Old 12-04-2008, 02:16 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


Hijackthis Help. Trojans, and Popups

Hey. Thanks for your help! I'm sure I started having problems after downloading a bittorrent off Limewire. I have uninstalled Limewire and the bittorrent but I'm still experiencing trojans and 2 blank windows explorer popups coming up when I navigate to any new internet page. I ran spywaredoctor before knowing about hijackthis and it came up with

1: Trojan-Downloader .Agent!sd6 in C:\System Volume Information\_restore(46DE8921-1D39-44D2-A9E9-64119261F211)\RP250\A0027676.exe
2: Trojan-Downloader .Agent!sd6 in C:\WINDOWS\system32\GroupPolicyManifest\2.crack.zip
3: Trojan-Downloader .Agent!sd6 in C:\WINDOWS\System32\devmgr32.dll

Also I noticed a decrease in overall speed. Sounds crazy, but sometimes over the last day it seems like someone else is controlling my mouse and keyboard! Interesting note...I had to use another uninfected computer to post this, as the infected one would not let me. The login screen for the forum just kept coming up! Thanks again for your help!


The DDS:


DDS (Version 1.0) - NTFSx86
Run by stephenj young at 16:22:02.62 on Thu 12/04/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1368 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\stephenj young\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080131
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080131
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [EstimateReview]
mRun: [lxdfmon.exe] "c:\program files\lexmark 6500 series\lxdfmon.exe"
mRun: [lxdfamon] "c:\program files\lexmark 6500 series\lxdfamon.exe"
mRun: [Lexmark 6500 Series Fax Server] "c:\program files\lexmark 6500 series\fm3032.exe" /s
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: 28663152509 - c:\windows\system32\devmgr32.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\windows\system32\devmgr32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-21 108648]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2007-8-21 108648]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\drivers\datunidr.sys [2007-8-23 5376]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-11 47640]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-7 99376]
R3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-1 40840]
R3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-1 66952]
R3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-1 81288]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\NAVENG.SYS [2008-12-4 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081204.003\NAVEX15.SYS [2008-12-4 876112]
R3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2008-1-30 1251720]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\\lxdfserv.exe [2008-3-19 99248]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\GoogleDesktop.exe" [2008-1-30 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-1 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-1 1079176]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-04 16:16 <DIR> --d-h--- c:\windows\PIF
2008-12-04 16:03 250 a------- c:\windows\gmer.ini
2008-12-04 15:28 <DIR> --d----- c:\program files\Trend Micro
2008-12-04 07:54 373,760 a--sh--- c:\windows\system32\28.tmp
2008-12-03 11:54 373,760 a--sh--- c:\windows\system32\10.tmp
2008-12-02 12:50 <DIR> --d----- c:\windows\pss
2008-12-02 11:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-02 11:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-02 11:15 373,248 a--sh--- c:\windows\system32\53.tmp
2008-12-01 16:08 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-01 16:08 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-01 16:08 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-01 16:08 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-01 16:08 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-01 16:08 <DIR> --d----- c:\docume~1\stephe~1\applic~1\PC Tools
2008-11-30 23:27 4,516 a------- c:\windows\GnuHashes.ini
2008-11-30 23:19 1,714 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-11-30 23:19 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
2008-11-30 23:19 373,248 a--sh--- c:\windows\system32\2.tmp
2008-11-30 20:20 135,168 a------- c:\windows\system32\devmgr32.dll
2008-11-12 09:09 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:09 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 13:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\kinoma

==================== Find3M ====================

2008-12-04 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-04 13:16 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-12-02 16:33 <DIR> --d----- c:\program files\Digital Line Detect
2008-12-01 23:57 <DIR> --d----- c:\docume~1\stephe~1\applic~1\LimeWire
2008-12-01 16:34 <DIR> --d----- c:\program files\TomTom HOME 2
2008-11-17 15:29 <DIR> --d----- c:\program files\LogMeIn
2008-10-23 00:34 <DIR> --d----- c:\program files\Netflix
2008-10-21 10:10 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-21 10:10 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-21 10:10 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-21 10:10 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-21 10:10 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-06 21:46 <DIR> --d----- c:\program files\Yahoo!
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-17 13:58 88,319 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 07:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-14 15:31 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-08 20:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2008-09-08 05:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-09-07 14:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThumbnailCache4R
2008-09-05 23:30 241,704 -------- c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 -------- c:\windows\system32\dllcache\WgaTray.exe
2008-07-11 09:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LogMeIn
2008-04-20 14:38 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Automotix
2008-03-20 15:57 <DIR> --d----- c:\docume~1\stephe~1\applic~1\TomTom
2008-03-19 17:08 <DIR> --d----- c:\docume~1\stephe~1\applic~1\6500 Series
2008-03-19 16:56 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Lexmark Productivity Studio
2008-03-19 16:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\6500 Series
2008-02-18 18:14 <DIR> --d----- c:\docume~1\stephe~1\applic~1\MSNInstaller
2008-02-08 22:05 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Stamps.com Internet Postage
2008-02-07 07:17 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Symantec
2008-02-06 14:27 <DIR> --d----- c:\docume~1\stephe~1\applic~1\McAfee
2008-02-06 14:10 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Dell
2008-01-30 22:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SingleClick Systems
2008-01-30 22:35 <DIR> --d----- c:\docume~1\stephe~1\applic~1\Intel
2004-08-11 18:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 16:24:32.45 ===============
Attached Files: Attach.txt (11.8 KB), Gmer.txt (15.4 KB)
nicoantique is offline  
Old 12-08-2008, 10:05 AM   #2 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


Re: Hijackthis Help. Trojans, and Popups

Bump, please
nicoantique is offline  
Old 12-08-2008, 10:52 AM   #3 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: Hijackthis Help. Trojans, and Popups

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/320218-hijackthis-help-trojans-popups.html
File::
c:\windows\system32\28.tmp
c:\windows\system32\10.tmp
c:\windows\system32\53.tmp
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\2.tmp
Collect::
c:\windows\system32\devmgr32.dll
Folder::
c:\windows\system32\GroupPolicyManifest

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.


------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


---------------


In your next post, please include logs from:
  1. Online scan
  2. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
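
The paths in the CFScript above also stand out in the DDS log from the first post. The following Python is an added example, not part of the thread and not a description of how the helper built the script: it parses DDS-style lines and flags (a) `Notify` and `AppInit_DLLs` load points that reference a file created in the last 30 days and (b) recently created entries carrying both the hidden and system attributes. The sample lines are copied from the log above; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied verbatim from the DDS log in the first post.
SAMPLE_DDS = r"""
Notify: 28663152509 - c:\windows\system32\devmgr32.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll,c:\windows\system32\devmgr32.dll
=============== Created Last 30 ================
2008-12-04 16:16 <DIR> --d-h--- c:\windows\PIF
2008-12-04 07:54 373,760 a--sh--- c:\windows\system32\28.tmp
2008-12-03 11:54 373,760 a--sh--- c:\windows\system32\10.tmp
2008-12-02 11:15 373,248 a--sh--- c:\windows\system32\53.tmp
2008-12-01 16:08 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-11-30 23:19 1,714 a--sh--- c:\windows\system32\GroupPolicy000.dat
2008-11-30 23:19 <DIR> --dsh--- c:\windows\system32\GroupPolicyManifest
2008-11-30 23:19 373,248 a--sh--- c:\windows\system32\2.tmp
2008-11-30 20:20 135,168 a------- c:\windows\system32\devmgr32.dll
==================== Find3M ====================
2008-10-21 10:10 87,352 a------- c:\windows\system32\LMIinit.dll
"""

# One "Created Last 30" row: date, time, size or <DIR>, 8 attribute flags, path.
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)


def parse_dds(text):
    """Return (load_points, created) parsed from DDS-style text.

    load_points: (kind, name, path) for Winlogon Notify and AppInit_DLLs lines.
    created:     dicts for rows of the "Created Last 30" section only.
    """
    load_points, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("==") and line.endswith("=="):
            # Section banner, e.g. "=== Created Last 30 ==="
            section = line.strip("= ").lower()
        elif line.startswith("Notify:"):
            # Winlogon Notify package: DLL loaded by winlogon.exe
            name, _, path = line[len("Notify:"):].partition(" - ")
            load_points.append(("Notify", name.strip(), path.strip().lower()))
        elif line.startswith("AppInit_DLLs:"):
            # Comma-separated DLLs loaded into every process that loads user32.dll
            for path in line[len("AppInit_DLLs:"):].split(","):
                if path.strip():
                    load_points.append(("AppInit_DLLs", "", path.strip().lower()))
        elif section == "created last 30":
            m = FILE_ROW.match(line)
            if m:
                created.append({
                    "when": m.group(1) + " " + m.group(2),
                    "is_dir": m.group(3) == "<DIR>",
                    "attrs": m.group(4),
                    "path": m.group(5).lower(),
                })
    return load_points, created


def recent_load_point_targets(load_points, created):
    """Load points whose target file was created within the last 30 days."""
    recent = {row["path"] for row in created if not row["is_dir"]}
    return sorted({(kind, path) for kind, _, path in load_points if path in recent})


def hidden_system_entries(created):
    """Recently created files or folders marked both hidden (h) and system (s)."""
    return [row["path"] for row in created
            if "s" in row["attrs"] and "h" in row["attrs"]]


if __name__ == "__main__":
    lp, rows = parse_dds(SAMPLE_DDS)
    for kind, path in recent_load_point_targets(lp, rows):
        print(f"[load point -> recently created file] {kind}: {path}")
    for path in hidden_system_entries(rows):
        print(f"[hidden+system, created in last 30 days] {path}")
```

On the sample, the first check flags devmgr32.dll under both load points and the second flags the four .tmp files, GroupPolicy000.dat and the GroupPolicyManifest folder, which are the same paths listed under Collect::, File:: and Folder:: in the CFScript.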
Old 12-08-2008, 02:35 PM   #4 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


SUBS=All that and a Bran Muffin...

My laptop is rockin thanks to you! You Rock! Everything is 10 times faster, processing, browsing, applications. No more popup windows and 3 internet explorers running in the background all the time. It doesn't seem hijacked anymore!
One small note though...I had to manually shut it down after running the first Combofix...everything just stopped for 20 minutes when the message, "windows will reboot, please wait". I figured something froze, which it did. I shut it down manually and redropped the copypaste notepad into combofix. Ran it again and it restarted windows and produced a log no problem. Thanks again. Let me know if there is anything else I should do besides staying off Limewire :)

Here's the logs:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 18:11:41
Records in database: 1444306
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 55719
Threat name: 2
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:05:08


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\2.crack.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\3.video.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\4.setup.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\5.unpack.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\6.limepro.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicyManifest\7.keygen.zip.vir Infected: Trojan-Downloader.Win32.Agent.aseo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_devmgr32_.dll.zip Infected: Trojan-Downloader.Win32.Agent.arsg 2
C:\Qoobox\Quarantine\[4]-Submit_2008-12-08@14.47.zip Infected: Trojan-Downloader.Win32.Agent.arsg 1

The selected area was scanned.



Combofix


ComboFix 08-12-07.01 - stephenj young 2008-12-08 15:27:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1454 [GMT -5:00]
Running from: c:\documents and settings\stephenj young\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\stephenj young\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\28.tmp
c:\windows\system32\53.tmp
c:\windows\system32\GroupPolicy000.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\devmgr32.dll
.
---- Previous Run -------
.
c:\windows\system32\10.tmp
c:\windows\system32\2.tmp
c:\windows\system32\28.tmp
c:\windows\system32\53.tmp
c:\windows\system32\devmgr32.dll
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\GroupPolicyManifest\1.music.mp3
c:\windows\system32\GroupPolicyManifest\1.music.mp3.kwd
c:\windows\system32\GroupPolicyManifest\2.crack.zip
c:\windows\system32\GroupPolicyManifest\2.crack.zip.kwd
c:\windows\system32\GroupPolicyManifest\3.video.zip
c:\windows\system32\GroupPolicyManifest\3.video.zip.kwd
c:\windows\system32\GroupPolicyManifest\4.setup.zip
c:\windows\system32\GroupPolicyManifest\4.setup.zip.kwd
c:\windows\system32\GroupPolicyManifest\5.unpack.zip
c:\windows\system32\GroupPolicyManifest\5.unpack.zip.kwd
c:\windows\system32\GroupPolicyManifest\6.limepro.zip
c:\windows\system32\GroupPolicyManifest\6.limepro.zip.kwd
c:\windows\system32\GroupPolicyManifest\7.keygen.zip
c:\windows\system32\GroupPolicyManifest\7.keygen.zip.kwd
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg
c:\windows\system32\GroupPolicyManifest\8.mpgvideo.mpg.kwd
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 12:37 . 2008-12-08 08:37 373,760 --ahs---- c:\windows\system32\33.tmp
2008-12-07 12:37 . 2008-12-07 12:37 0 --a------ c:\windows\system32\32.tmp
2008-12-06 13:32 . 2008-12-06 13:32 373,760 --ahs---- c:\windows\system32\26.tmp
2008-12-05 10:30 . 2008-12-05 17:32 373,760 --ahs---- c:\windows\system32\1B.tmp
2008-12-05 09:34 . 2008-12-05 09:34 0 --a------ c:\windows\system32\11.tmp
2008-12-04 16:16 . 2008-12-04 16:16 <DIR> d--h----- c:\windows\PIF
2008-12-04 16:03 . 2008-12-04 16:04 250 --a------ c:\windows\gmer.ini
2008-12-04 15:28 . 2008-12-04 15:28 <DIR> d-------- c:\program files\Trend Micro
2008-12-02 11:52 . 2008-12-02 11:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 11:52 . 2008-12-02 12:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 16:08 . 2008-12-08 02:07 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-01 16:08 . 2008-12-01 16:08 <DIR> d-------- c:\documents and settings\stephenj young\Application Data\PC Tools
2008-12-01 16:08 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-01 16:08 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-01 16:08 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-01 16:08 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-30 23:27 . 2008-11-30 23:27 4,516 --a------ c:\windows\GnuHashes.ini
2008-11-12 09:09 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 09:09 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 13:21 . 2008-11-11 13:21 <DIR> d-------- c:\program files\DIFX
2008-11-11 13:21 . 2008-11-11 13:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\kinoma

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 20:24 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-08 20:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-08 19:51 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-02 21:33 --------- d-----w c:\program files\Digital Line Detect
2008-12-02 04:57 --------- d-----w c:\documents and settings\stephenj young\Application Data\LimeWire
2008-12-01 21:34 --------- d-----w c:\program files\TomTom HOME 2
2008-11-17 20:29 --------- d-----w c:\program files\LogMeIn
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 05:34 --------- d-----w c:\program files\Netflix
2008-10-21 15:10 47,640 ----a-w c:\windows\system32\drivers\LMIRfsDriver.sys
2008-09-12 21:46 61,224 ----a-w c:\documents and settings\stephenj young\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-23 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-23 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-23 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-08-21 115816]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-21 771704]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"lxdfmon.exe"="c:\program files\Lexmark 6500 Series\lxdfmon.exe" [2007-06-11 455600]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SigmatelSysTrayApp"="stsystra.exe" [2007-09-16 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-21 10:10 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dvd43"=c:\program files\dvd43\dvd43_tray.exe
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=c:\program files\Common Files\Nero\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\WINDOWS\\system32\\lxdfcoms.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\frun.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"c:\\Program Files\\Lexmark 6500 Series\\LXDFFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC

R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\system32\DRIVERS\datunidr.sys [2007-08-23 5376]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-11 47640]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-07 99376]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2008-03-19 99248]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-01 356920]
S4 LMIRfsClientNP;LMIRfsClientNP; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7c54497-f5e0-11dc-aeae-001ec900b904}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - stephenj young.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-21 01:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-EstimateReview - (no file)
Notify-28663152509 - c:\windows\System32\devmgr32.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 15:30:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(936)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\lxdfcoms.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-12-08 15:33:45 - machine was rebooted [stephenj young]
ComboFix-quarantined-files.txt 2008-12-08 20:33:34

Pre-Run: 87,493,062,656 bytes free
Post-Run: 87,397,781,504 bytes free

217 --- E O F --- 2008-11-22 10:45:34

Onlinescan
nicoantique is offline  
Old 12-08-2008, 02:39 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: Hijackthis Help. Trojans, and Popups

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
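@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Delete the listed .tmp files; log any that still exist afterwards
for %%g in (
c:\windows\system32\33.tmp
c:\windows\system32\32.tmp
c:\windows\system32\26.tmp
c:\windows\system32\1B.tmp
c:\windows\system32\11.tmp
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Remove the listed folders; log any that still exist afterwards
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Open the log if anything was left behind, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem Wait 7000 ms (nircmd), then delete this batch file
nircmd wait 7000
del %0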
Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

sUBs is offline  
Old 12-08-2008, 04:12 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


Re: Hijackthis Help. Trojans, and Popups

It ran for a second and flashed, "deleted something" then closed.
nicoantique is offline  
Old 12-08-2008, 09:12 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 23,264
OS: N/A


Re: Hijackthis Help. Trojans, and Popups

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

sUBs is offline  
Old 12-08-2008, 09:42 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp


Re: Hijackthis Help. Trojans, and Popups

I cannot even express my gratitude! Thank you and I will be sending a donation. Again, You Rock.
nicoantique is offline  
 



All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum