSFWHLPR
msfwsvc - OneCare Firewall - "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
onecaremp - "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe" - OneCare AntiSpyware and AntiVirus
p3 - System32\DRIVERS\p3.sys - Intel PentiumIII Processor Driver
sscdbhk5 - system32\drivers\sscdbhk5.sys
sshdrv85 - \??\C:\WINDOWS\system32\drivers\SSHDRV85.sys - SSHDRV85
ssrtln - system32\drivers\ssrtln.sys
tfsnboio - system32\dla\tfsnboio.sys
tfsncofs - system32\dla\tfsncofs.sys
tfsndrct - system32\dla\tfsndrct.sys
tfsndres - system32\dla\tfsndres.sys
tfsnifs - system32\dla\tfsnifs.sys
tfsnopio - system32\dla\tfsnopio.sys
tfsnpool - system32\dla\tfsnpool.sys
tfsnudf - system32\dla\tfsnudf.sys
tfsnudfa - system32\dla\tfsnudfa.sys
tm_cfw - \SystemRoot\System32\Drivers\tm_cfw.sys - Common Firewall Driver
vcs - \??\C:\WINDOWS\system32\Drivers\Vcs.sys - Vcs support


Contents of the 'Scheduled Tasks' folder
2007-07-20 22:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-19 09:53:30 C:\WINDOWS\tasks\Pareto UNS.job
2007-07-21 20:41:00 C:\WINDOWS\tasks\WebReg Deskjet F300 series.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 06:39:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 6:41:02
C:\ComboFix-quarantined-files.txt ... 2007-07-22 06:40
C:\ComboFix2.txt ... 2007-07-22 00:23
C:\ComboFix3.txt ... 2007-07-21 20:57

--- E O F ---

[chaozzz]

Here is another hijack this file also.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:48 AM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O1 - Hosts: 200.124.131.116 casinocontroller.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [ACD mPower Tools] C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - http://www.playboycasino.com (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.aceshigh.com/download_helper/Nyoko.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...4/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098748038425
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...21/mcgdmgr.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://sunvegas.microgaming.com/sunvegas/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.games.myway.com/online...ploader_v6.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://grandbay.microgaming.com/grandbay/FlashAX2.cab
O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 10203 bytes

[sUBs]

It's still incorrect. If it's done correctly, ComboFix's log header would look something like this ...

Quote:

"chaozzz" - 2007-07-22 6:36:29 - ComboFix 07-07-22.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\chaozzz\Desktop\CFScript.txt

Let's backup a bit. Did you run Notepad.exe to create a text file named, CFScript.txt?

Did you drag CFScript.txt into ComboFix.exe?

[chaozzz]

yes, I then drag and drop this text into combo.exe. When I do it dissapears from my screen( i assume it has gone into combofix) and the program runs.

[sUBs]

Humour me once more & please repeat it.

[chaozzz]

I think it worked this time.

"chaozzz" - 2007-07-22 7:27:08 - ComboFix 07-07-22.2 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\cupp\Desktop\CFScipt.txt


