Old 01-21-2008, 04:24 AM   #1 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Nothing has happened yet, but I want to get rid of it as fast as possible.
Not really sure what the trojan/virus/malware is doing. Sorry I can't be
any more descriptive.

Thank you for your help if possible.

Deckard's System Scanner v20071014.68
Run by Ming on 2008-01-21 0354
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-21 11:07:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 81% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Ming.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-21 03:09:45
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\DOCUME~1\Ming\LOCALS~1\Temp\ir_ext_temp_39\autorun.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ming\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\wvurqnk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {C2F2AE30-1D41-4A5B-BE34-958350B15772} - (no file)
O2 - BHO: (no name) - {FFCAA6F7-7171-4FCA-88D5-AEEC2F0BCF93} - C:\WINDOWS\system32\vtsts.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O20 - Winlogon Notify: wvurqnk - C:\WINDOWS\system32\wvurqnk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wqffvqnn.exe /service
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


--
End of file - 5163 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20071222-231210-131 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20071222-231210-214 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20071222-231210-379 O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
backup-20071222-231210-589 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20071222-231210-775 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20071222-231211-109 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
backup-20071222-231211-344 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20071222-231211-429 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20071222-231211-500 O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
backup-20071222-231211-693 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20071222-231211-831 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
backup-20071222-231211-886 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20071222-231211-994 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20071222-231212-116 O11 - Options group: [INTERNATIONAL] International*
backup-20071222-231212-625 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20071222-231212-830 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
backup-20071222-231213-226 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1194850201343
backup-20071222-231213-500 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
backup-20071222-231213-806 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
backup-20071222-231214-456 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20071222-231214-531 O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wqffvqnn.exe (file missing)
backup-20071222-231214-657 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...81/mcfscan.cab

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 tmcomm - c:\windows\system32\drivers\tmcomm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 DomainService - c:\windows\system32\wqffvqnn.exe /service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-21 01:44:39 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-21 00:59:31 446 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-01-03 09:27:09 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-21 and 2008-01-21 -----------------------------

2008-01-21 02:22:21 6559 --ahs---- C:\WINDOWS\system32\ststv.ini2
2008-01-21 02:22:11 340992 -----n--- C:\WINDOWS\system32\vtsts.dll
2008-01-21 01:57:39 0 dr-h----- C:\Documents and Settings\Ming\Recent
2008-01-21 01:39:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-21 01:39:06 0 d-------- C:\WINDOWS\LastGood
2008-01-21 01:12:51 0 d-------- C:\Documents and Settings\Ming\Application Data\True Sword
2008-01-20 14:16:04 38400 --a------ C:\WINDOWS\system32\wvurqnk.dll
2008-01-18 18:54:51 0 d-------- C:\Music
2008-01-18 18:53:45 0 d-------- C:\Documents and Settings\Ming\Application Data\iPod2PC3
2008-01-18 18:53:38 0 d-------- C:\Program Files\iPod2PC
2008-01-18 18:49:56 0 d-------- C:\Program Files\EphPod
2008-01-17 2218 0 d-------- C:\Documents and Settings\Ming\Application Data\CopyTrans
2008-01-17 22:05:55 0 d-------- C:\Program Files\WindSolutions
2008-01-08 22:20:46 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 2
2007-12-26 18:42:42 0 d-------- C:\Documents and Settings\Ming\Application Data\Media Player Classic
2007-12-26 18:29:49 0 d-------- C:\Program Files\Common Files\ReGet Shared
2007-12-26 18:29:48 0 d-------- C:\Program Files\ReGetDx
2007-12-25 17:20:42 0 d-------- C:\Program Files\QuickTime
2007-12-25 17:20:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 17:19:01 0 d-------- C:\Program Files\Apple Software Update
2007-12-25 17:19:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 16:18:55 0 d-------- C:\Documents and Settings\Ming\Application Data\skypePM
2007-12-24 16:18:55 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-24 16:15:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-12-23 22:43:48 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-12-23 22:43:46 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2007-12-23 22:43:24 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2007-12-23 15:29:38 0 d-------- C:\Program Files\SpywareBlaster
2007-12-23 15:27:23 0 d-------- C:\Program Files\Alwil Software
2007-12-22 23:50:10 0 d-------- C:\ie-spyad_zo
2007-12-21 23:29:41 2546 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 23:29:15 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-21 23:29:15 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-21 23:29:15 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-21 23:29:15 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-21 23:29:15 51200 --a------ C:\WINDOWS\system32\dumphive.exe


-- Find3M Report ---------------------------------------------------------------

2008-01-21 03:05:59 0 d-------- C:\Program Files\Yahoo!
2008-01-21 02:14:40 0 d-------- C:\Program Files\Windows Defender
2008-01-20 14:13:59 0 d-------- C:\Documents and Settings\Ming\Application Data\Adobe
2008-01-14 21:12:25 0 d-------- C:\Documents and Settings\Ming\Application Data\LimeWire
2008-01-14 07:19:59 0 d-------- C:\Documents and Settings\Ming\Application Data\Azureus
2007-12-29 00:37:29 0 d-------- C:\Program Files\Common Files
2007-12-23 15:40:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-22 23:37:08 526707 --ahs---- C:\WINDOWS\system32\orutv.ini2
2007-12-20 23:43:36 0 d-------- C:\Program Files\CCleaner
2007-12-20 1942 0 d-------- C:\Program Files\Norton Security Scan
2007-12-19 23:04:29 294 --ahs---- C:\WINDOWS\system32\tustsmxp.ini2
2007-12-15 18:38:44 923 --a------ C:\WINDOWS\mozver.dat
2007-12-15 18:38:24 0 d-------- C:\Program Files\DivX
2007-12-13 20:51:20 0 d-------- C:\Program Files\InstallShield Installation Information
2007-12-13 18:57:50 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-09 00:43:51 0 d-------- C:\Program Files\Lavasoft
2007-12-07 02:08:03 0 d-------- C:\Program Files\DAEMON Tools
2007-12-07 01:02:29 0 d-------- C:\Documents and Settings\Ming\Application Data\Winamp
2007-12-06 23:31:56 0 d-------- C:\Program Files\Temporary
2007-12-03 23:12:32 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-12-02 21:28:36 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-01 23:17:34 0 d-------- C:\Program Files\LimeWire
2007-11-26 23:19:10 0 d-------- C:\Program Files\Microsoft Works
2007-11-26 23:16:26 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-11-24 20:42:45 0 d-------- C:\Program Files\The KMPlayer
2007-11-24 16:30:10 0 d-------- C:\Documents and Settings\Ming\Application Data\Help
2007-11-12 01:59:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-12 01:59:14 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-11 23:14:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-11 19:51:49 0 -rahs---- C:\MSDOS.SYS
2007-11-11 19:51:49 0 -rahs---- C:\IO.SYS
2007-11-11 19:51:49 0 --a------ C:\CONFIG.SYS
2007-11-11 19:51:49 0 --a------ C:\AUTOEXEC.BAT
2007-11-11 19:41:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-10-25 10:26:48 53248 --a------ C:\WINDOWS\bdoscandel.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AAF23D8-4489-43D8-A064-319D1254ABCA}]
01/20/2008 02:16 PM 38400 --a------ C:\WINDOWS\system32\wvurqnk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2F2AE30-1D41-4A5B-BE34-958350B15772}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFCAA6F7-7171-4FCA-88D5-AEEC2F0BCF93}]
01/21/2008 02:22 AM 340992 --------- C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 05:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 05:14 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/04/2007 05:14 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [10/05/2001 04:34 PM]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/23/2001 01:52 PM]
"Updater"="C:\WINDOWS\system32\updater\explorer.exe" [11/24/2007 02:08 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 05:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AAF23D8-4489-43D8-A064-319D1254ABCA}"= C:\WINDOWS\system32\wvurqnk.dll [01/20/2008 02:16 PM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurqnk]
wvurqnk.dll 01/20/2008 02:16 PM 38400 C:\WINDOWS\system32\wvurqnk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df917bc2-52ff-11d6-a368-806d6172696f}]
AutoRun\command- D:\autoplay.exe

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-01-21 03:13:11 ------------
Attached Files
File Type: txt extra.txt (14.8 KB, 0 views)
File Type: txt Activescan.txt (1.1 KB, 0 views)


Old 01-21-2008, 05:01 AM   #2 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

I noticed that ComboFix is a pretty popular program to use to try and fix any problems, so I decided to try it and post it up just in case.

ComboFix 08-01-20.1 - Ming 2008-01-21 3:46:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.69 [GMT -8:00]
Running from: C:\Documents and Settings\Ming\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ming\Favorites\Online Security Guide.lnk
C:\Program Files\Temporary
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini2
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tustsmxp.ini
C:\WINDOWS\system32\tustsmxp.ini2
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\wvurqnk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 03:43 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 03:06 . 2008-01-21 03:06 <DIR> d-------- C:\Deckard
2008-01-21 01:39 . 2008-01-21 02:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-21 01:39 . 2008-01-21 01:41 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-21 01:39 . 2008-01-21 01:41 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-21 01:39 . 2008-01-21 01:41 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-21 01:12 . 2008-01-21 01:12 <DIR> d-------- C:\Documents and Settings\Ming\Application Data\True Sword
2008-01-18 18:54 . 2008-01-18 19:06 <DIR> d-------- C:\Music
2008-01-18 18:54 . 2008-01-18 18:54 6 -rahs---- C:\WINDOWS\iPod2PC3.obl
2008-01-18 18:53 . 2008-01-20 14:14 <DIR> d-------- C:\Program Files\iPod2PC
2008-01-18 18:53 . 2008-01-18 18:53 <DIR> d-------- C:\Documents and Settings\Ming\Application Data\iPod2PC3
2008-01-18 18:49 . 2008-01-18 18:50 <DIR> d-------- C:\Program Files\EphPod
2008-01-17 22:06 . 2008-01-17 22:06 <DIR> d-------- C:\Documents and Settings\Ming\Application Data\CopyTrans
2008-01-17 22:05 . 2008-01-18 18:49 <DIR> d-------- C:\Program Files\WindSolutions
2008-01-08 22:20 . 2008-01-10 19:17 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 2
2007-12-26 18:42 . 2007-12-26 18:42 <DIR> d-------- C:\Documents and Settings\Ming\Application Data\Media Player Classic
2007-12-26 18:29 . 2008-01-09 19:51 <DIR> d-------- C:\Program Files\ReGetDx
2007-12-26 18:29 . 2008-01-21 02:11 <DIR> d-------- C:\Program Files\Common Files\ReGet Shared
2007-12-25 17:20 . 2007-12-25 17:23 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 17:20 . 2007-12-25 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 17:19 . 2007-12-25 17:19 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-25 17:19 . 2007-12-25 17:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-24 16:18 . 2007-12-27 12:29 <DIR> d-------- C:\Documents and Settings\Ming\Application Data\skypePM
2007-12-24 16:18 . 2007-12-24 16:18 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-24 16:15 . 2007-12-29 00:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-12-23 22:43 . 2007-12-23 22:43 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Talkback
2007-12-23 15:29 . 2008-01-21 01:34 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 15:29 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-23 15:28 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-23 15:28 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-23 15:28 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-23 15:27 . 2007-12-23 15:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-23 15:27 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-23 15:27 . 2003-03-18 12:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-12-23 15:27 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-12-23 15:27 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-12-23 15:27 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-23 15:27 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-22 23:50 . 2007-12-22 23:50 <DIR> d-------- C:\ie-spyad_zo
2007-12-21 23:29 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-21 23:29 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-21 23:29 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-21 23:29 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-21 23:29 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-21 23:29 . 2007-12-21 23:31 2,546 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-21 23:04 . 2007-12-21 23:04 991,542 --ahs---- C:\WINDOWS\system32\ujtjmyos.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-21 11:05 --------- d-----w C:\Program Files\Yahoo!
2008-01-21 10:14 --------- d-----w C:\Program Files\Windows Defender
2008-01-15 05:12 --------- d-----w C:\Documents and Settings\Ming\Application Data\LimeWire
2008-01-14 15:19 --------- d-----w C:\Documents and Settings\Ming\Application Data\Azureus
2007-12-23 23:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-21 07:43 --------- d-----w C:\Program Files\CCleaner
2007-12-21 03:06 --------- d-----w C:\Program Files\Norton Security Scan
2007-12-16 02:38 --------- d-----w C:\Program Files\DivX
2007-12-14 04:51 --------- d-----w C:\Program Files\InstallShield Installation Information
2007-12-14 02:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-09 08:43 --------- d-----w C:\Program Files\Lavasoft
2007-12-09 08:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-07 10:08 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-07 09:02 --------- d-----w C:\Documents and Settings\Ming\Application Data\Winamp
2007-12-07 05:51 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-04 07:12 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-03 05:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 07:17 --------- d-----w C:\Program Files\LimeWire
2007-11-27 07:19 --------- d-----w C:\Program Files\Microsoft Works
2007-11-27 07:16 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-26 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Broderbund LLC
2007-11-26 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Broderbund
2007-11-25 04:42 --------- d-----w C:\Program Files\The KMPlayer
2007-11-12 03:59 155,995 ----a-w C:\WINDOWS\java\Packages\MXRJHRFP.ZIP
2007-10-25 18:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 17:14 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 16:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 13:52 331830]
"Updater"="C:\WINDOWS\system32\updater\explorer.exe" [2007-11-24 14:08 1478612]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]


.
Contents of the 'Scheduled Tasks' folder
"2008-01-03 17:27:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-21 11:58:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-21 11:55:53 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 03:56:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 3:59:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 11:59:05
.
2008-01-18 0211 --- E O F ---

Old 01-23-2008, 07:57 AM   #3 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

3-day bump, I think.
Old 01-25-2008, 11:40 AM   #4 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

It's been like 4-5 days already. Help anyone?
Old 01-27-2008, 03:42 PM   #5 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Seriously, why won't anyone help me after 6 days? I haven't shut off my computer in all that time just because I don't want to spread the infection.
Old 01-29-2008, 06:39 PM   #6 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Will anyone help me?
Old 02-02-2008, 07:45 PM   #7 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Hello? Bump once again.
Old 02-06-2008, 08:27 AM   #8 (permalink)
Ielgnim (Registered User)
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

It's been 17 days and no one will help. This is the longest time I've kept my computer on due to a virus and avast! telling me not to.
Old 02-06-2008, 02:10 PM   #9 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Part of the problem is there are simply too many people needing help with infected machines, and not enough people to do the helping. Some threads get overlooked. There are many other excellent forums which offer this type of help, so your persistence and patience is commendable.

One of the other problems is that by replying to your own thread so many times, it looks to the helpers like it's being taken care of. Our volunteers have limited time, and usually look for 0 reply or 1 reply threads. I just happened to take a look.

Some helpers will not take threads where the user is performing fixes on their own, as it can be more difficult to come in afterward.

All that said, if you still need help, I'll take a look.

Since it's been so long since the first set of logs, I'd like a new set of logs from DSS before we continue.

Please run Deckard's System Scanner once again, this time using these instructions (this assumes DSS is on your desktop):

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.

Do not wrap the logs in any sort of bbcode tags, please. It makes them more difficult to review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 02-06-2008 at 02:11 PM.
Old 02-07-2008, 07:56 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Thanks.
This is the main.txt:

Deckard's System Scanner v20071014.68
Run by Ming on 2008-02-07 18:51:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
28: 2008-02-08 02:51:16 UTC - RP28 - Deckard's System Scanner Restore Point
27: 2008-02-07 23:09:53 UTC - RP27 - Software Distribution Service 3.0
26: 2008-02-07 07:27:12 UTC - RP26 - System Checkpoint
25: 2008-02-06 06:27:11 UTC - RP25 - Software Distribution Service 3.0
24: 2008-02-05 05:45:01 UTC - RP24 - System Checkpoint


-- First Restore Point --
1: 2008-01-21 11:47:03 UTC - RP1 - System Checkpoint


Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as Ming.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:54 PM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ming\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ming.exe

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3351 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080128-220412-346 O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
backup-20080128-220412-504 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
backup-20080128-220412-523 O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
backup-20080128-220412-613 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
backup-20080128-220412-688 O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
backup-20080128-220412-712 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20080128-220412-958 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
backup-20080128-220413-619 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/actives...ree/asinst.cab
backup-20080128-220413-693 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
backup-20080128-220413-798 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20080128-220617-261 O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
backup-20080128-220617-315 O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 tmcomm - c:\windows\system32\drivers\tmcomm.sys (file missing)
S3 Bcim (Bandwidth Controller kernel component) - c:\windows\system32\drivers\bcim.sys (file missing)
S3 catchme - c:\docume~1\ming\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 2056)
2007-10-04 17:14:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-09-20 18:34:58 129024 --a------ C:\Program Files\WinRAR\RarExt.dll

C:\WINDOWS\system32\rundll32.exe (pid 2700)
2007-10-04 17:14:00 1478656 --a------ C:\WINDOWS\system32\nview.dll
2007-10-04 17:14:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll


-- Scheduled Tasks -------------------------------------------------------------

2008-02-07 17:00:00 446 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2008-02-07 09:27:37 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-07 02:27:42 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-01-07 and 2008-02-07 -----------------------------

2008-02-02 19:16:49 0 d-------- C:\Program Files\SoftPerfect Bandwidth Manager
2008-02-02 18:15:18 0 d-------- C:\Documents and Settings\Ming\Application Data\Locktime
2008-02-02 18:14:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-01-30 18:44:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-01-30 18:44:03 0 d-------- C:\Program Files\Logitech
2008-01-30 18:44:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-01-30 18:40:31 0 d-------- C:\Program Files\Common Files\logishrd
2008-01-29 22:34:27 0 d-------- C:\Documents and Settings\Ming\Application Data\Move Networks
2008-01-28 22:32:35 0 d-------- C:\WINDOWS\ERUNT
2008-01-28 22:01:22 0 d-------- C:\Program Files\Trend Micro
2008-01-27 23:40:48 0 dr-h----- C:\Documents and Settings\Ming\Recent
2008-01-23 18:23:36 0 d-------- C:\VundoFix Backups
2008-01-22 16:33:38 0 d-------- C:\Documents and Settings\Ming\Application Data\vlc
2008-01-22 16:28:34 0 d-------- C:\Program Files\VideoLAN
2008-01-21 14:44:02 0 d-------- C:\Program Files\Common Files\NSV
2008-01-21 01:39:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-21 01:12:51 0 d-------- C:\Documents and Settings\Ming\Application Data\True Sword
2008-01-18 18:54:51 0 d-------- C:\Music
2008-01-18 18:53:45 0 d-------- C:\Documents and Settings\Ming\Application Data\iPod2PC3
2008-01-17 2218 0 d-------- C:\Documents and Settings\Ming\Application Data\CopyTrans
2008-01-17 22:05:55 0 d-------- C:\Program Files\WindSolutions
2008-01-08 22:20:46 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 2


-- Find3M Report ---------------------------------------------------------------

2008-01-30 23:11:49 0 d-------- C:\Documents and Settings\Ming\Application Data\Azureus
2008-01-30 22:41:29 0 d-------- C:\Documents and Settings\Ming\Application Data\Adobe
2008-01-30 18:40:31 0 d-------- C:\Program Files\Common Files
2008-01-24 18:12:56 0 d-------- C:\Program Files\Java
2008-01-21 03:05:59 0 d-------- C:\Program Files\Yahoo!
2008-01-21 02:14:40 0 d-------- C:\Program Files\Windows Defender
2008-01-21 02:11:54 0 d-------- C:\Program Files\Common Files\ReGet Shared
2008-01-21 01:34:25 0 d-------- C:\Program Files\SpywareBlaster
2008-01-14 21:12:25 0 d-------- C:\Documents and Settings\Ming\Application Data\LimeWire
2008-01-09 19:51:42 0 d-------- C:\Program Files\ReGetDx
2007-12-27 12:29:09 0 d-------- C:\Documents and Settings\Ming\Application Data\skypePM
2007-12-26 18:42:46 0 d-------- C:\Documents and Settings\Ming\Application Data\Media Player Classic
2007-12-25 17:23:30 0 d-------- C:\Program Files\QuickTime
2007-12-25 17:19:05 0 d-------- C:\Program Files\Apple Software Update
2007-12-23 15:40:43 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-23 15:27:23 0 d-------- C:\Program Files\Alwil Software
2007-12-21 23:31:49 2546 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-20 23:43:36 0 d-------- C:\Program Files\CCleaner
2007-12-20 23:11:52 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-15 18:38:44 923 --a------ C:\WINDOWS\mozver.dat
2007-12-15 18:38:24 0 d-------- C:\Program Files\DivX
2007-12-13 20:51:20 0 d-------- C:\Program Files\InstallShield Installation Information
2007-12-13 18:57:50 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-09 00:43:51 0 d-------- C:\Program Files\Lavasoft
2007-12-07 02:08:03 0 d-------- C:\Program Files\DAEMON Tools
2007-12-07 01:02:29 0 d-------- C:\Documents and Settings\Ming\Application Data\Winamp
2007-11-12 01:59:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-12 01:59:14 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-11 23:14:46 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-11 19:51:49 0 -rahs---- C:\MSDOS.SYS
2007-11-11 19:51:49 0 -rahs---- C:\IO.SYS
2007-11-11 19:51:49 0 --a------ C:\CONFIG.SYS
2007-11-11 19:51:49 0 --a------ C:\AUTOEXEC.BAT
2007-11-11 19:41:48 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/04/2007 05:14 PM]
"nwiz"="nwiz.exe" [10/04/2007 05:14 PM C:\WINDOWS\system32\nwiz.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 05:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [10/25/2007 04:37 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-02-07 18:54:30 ------------



And here is the extra.txt:


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.00GHz
Percentage of Memory in Use: 75%
Physical Memory (total/avail): 255.01 MiB / 62.79 MiB
Pagefile Memory (total/avail): 617.34 MiB / 316.16 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1903.02 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 127.99 GiB total, 107.47 GiB free.
D: is CDROM (CDFS)
E: is Fixed (NTFS) - 76.69 GiB total, 8.57 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - HDS728080PLAT20 - 76.69 GiB - 1 partition
\PARTITION0 - Installable File System - 76.69 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD1600JB-75GVC0 - 149.01 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1098 [VPS 080207-0] v4.7.1098 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\\Program Files\\Azureus\\Azureus.exe"="E:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ming\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FRANCING
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ming
LOGONSERVER=\\FRANCING
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Ming\LOCALS~1\Temp
TMP=C:\DOCUME~1\Ming\LOCALS~1\Temp
USERDOMAIN=FRANCING
USERNAME=Ming
USERPROFILE=C:\Documents and Settings\Ming
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ming (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.42 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Canon PIXMA iP3000 --> C:\WINDOWS\system32\CNMCP61.exe "-PRINTERNAMECanon PIXMA iP3000" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP3000 Installer\Inst2\cnmi0409.dll"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant HSF V92 56K Data Fax PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0\HxFSETUP.EXE -U -IVEN_14F1&DEV_2013&SUBSYS_021213E0
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
K-Lite Codec Pack 3.5.7 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
LimeWire PRO 4.14.10 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech QuickCam --> MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Mavis Beacon Teaches Typing Deluxe 17 --> C:\WINDOWS\TLCUninstall.exe -f "E:\Program Files\Broderbund\Mavis Beacon Teaches Typing Deluxe 17\Uninstall.xml"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe D:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Mozilla Firefox (2.0.0.11) --> E:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{E0D51394-1D45-460A-B62D-383BC4F8B335}
ReGet Deluxe 4.2 --> C:\Program Files\ReGetDx\regetdx.exe -uninstall
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
The KMPlayer (remove only) --> "C:\Program Files\The KMPlayer\uninstall.exe"
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "E:\Program Files\Winamp\UninstWA.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
Zune Desktop Theme --> MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type61524 / Error
Event Submitted/Written: 02/05/2008 11:05:32 PM
Event ID/Source: 0 / bwmservice
Event Description:
Unable to to initialize system threads (SoftPerfect Bandwidth Manager is unable to detect any available network adapters. Please make sure that you have configured at least one network adapter and then restart the system)

Event Record #/Type61523 / Error
Event Submitted/Written: 02/05/2008 11:05:31 PM
Event ID/Source: 0 / bwmservice
Event Description:
Unable to to initialize system threads (SoftPerfect Bandwidth Manager is unable to detect any available network adapters. Please make sure that you have configured at least one network adapter and then restart the system)

Event Record #/Type61522 / Warning
Event Submitted/Written: 02/05/2008 10:24:20 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'

Event Record #/Type61521 / Warning
Event Submitted/Written: 02/05/2008 10:24:20 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\InstallerKeys\QCDesktopShortcutKey' does not exist.

Event Record #/Type61520 / Warning
Event Submitted/Written: 02/05/2008 10:24:20 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}', feature 'QuickCam' failed during request for component '{62BA7C13-20BB-41F7-A6A4-482632CE53D4}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4401 / Warning
Event Submitted/Written: 02/06/2008 00:44:51 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type4400 / Warning
Event Submitted/Written: 02/06/2008 07:23:39 AM
Event ID/Source: 1073 / USER32
Event Description:
The attempt to power off FRANCING failed

Event Record #/Type4368 / Error
Event Submitted/Written: 02/05/2008 10:23:39 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The tmcomm service failed to start due to the following error:
%%2

Event Record #/Type4343 / Error
Event Submitted/Written: 02/04/2008 04:41:31 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The tmcomm service failed to start due to the following error:
%%2

Event Record #/Type4336 / Warning
Event Submitted/Written: 02/03/2008 10:55:17 PM / 02/03/2008 10:55:18 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-02-07 18:54:30 ------------
Old 02-07-2008, 08:07 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

That looks pretty good now. Are you still experiencing malware related issues? This machine could use more memory. 256 is barely enough to run Windows XP. 512 is the real minimum, 1 GB is better.

Avast seems to be disabled... is it current?

Does this file exist on the machine still?

C:\WINDOWS\system32\updater\explorer.exe

Is there anything else in that folder?

C:\WINDOWS\system32\updater
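The file tetonbob asks about sits in the HijackThis fixed-entries backup posted above as an HKLM Run value named [Updater], and the thing that makes it stand out is not the name explorer.exe but the directory: Windows installs explorer.exe in C:\WINDOWS, never in system32\updater. The script below is an added example written for this thread (it is not HijackThis, DSS or forum code) that makes that check mechanical over O4 lines: it pulls the image path out of each autostart command and compares the directory against a short, assumed table of where core Windows binaries live on a default XP layout. The sample lines are copied from the logs above, plus one constructed line marked as such.

```python
"""Spot autostart entries that borrow the name of a core Windows binary
but run from a directory Windows never installs it in.

Added example written for this thread; it is not HijackThis or DSS code.
The sample lines are copied from the HijackThis output posted above,
plus one constructed line marked as such.
"""
import ntpath
import re

# Directory each well-known binary is installed in on a default XP layout
# (%SystemRoot% = C:\WINDOWS). Assumption: a short illustrative table, not
# a complete allow-list; extend it for the systems you look after.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe":  r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# O4 line layout as HijackThis prints it: O4 - <hive\..\Run>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First absolute path ending in .exe or .dll inside the command string
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll)", re.IGNORECASE)


def image_path(cmd):
    """Return the first absolute .exe/.dll path in an O4 command, or None
    when the command only names a bare file that Windows resolves via PATH."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def classify(line):
    """Classify one HijackThis O4 line.

    Returns None for non-O4 lines, otherwise a dict with the value name,
    the resolved image path and a verdict:
      ok          - known binary in its expected directory
      masquerade  - known binary name, unexpected directory
      unknown     - base name not in EXPECTED_DIRS (no opinion)
      unresolved  - no absolute path in the command (resolve by hand)
    """
    m = O4_RE.match(line.strip())
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    path = image_path(cmd)
    if path is None:
        return {"name": name, "path": cmd, "verdict": "unresolved"}
    directory, base = ntpath.split(path)
    expected = EXPECTED_DIRS.get(base.lower())
    if expected is None:
        verdict = "unknown"
    elif directory.lower() == expected:
        verdict = "ok"
    else:
        verdict = "masquerade"
    return {"name": name, "path": path, "verdict": verdict}


def masquerades(lines):
    """Names of the autostart values whose image masquerades as a Windows binary."""
    return [r["name"] for r in map(classify, lines) if r and r["verdict"] == "masquerade"]


# Lines from the HijackThis log and the fixed-entries backup posted in this thread
SAMPLE = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [Updater] C:\WINDOWS\system32\updater\explorer.exe",
    # constructed line: what an entry pointing at the real explorer.exe would look like
    r"O4 - HKLM\..\Run: [Shell-constructed] C:\WINDOWS\explorer.exe",
]

if __name__ == "__main__":
    for entry in filter(None, map(classify, SAMPLE)):
        print(f"{entry['verdict']:<11} [{entry['name']}] {entry['path']}")
    print("masquerading:", masquerades(SAMPLE))
```

Run against the sample, only [Updater] comes back as a masquerade; the rundll32 and Program Files entries are merely "unknown" because the table has no opinion on them, and the bare `nwiz.exe /install` is reported as unresolved rather than silently passed, since a relative name depends on PATH and deserves a manual look.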
Old 02-07-2008, 08:16 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Yes. explorer.exe does exist there. And it's weird because avast catches the virus, deletes and in a few minutes, hours, days, I can't shut down the PC again because avast found a medium and it's the same virus.

Edit: Oh yea, I disabled avast to run DSS, I enabled it once again after DSS was finished.
Old 02-07-2008, 08:20 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Quote:
I can't shut down the PC again because avast found a medium and it's the same virus.
Please explain?

===========================

I'd like to identify this file if we can. It does not belong there.

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following in BOLD:

    C:\WINDOWS\system32\updater\explorer.exe

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
Old 02-07-2008, 08:26 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Well, when I shut down, avast sometimes warns me not to shut down because it's found a medium, and won't let me shut it down. It's right before it's about to shut down, then avast pops up and reads "Medium Detected".



File has already been analysed:
MD5: 2519df50405afcde47302c80708c6afc
Date: 01.27.2008 18:59:10 (CET) [>11D]
Results: 2/32
Permalink: analisis/73636d4461b93ac47883e4f594827394
Old 02-07-2008, 08:28 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

A medium level threat? I'm not understanding what Avast's term means...

Please click on reanalyze file at VirusTotal.
Old 02-07-2008, 08:30 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.07 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.07 -
AVG 7.5.0.516 2008.02.07 -
BitDefender 7.2 2008.02.08 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.08 -
DrWeb 4.44.0.09170 2008.02.07 -
eSafe 7.0.15.0 2008.01.28 Suspicious Archive Structure
eTrust-Vet 31.3.5520 2008.02.07 -
Ewido 4.0 2008.02.07 -
FileAdvisor 1 2008.02.08 -
Fortinet 3.14.0.0 2008.02.07 -
F-Prot 4.4.2.54 2008.02.07 -
F-Secure 6.70.13260.0 2008.02.08 -
Ikarus T3.1.1.20 2008.02.08 -
Kaspersky 7.0.0.125 2008.02.08 -
McAfee 5225 2008.02.07 -
Microsoft 1.3204 2008.02.07 -
NOD32v2 2857 2008.02.07 error - password-protected file
Norman 5.80.02 2008.02.07 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.08 Heuristic: Suspicious File With Bad Child Associations
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.08 -
Symantec 10 2008.02.08 -
TheHacker 6.2.9.212 2008.02.07 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.07 -
Webwasher-Gateway 6.6.2 2008.02.07 -
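The table Ielgnim pasted is the per-engine breakdown behind the "Results: 2/32" line from the earlier reply. As an added example (not VirusTotal's API or any forum tool), the script below parses that plain-text table and reproduces the ratio, so that it is clear which two engines fired, that the NOD32 "error" row is a scan failure rather than a detection, and that both hits are heuristic or generic names. It assumes each row is "<engine> <version> <YYYY.MM.DD> <result>", that "-" means no detection, and that a result beginning with "error" means the engine could not examine the file; the table text is copied from the post above.

```python
"""Summarise a VirusTotal result table pasted as plain text.

Added example for this thread; it is not VirusTotal's API or output format
beyond the four-column text the poster copied above. Assumptions: each row is
"<engine> <version> <YYYY.MM.DD> <result>", "-" means no detection, and a result
starting with "error" means the engine could not scan the file at all.
"""
import re

ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)

# Words that mark a heuristic or generic verdict rather than a named family
HEURISTIC_WORDS = ("heuristic", "suspicious", "generic")

# The 32-engine table as posted in this thread
VT_TEXT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.2.6.10 2008.02.05 -
AntiVir 7.6.0.62 2008.02.07 -
Authentium 4.93.8 2008.02.08 -
Avast 4.7.1098.0 2008.02.07 -
AVG 7.5.0.516 2008.02.07 -
BitDefender 7.2 2008.02.08 -
CAT-QuickHeal 9.00 2008.02.04 -
ClamAV 0.92 2008.02.08 -
DrWeb 4.44.0.09170 2008.02.07 -
eSafe 7.0.15.0 2008.01.28 Suspicious Archive Structure
eTrust-Vet 31.3.5520 2008.02.07 -
Ewido 4.0 2008.02.07 -
FileAdvisor 1 2008.02.08 -
Fortinet 3.14.0.0 2008.02.07 -
F-Prot 4.4.2.54 2008.02.07 -
F-Secure 6.70.13260.0 2008.02.08 -
Ikarus T3.1.1.20 2008.02.08 -
Kaspersky 7.0.0.125 2008.02.08 -
McAfee 5225 2008.02.07 -
Microsoft 1.3204 2008.02.07 -
NOD32v2 2857 2008.02.07 error - password-protected file
Norman 5.80.02 2008.02.07 -
Panda 9.0.0.4 2008.02.07 -
Prevx1 V2 2008.02.08 Heuristic: Suspicious File With Bad Child Associations
Rising 20.29.22.00 2008.01.30 -
Sophos 4.26.0 2008.02.07 -
Sunbelt 2.2.907.0 2008.02.08 -
Symantec 10 2008.02.08 -
TheHacker 6.2.9.212 2008.02.07 -
VBA32 3.12.6.0 2008.02.07 -
VirusBuster 4.3.26:9 2008.02.07 -
Webwasher-Gateway 6.6.2 2008.02.07 -
"""


def parse_results(text):
    """Turn the pasted table into a list of row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus Version"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def summarise(rows):
    """Detection ratio plus the engines that fired or failed to scan."""
    hits = [(r["engine"], r["result"]) for r in rows
            if r["result"] != "-" and not r["result"].lower().startswith("error")]
    errors = [(r["engine"], r["result"]) for r in rows
              if r["result"].lower().startswith("error")]
    heuristic_only = bool(hits) and all(
        any(w in verdict.lower() for w in HEURISTIC_WORDS) for _, verdict in hits
    )
    return {
        "ratio": f"{len(hits)}/{len(rows)}",
        "hits": hits,
        "errors": errors,
        "heuristic_only": heuristic_only,
    }


if __name__ == "__main__":
    summary = summarise(parse_results(VT_TEXT))
    print(summary["ratio"], "heuristic only:", summary["heuristic_only"])
    for engine, verdict in summary["hits"] + summary["errors"]:
        print(f"  {engine}: {verdict}")
```

The summary for this table is 2/32 with both hits heuristic and one engine unable to open the file. A low ratio built only from heuristic names is not evidence that a file is clean, especially when an engine reports it could not scan the contents at all, which is why the helper treats the file as unidentified and carries on with the cleanup rather than closing the thread on the strength of the scan.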
Old 02-07-2008, 08:35 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Ok, let's get to work...

First, there's something which needs our attention.

ComboFix is frequently updated. Please delete your existing version.

This machine does not have the Windows XP Recovery Console installed.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

---------------------------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please do this:
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Go to Microsoft's website => http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System

    For you, it's Microsoft Windows XP Home Edition (build 2600) SP 2.0

    http://www.microsoft.com/downloads/d...displaylang=en
  3. Download the file & save it as it's originally named, next to ComboFix.exe.
  4. Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it as indicated in the image below.


  5. Follow the prompts to start ComboFix (type 1 and press Enter) and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  6. ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.
  7. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
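The post above notes that this machine has no Recovery Console, and step 6 says that after the install it appears as a new boot option. As an added check, not code from the thread, from ComboFix or from Deckard's System Scanner, the Python below parses a boot.ini and reports whether a /cmdcons entry is present and whether the default entry still points at Windows, so the machine does not boot into the console unasked. It assumes the console registers itself as an [operating systems] line carrying the /cmdcons switch; both boot.ini samples are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample boot.ini as it looks after the Recovery Console was added.
WITH_CONSOLE = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""
# Constructed sample of the same machine before the console was installed.
WITHOUT_CONSOLE = "\n".join(WITH_CONSOLE.splitlines()[:-1]) + "\n"


def parse_boot_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split boot.ini into sections of (key, value) pairs, keeping entry order."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # section header, e.g. [operating systems]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside a section
        key, value = line.split("=", 1)   # values may themselves contain '='
        sections[current].append((key.strip(), value.strip()))
    return sections


def recovery_console_entries(text: str) -> List[Tuple[str, str]]:
    """Boot entries that start the Recovery Console: their switches include /cmdcons."""
    entries = parse_boot_ini(text).get("operating systems", [])
    return [(k, v) for k, v in entries if any(t.lower() == "/cmdcons" for t in v.split())]


def check_boot_ini(text: str) -> Dict[str, object]:
    """Report whether the console is installed and whether Windows is still the default."""
    sections = parse_boot_ini(text)
    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    console = recovery_console_entries(text)
    default = loader.get("default", "")
    default_is_console = any(k.lower() == default.lower() for k, _ in console)
    return {
        "installed": bool(console),
        "default_is_windows": bool(default) and not default_is_console,
        "entries": console,
    }
```

On a real XP machine, read C:\boot.ini (it is hidden and read-only) and pass its contents to check_boot_ini.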
Old 02-07-2008, 08:41 PM   #18 (permalink)
Registered User
 
Ielgnim's Avatar
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

I'm supposed to do this in safe mode or just normally as it is now?
Ielgnim is offline  
Old 02-07-2008, 08:42 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,234
OS: 2000 Pro; XP Pro; XP Home


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Since I said nothing about safe mode.....normal mode, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 02-07-2008, 08:43 PM   #20 (permalink)
Registered User
 
Ielgnim's Avatar
 
Join Date: Jan 2008
Posts: 21
OS: XP Home SP2


Re: TratBHO, CTX, Trojan-gen, Agent-HIV, help please.

Lol ok
Ielgnim is offline  
Copyright 2001 - 2009, Tech Support Forum