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-21 20:15 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-21 20:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-21 19:45 81,024 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwdrv.sys
2007-07-21 19:45 105,856 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\msfwhlpr.sys
2007-07-21 19:42 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-21 19:24 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 18:29 <DIR> d-------- C:\Deckard
2007-07-20 15:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-07-19 17:37 <DIR> d-------- C:\MicroGaming
2007-07-19 04:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ParetoLogic Anti-Spyware
2007-07-18 22:27 <DIR> d-------- C:\VundoFix Backups
2007-07-18 21:42 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\WholeSecurity
2007-07-18 21:16 6,405 ---hs---- C:\WINDOWS\SYSTEM32\dccdd.bak1
2007-07-11 00:23 7,864,320 --a------ C:\DOCUME~1\cupp\ntuser.dat
2007-07-07 17:55 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2007-07-07 17:46 1 --a------ C:\WINDOWS\SYSTEM32\SI.bin
2007-07-07 17:46 <DIR> d-------- C:\Program Files\Ubisoft
2007-07-01 14:57 11,776 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pdiddcci.sys
2007-07-01 14:57 <DIR> d-------- C:\DOCUME~1\cupp\APPLIC~1\DisplayTune
2007-07-01 14:56 974,848 --a------ C:\WINDOWS\mfc70.dll
2007-07-01 14:56 95,744 --a------ C:\WINDOWS\atl80.dll
2007-07-01 14:56 69,632 --a------ C:\WINDOWS\mfcm80.dll
2007-07-01 14:56 626,688 --a------ C:\WINDOWS\msvcr80.dll
2007-07-01 14:56 57,344 --a------ C:\WINDOWS\mfcm80u.dll
2007-07-01 14:56 548,864 --a------ C:\WINDOWS\msvcp80.dll
2007-07-01 14:56 487,424 --a------ C:\WINDOWS\msvcp70.dll
2007-07-01 14:56 479,232 --a------ C:\WINDOWS\msvcm80.dll
2007-07-01 14:56 372,736 --a------ C:\WINDOWS\ijl15.dll
2007-07-01 14:56 344,064 --a------ C:\WINDOWS\msvcr70.dll
2007-07-01 14:56 15,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\PdiPorts.sys
2007-07-01 14:56 1,392,671 --a------ C:\WINDOWS\msvbvm60.dll
2007-07-01 14:56 1,093,632 --a------ C:\WINDOWS\mfc80.dll
2007-07-01 14:56 1,079,808 --a------ C:\WINDOWS\mfc80u.dll
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Portrait Displays
2007-07-01 14:56 <DIR> d-------- C:\Program Files\Common Files\Portrait Displays
2007-07-01 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-07-01 08:23 <DIR> d-------- C:\Program Files\WildGames
2007-06-28 17:53 <DIR> d-------- C:\Program Files\Prism Casino
2007-06-24 05:05 <DIR> d-------- C:\Program Files\My Way Games
2007-06-22 18:39 <DIR> d-------- C:\Program Files\Club Player Casino
2007-06-22 18:33 <DIR> d-------- C:\Program Files\Cirrus Casino


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 23:33:54 -------- d-----w C:\Program Files\Trend Micro
2007-07-20 22:44:50 -------- d-----w C:\Program Files\Windows Defender
2007-07-13 22:51:53 -------- d-----w C:\Program Files\HP
2007-07-13 22:51:37 -------- d-----w C:\Program Files\Hewlett-Packard
2007-07-07 22:46:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 15:44:40 -------- d-----w C:\Program Files\Valve
2007-07-06 01:54:57 -------- d-----w C:\Program Files\UltimateBet
2007-07-01 13:25:25 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-06-27 20:24:35 -------- d-----w C:\Program Files\HotPepperCasino
2007-06-24 18:18:22 -------- d-----w C:\Program Files\PopCap Games
2007-06-24 16:55:38 31 ----a-w C:\WINDOWS\popcinfo.dat
2007-06-20 22:55:13 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-06-20 22:55:13 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-06-20 22:55:12 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-06-19 17:57:04 -------- d-----w C:\Program Files\LimeWire
2007-06-13 22:32:50 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Corel
2007-06-06 23:23:14 -------- d-----w C:\Program Files\Common Files\CasinoVegasShared
2007-06-04 21:53:05 202,240 ----a-w C:\WINDOWS\system32\Rush Screensaver.scr
2007-06-01 21:45:22 -------- d-----w C:\Program Files\AMX Mod X
2007-06-01 01:50:23 -------- d-----w C:\DOCUME~1\cupp\APPLIC~1\Microgaming
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-01-23 11:49:18 88 ----a-w C:\Program Files\INSTALL.LOG
2005-04-29 17:45:03 120 ----a-w C:\DOCUME~1\cupp\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe" [2005-03-12 07:25]
"ACD mPower Tools"="C:\Program Files\ACD Systems\mPower Tools\1.0\mPowerTools.exe" []
"nwiz"="nwiz.exe" [2005-02-24 08:32 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WD Button Manager"="WDBtnMgr.exe" [2006-02-18 18:40 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2004-01-30 08:44]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-13 15:49]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-01-16 17:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-06-11 12:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Road Runner PhotoShow Media Manager"="C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe" [2006-01-06 20:56]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-01-19 13:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\cupp\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50]
DESKTOP.INI [2002-09-03 09:00:00]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^News 10 NewsCentral.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\News 10 NewsCentral.lnk
backup=C:\WINDOWS\pss\News 10 NewsCentral.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^cupp^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\cupp\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ryan^Start Menu^Programs^Startup^MX240a.lnk]
path=C:\Documents and Settings\Ryan\Start Menu\Programs\Startup\MX240a.lnk
backup=C:\WINDOWS\pss\MX240a.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CursorXP]
C:\Program Files\CursorXP\CursorXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
"C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"c:\valve\steam\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
C:\Program Files\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

cdad10ba - \??\C:\WINDOWS\system32\drivers\CdaD10BA.SYS - CdaD10BA
drvmcdb - system32\drivers\drvmcdb.sys
drvnddm - system32\drivers\drvnddm.sys
fax - %systemroot%\system32\fxssvc.exe - Fax
fgdscsi - system32\DRIVERS\fgdscsi.sys
fgdxbus - system32\DRIVERS\fgdxbus.sys
msfwdrv - system32\DRIVERS\msfwdrv.sys - MSFWDrv
msfwhlpr - system32\DRIVERS\msfwhlpr.sys - MSFWHLPR
msfwsvc - OneCare Firewall - "C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
onecaremp - "C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe" - OneCare AntiSpyware and AntiVirus
p3 - System32\DRIVERS\p3.sys - Intel PentiumIII Processor Driver
sscdbhk5 - system32\drivers\sscdbhk5.sys
sshdrv85 - \??\C:\WINDOWS\system32\drivers\SSHDRV85.sys - SSHDRV85
ssrtln - system32\drivers\ssrtln.sys
tfsnboio - system32\dla\tfsnboio.sys
tfsncofs - system32\dla\tfsncofs.sys
tfsndrct - system32\dla\tfsndrct.sys
tfsndres - system32\dla\tfsndres.sys
tfsnifs - system32\dla\tfsnifs.sys
tfsnopio - system32\dla\tfsnopio.sys
tfsnpool - system32\dla\tfsnpool.sys
tfsnudf - system32\dla\tfsnudf.sys
tfsnudfa - system32\dla\tfsnudfa.sys
tm_cfw - \SystemRoot\System32\Drivers\tm_cfw.sys - Common Firewall Driver
vcs - \??\C:\WINDOWS\system32\Drivers\Vcs.sys - Vcs support


Contents of the 'Scheduled Tasks' folder
2007-07-20 22:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-19 09:53:30 C:\WINDOWS\tasks\Pareto UNS.job
2007-07-21 20:41:00 C:\WINDOWS\tasks\WebReg Deskjet F300 series.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 07:28:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 7:30:19
C:\ComboFix-quarantined-files.txt ... 2007-07-22 07:29
C:\ComboFix2.txt ... 2007-07-22 06:41
C:\ComboFix3.txt ... 2007-07-22 00:23

--- E O F ---

[sUBs]

Open notepad and copy/paste the text in the quotebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
C:\WINDOWS\SYSTEM32\dccdd.bak1
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

for %%g in (
C:\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[chaozzz]

I got a message that said "deleted successfully.

[sUBs]

Your system is clean.
Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start → Run → type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
6. Microsoft Windows Update → http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[chaozzz]

I really appreciate the patience and all the help. You guys are great. I will follow all your recommendations. Thanks again!!!!

Randy