#1 - 12-06-2008, 08:43 PM
Registered User
Join Date: Dec 2008
Posts: 5
OS: XP Media Center Edition

Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Any help is greatly appreciated, so thanks in advance. I seem to have a restore point from the day before the issue, so if the simple solution is to go back to that, then I am all for it. I have data on this box and transact personal finance on the machine, so I have changed all the passwords on the applicable web sites and institutions. I have also locked the box down with ZoneAlarm.

12/2 - Email in Facebook inbox from a friend.
- Clicked on the email and, not paying attention, clicked right through the obvious fake site telling me to update my Flash player.
- Became aware of the issue when I launched IE and watched in horror as it ran through its script, logging me into Facebook and starting to send a mail. I shut the browser down and started calling my friends to make sure I did not propagate the virus.
12/3 - Ran UnHackMe and Ad-Aware, before I came across this site and the warnings about doing so. I found 2 issues, tinyproxy and bulivar27. Thought I had it all clean, downloaded the ZoneAlarm firewall and locked the box down. Also downloaded and ran AVG Free.
12/6 - Heard my audio crackling a few times and thought it was strange, as no apps that would play audio were loaded. A Green Day song played for about 30 seconds. Got nervous and ran netstat -a to see what ports were open. Saw some unfamiliar IPs, so I locked it down with ZoneAlarm, ran some scans and found tinyproxy again. Downloaded STOPzilla and it found about 10 more issues. Decided it was time to post here and determine if I can clean it or if I need to scrap it and turn it into a Linux box.

DDS Log output:

DDS (Version 1.0) - NTFSx86
Run by at 22:02:36.46 on Sat 12/06/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.512 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
f:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
F:\Program Files\VMware\VMware Server\vmware-authd.exe
f:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
F:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\system32\vmnat.exe
f:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\vmnetdhcp.exe
F:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\system32\dllhost.exe
F:\Program Files\STOPzilla!\SZOptions.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
F:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
F:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\V0350Mon.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Quicken\bagent.exe
F:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Documents and Settings\Michael Hickey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
F:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael Hickey\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1827766B-9F49-4854-8034-F6EE26FCB1EC} - f:\program files\stopzilla!\SZSG.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - f:\program files\avg\avg8\avgssie.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - f:\program files\stopzilla!\SZIEBHO.dll
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {98828DED-A591-462F-83BA-D2F62A68B8B8} - f:\program files\stopzilla!\SZSG.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - f:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "f:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [QuickenScheduledUpdates] f:\program files\quicken\bagent.exe
uRun: [Creative Live! Cam Manager] "f:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
uRun: [CTRegRun] c:\windows\CTRegRun.EXE
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [Google Update] "c:\documents and settings\michael hickey\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [UnHackMe Monitor] f:\program files\unhackme\hackmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [HPAIO_PrintFolderMgr] c:\windows\system32\spool\drivers\w32x86\hpoopm07.exe
mRun: [DVDLauncher] "f:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Windows Defender] "f:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [V0350Mon.exe] c:\windows\V0350Mon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "f:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - f:\progra~1\window~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 MtxDma0;Matrox Dma Manager (0);c:\windows\system32\drivers\MtxDma0.sys [2007-4-22 182248]
R0 szkg5;szkg;c:\windows\system32\drivers\szkg.sys [2008-10-8 49664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-3 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-3 26824]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-3 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-3 394952]
R2 aawservice;Lavasoft Ad-Aware Service;"f:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\avg\avg8\avgemc.exe [2008-12-3 875288]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-3 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-3 76040]
R2 vmserverdWin32;VMware Registration Service;f:\program files\vmware\vmware server\vmserverdWin32.exe [2007-9-6 1650781]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R2 WinDefend;Windows Defender;"f:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\drivers\V0350Afx.sys [2008-5-9 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\drivers\V0350VFx.sys [2008-5-9 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\drivers\V0350Vid.sys [2008-5-9 170368]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-3 30946]

=============== Created Last 30 ================

2008-12-06 22:02 250 ac------ c:\windows\gmer.ini
2008-12-06 16:52 552 ac------ c:\windows\system32\drivers\kgpcpy.cfg
2008-12-06 16:47 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SITEguard
2008-12-06 16:39 <DIR> -cd----- c:\program files\common files\iS3
2008-12-06 16:39 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2008-12-04 01:00 <DIR> -cd-h--- C:\$AVG8.VAULT$
2008-12-03 22:13 8,402,976 ac-sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-03 22:13 96,344 ac-sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-03 22:12 <DIR> -cd----- c:\program files\ZoneAlarmSB
2008-12-03 22:11 4,212 -c--h--- c:\windows\system32\zllictbl.dat
2008-12-03 22:11 75,248 ac------ c:\windows\zllsputility.exe
2008-12-03 22:09 <DIR> -cd----- c:\windows\Internet Logs
2008-12-03 22:04 10,520 ac------ c:\windows\system32\avgrsstx.dll
2008-12-03 22:04 <DIR> -cd----- c:\windows\system32\drivers\Avg
2008-12-03 22:04 <DIR> -cd----- c:\docume~1\michae~1\applic~1\AVGTOOLBAR
2008-12-03 22:04 97,928 ac------ c:\windows\system32\drivers\avgldx86.sys
2008-12-03 22:04 76,040 ac------ c:\windows\system32\drivers\avgtdix.sys
2008-12-03 22:04 <DIR> -cd----- c:\program files\AVG
2008-12-03 22:04 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-03 21:36 123 ac------ c:\windows\rootkitno.ini
2008-12-03 20:09 <DIR> -cd----- c:\program files\common files\Wise Installation Wizard
2008-12-03 19:39 30,946 ac------ c:\windows\system32\drivers\Partizan.sys
2008-12-03 19:39 28,672 ac------ c:\windows\system32\Partizan.exe
2008-12-03 19:39 2 ac-shrot c:\windows\winstart.bat
2008-12-03 19:39 8,944 ac------ c:\windows\system32\drivers\UnHackMeDrv.sys
2008-12-02 21:28 1 -c--h--- c:\windows\bemark2.dat
2008-12-02 21:27 1 -c--h--- c:\windows\f49f4daa.dat
2008-12-02 21:27 <DIR> -cd----- c:\windows\system32\351631
2008-12-02 21:27 <DIR> -cd----- c:\program files\tinyproxy
2008-12-02 21:26 1 -c--h--- c:\windows\fmark2.dat
2008-11-12 03:48 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 03:48 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-11 14:35 364,544 ac---r-- c:\windows\system32\IS3DBA5.dll

==================== Find3M ====================

2008-11-26 12:42 563,712 ac------ c:\documents and settings\michael hickey\gotomypc_370.exe
2008-10-24 06:21 455,296 ac------ c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 10:01 17,408 ac---r-- c:\windows\system32\SZIO5.dll
2008-10-23 10:00 278,528 ac---r-- c:\windows\system32\SZBase5.dll
2008-10-23 10:00 536,576 ac---r-- c:\windows\system32\SZComp5.dll
2008-10-16 14:06 268,648 ac------ c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ac------ c:\windows\system32\muweb.dll
2008-10-12 11:52 61,224 ac------ c:\documents and settings\michael hickey\GoToAssistDownloadHelper.exe
2008-10-08 13:27 49,664 ac---r-- c:\windows\system32\drivers\SZKG.sys
2008-09-29 13:08 126,976 ac---r-- c:\windows\system32\IS3HTUI5.dll
2008-09-29 13:07 372,736 ac---r-- c:\windows\system32\IS3UI5.dll
2008-09-29 13:07 61,440 ac---r-- c:\windows\system32\IS3Hks5.dll
2008-09-29 13:07 23,040 ac---r-- c:\windows\system32\IS3XDat5.dll
2008-09-29 13:06 212,992 ac---r-- c:\windows\system32\IS3Win325.dll
2008-09-29 13:06 94,208 ac---r-- c:\windows\system32\IS3Inet5.dll
2008-09-29 13:06 90,112 ac---r-- c:\windows\system32\IS3Svc5.dll
2008-09-29 13:03 708,608 ac---r-- c:\windows\system32\IS3Base5.dll
2008-09-15 07:12 1,846,400 ac------ c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -c------ c:\windows\system32\msxml6.dll
2008-09-09 06:11 89,063 ac------ c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-07-09 15:34 12,592,648 ac------ c:\documents and settings\michael hickey\EVA technical presentation.zip
2005-11-25 15:26 483,401 ac------ c:\documents and settings\michael hickey\314_gotomypc.exe
2007-07-14 17:53 32,768 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2007-07-14 17:53 65,536 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:03:40.67 ===============
Attached file: attach.zip (9.9 KB)
Posted by scr3w3d
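The DDS log above carries the two settings that matter most for triage: a per-user IE proxy pointing at 127.0.0.1:9090 next to a freshly created c:\program files\tinyproxy directory, and, in the ComboFix output later in the thread, Security Center notifications switched off. The script below is an added example, not part of the original post and not code from DDS, ComboFix or the forum. It reads lines in those two log formats and flags the indicators for review; the rules and regular expressions are its own assumptions, and the sample lines are copied from the logs in this thread. Treat hits as review items rather than verdicts: AppInit_DLLs here loads avgrsstx.dll, which appears in the log at the same timestamp as the AVG drivers installed on 12/3, and a loopback proxy is also how some legitimate web-filtering products work.

```python
"""Triage a DDS / ComboFix-style log for the indicators seen in this thread.

Added example; not code from the forum post, DDS or ComboFix. The rules
(which lines count as 'review' items) and the regexes are this example's own
assumptions; the sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Finding:
    kind: str   # proxy | open_port | appinit | seccenter | created
    line: str
    note: str


# Pseudo-HJT line:  uInternet Settings,ProxyServer = http=127.0.0.1:9090
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<val>.+)$")
# DDS 'Created Last 30' and ComboFix 'Files Created' entries; ComboFix inserts
# ". <modified timestamp>" after the creation timestamp.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"(?:\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size><DIR>|\(?[\d,]+\)?)\s+(?P<attrs>[a-z-]+)\s+(?P<path>.+)$", re.I)
# ComboFix firewall dump:  "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
OPENPORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):[^:]*:(?P<state>Enabled|Disabled)', re.I)
# DDS form "AppInit_DLLs: x.dll" and ComboFix form "AppInit_DLLs"=x.dll
APPINIT_RE = re.compile(r'^(?:AppInit_DLLs:|"AppInit_DLLs"=)\s*(?P<val>\S.*)$')
SECCENTER_RE = re.compile(
    r'^"(?P<key>AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|DisableMonitoring)"=dword:0*1$')

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _proxy_host(entry: str) -> str:
    """'http=127.0.0.1:9090' -> '127.0.0.1' (assumes IPv4 or hostname, as in XP-era logs)."""
    hostport = entry.split("=", 1)[-1].strip()
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return review items for the indicator classes above; unknown lines are ignored."""
    out: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.match(line):
            for entry in m["val"].split(";"):          # value may be "http=a;https=b"
                if _proxy_host(entry).lower() in LOOPBACK:
                    out.append(Finding("proxy", line,
                        f"browser traffic is relayed through a local listener ({entry.split('=', 1)[-1]}); find the process bound to it"))
        elif m := OPENPORT_RE.match(line):
            if m["state"].lower() == "enabled":       # a Disabled exception is inert
                out.append(Finding("open_port", line, f"firewall exception {m['port']}/{m['proto']} is enabled"))
        elif m := APPINIT_RE.match(line):
            out.append(Finding("appinit", line, f"{m['val']} is loaded into every process that loads user32.dll; confirm the vendor"))
        elif m := SECCENTER_RE.match(line):
            out.append(Finding("seccenter", line, f"Security Center {m['key']}=1 suppresses a protection warning"))
        elif m := CREATED_RE.match(line):
            path, attrs = m["path"].lower(), m["attrs"].lower()
            size = m["size"].strip("()").upper()
            parent, _, name = path.rpartition("\\")
            if size == "<DIR>" and name.isdigit() and "\\system32" in parent:
                out.append(Finding("created", line, "all-digit directory name under system32"))
            elif size == "1" and "h" in attrs and parent == "c:\\windows":
                out.append(Finding("created", line, "1-byte hidden file in the Windows directory, typical infection marker"))
    return out


def count_by_kind(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS and ComboFix output in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
AppInit_DLLs: avgrsstx.dll
2008-12-02 21:28 1 -c--h--- c:\windows\bemark2.dat
2008-12-02 21:27 <DIR> -cd----- c:\windows\system32\351631
2008-12-02 21:27 <DIR> -cd----- c:\program files\tinyproxy
2008-12-03 19:39 2 ac-shrot c:\windows\winstart.bat
"AntiVirusDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
2008-12-02 21:27 . 2008-12-03 19:56 <DIR> d----c--- c:\windows\system32\351631
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.kind:9}] {f.note}\n            {f.line}")
```

Run against the sample, the script reports the loopback proxy, the AppInit_DLLs entry, both Security Center keys and the three odd file-system entries, but stays silent on the 3389/TCP exception because the firewall dump marks it Disabled. The tinyproxy directory itself is not matched by any rule: the proxy setting is what gives it away, and the next step is to confirm what is bound to port 9090 (for example with netstat -ano, as the original poster did with netstat -a).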
#2 - 12-06-2008, 09:48 PM
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,480
OS: N/A

Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#3 - 12-07-2008, 06:31 AM
Registered User
Join Date: Dec 2008
Posts: 5
OS: XP Media Center Edition

Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Thanks for the assistance. I did not post the output from STOPzilla. It had 1 instance of drvun, 3 of newweb, inet2000, expdwnldr and tinyproxy.

Here is the output after the ComboFix run.

Thank you,
mike

ComboFix 08-12-06.06 - 2008-12-07 8:20:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510 [GMT -5:00]
Running from: c:\documents and settings\Michael Hickey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael Hickey\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TinyProxy
c:\windows\f49f4daa.dat
c:\windows\fmark2.dat

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 22:02 . 2008-12-06 22:09 250 --a--c--- c:\windows\gmer.ini
2008-12-06 16:52 . 2008-12-06 22:02 552 --a--c--- c:\windows\system32\drivers\kgpcpy.cfg
2008-12-06 16:47 . 2008-12-06 17:34 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SITEguard
2008-12-06 16:39 . 2008-12-06 16:39 <DIR> d----c--- c:\program files\Common Files\iS3
2008-12-06 16:39 . 2008-12-07 08:15 <DIR> d----c--- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-12-04 01:00 . 2008-12-04 02:59 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-12-03 22:13 . 2008-12-07 08:24 8,900,640 --ahsc--- c:\windows\system32\drivers\fidbox.dat
2008-12-03 22:13 . 2008-12-06 16:50 96,344 --ahsc--- c:\windows\system32\drivers\fidbox.idx
2008-12-03 22:12 . 2008-12-03 22:12 <DIR> d----c--- c:\program files\ZoneAlarmSB
2008-12-03 22:11 . 2008-12-03 22:11 <DIR> d----c--- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-03 22:11 . 2008-07-09 09:05 75,248 --a--c--- c:\windows\zllsputility.exe
2008-12-03 22:11 . 2008-12-03 22:12 4,212 ---h-c--- c:\windows\system32\zllictbl.dat
2008-12-03 22:09 . 2008-12-07 08:15 <DIR> d----c--- c:\windows\Internet Logs
2008-12-03 22:04 . 2008-12-06 09:19 <DIR> d----c--- c:\windows\system32\drivers\Avg
2008-12-03 22:04 . 2008-12-03 22:04 <DIR> d----c--- c:\program files\AVG
2008-12-03 22:04 . 2008-12-05 17:07 <DIR> d----c--- c:\documents and settings\Michael Hickey\Application Data\AVGTOOLBAR
2008-12-03 22:04 . 2008-12-03 22:04 <DIR> d----c--- c:\documents and settings\All Users\Application Data\avg8
2008-12-03 22:04 . 2008-12-03 22:04 97,928 --a--c--- c:\windows\system32\drivers\avgldx86.sys
2008-12-03 22:04 . 2008-12-03 22:04 76,040 --a--c--- c:\windows\system32\drivers\avgtdix.sys
2008-12-03 22:04 . 2008-12-03 22:04 10,520 --a--c--- c:\windows\system32\avgrsstx.dll
2008-12-03 21:36 . 2008-12-03 21:36 123 --a--c--- c:\windows\rootkitno.ini
2008-12-03 20:10 . 2008-12-03 20:10 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-03 20:09 . 2008-12-03 20:09 <DIR> d----c--- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 19:39 . 2008-12-03 19:39 30,946 --a--c--- c:\windows\system32\drivers\Partizan.sys
2008-12-03 19:39 . 2008-12-03 19:39 28,672 --a--c--- c:\windows\system32\Partizan.exe
2008-12-03 19:39 . 2005-04-03 15:02 8,944 --a--c--- c:\windows\system32\drivers\UnHackMeDrv.sys
2008-12-03 19:39 . 2008-12-03 19:39 (2) -rahscot- c:\windows\winstart.bat
2008-12-02 21:28 . 2008-12-02 21:28 1 ---h-c--- c:\windows\bemark2.dat
2008-12-02 21:27 . 2008-12-03 19:56 <DIR> d----c--- c:\windows\system32\351631
2008-11-12 03:48 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 03:48 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 14:35 . 2008-11-11 14:35 364,544 -ra--c--- c:\windows\system32\IS3DBA5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 13:12 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\OpenOffice.org2
2008-12-07 13:11 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\gtk-2.0
2008-12-06 21:53 --------- dc----w c:\documents and settings\LocalService\Application Data\VMware
2008-12-06 21:52 --------- dc----w c:\documents and settings\All Users\Application Data\VMware
2008-12-04 06:00 --------- dc----w c:\program files\DIGStream
2008-12-04 03:01 --------- dc----w c:\windows\system32\config\systemprofile\Application Data\VMware
2008-12-04 02:56 --------- dc----w c:\program files\McAfee.com
2008-12-04 02:56 --------- dc----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-04 02:54 --------- dc----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-03 02:34 --------- dc----w c:\documents and settings\All Users\Application Data\DIGStream
2008-12-02 21:29 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\Creative
2008-12-02 21:29 --------- dc----w c:\documents and settings\All Users\Application Data\Creative
2008-11-30 13:22 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\Skype
2008-11-30 13:02 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\skypePM
2008-11-28 21:58 --------- dc----w c:\documents and settings\Traci Hickey\Application Data\OpenOffice.org2
2008-11-26 23:24 --------- dc----w c:\program files\Mozilla Thunderbird
2008-11-26 17:42 563,712 -c--a-w c:\documents and settings\Michael Hickey\gotomypc_370.exe
2008-11-13 21:58 563,712 -c--a-w c:\documents and settings\Traci Hickey\gotomypc_370.exe
2008-10-31 20:11 --------- dc----w c:\program files\Microsoft Silverlight
2008-10-25 20:11 --------- dc----w c:\program files\MSBuild
2008-10-25 20:09 --------- dc----w c:\program files\Reference Assemblies
2008-10-25 19:50 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\Microsoft Robocopy GUI
2008-10-24 11:21 455,296 -c--a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 15:01 17,408 -c--a-r c:\windows\system32\SZIO5.dll
2008-10-23 15:00 536,576 -c--a-r c:\windows\system32\SZComp5.dll
2008-10-23 15:00 278,528 -c--a-r c:\windows\system32\SZBase5.dll
2008-10-16 19:13 202,776 -c--a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 -c--a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 -c--a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 -c--a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 -c--a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 -c--a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 -c--a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 -c--a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 -c--a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 -c--a-w c:\windows\system32\muweb.dll
2008-10-15 23:19 --------- dc----w c:\documents and settings\Michael Hickey\Application Data\McAfee
2008-10-12 17:03 --------- dc----w c:\documents and settings\All Users\Application Data\Citrix
2008-10-12 16:52 61,224 -c--a-w c:\documents and settings\Michael Hickey\GoToAssistDownloadHelper.exe
2008-10-10 11:50 --------- dc----w c:\program files\iTunes
2008-10-10 11:50 --------- dc----w c:\program files\iPod
2008-10-10 11:50 --------- dc----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-08 18:27 49,664 -c--a-r c:\windows\system32\drivers\SZKG.sys
2008-09-29 18:08 126,976 -c--a-r c:\windows\system32\IS3HTUI5.dll
2008-09-29 18:07 61,440 -c--a-r c:\windows\system32\IS3Hks5.dll
2008-09-29 18:07 372,736 -c--a-r c:\windows\system32\IS3UI5.dll
2008-09-29 18:07 23,040 -c--a-r c:\windows\system32\IS3XDat5.dll
2008-09-29 18:06 94,208 -c--a-r c:\windows\system32\IS3Inet5.dll
2008-09-29 18:06 90,112 -c--a-r c:\windows\system32\IS3Svc5.dll
2008-09-29 18:06 212,992 -c--a-r c:\windows\system32\IS3Win325.dll
2008-09-29 18:03 708,608 -c--a-r c:\windows\system32\IS3Base5.dll
2008-09-15 12:12 1,846,400 -c--a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -c----w c:\windows\system32\msxml6.dll
2008-07-09 20:34 12,592,648 -c--a-w c:\documents and settings\Michael Hickey\EVA technical presentation.zip
2006-07-18 00:39 563,712 -c--a-w c:\documents and settings\Traci Hickey\370_gotomypc.exe
2006-05-19 17:16 483,401 -c--a-w c:\documents and settings\Conor Hickey\314_gotomypc.exe
2005-11-25 20:26 483,401 -c--a-w c:\documents and settings\Michael Hickey\314_gotomypc.exe
2005-11-15 12:38 483,401 -c--a-w c:\documents and settings\Traci Hickey\314_gotomypc.exe
2007-12-13 18:57 44,360 -c--a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-12-13 18:57 107,928 -c--a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]
"QuickenScheduledUpdates"="f:\program files\Quicken\bagent.exe" [2006-10-30 57344]
"Creative Live! Cam Manager"="f:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-06-07 155648]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Google Update"="c:\documents and settings\Michael Hickey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"UnHackMe Monitor"="f:\program files\UnHackMe\hackmon.exe" [2007-09-17 228352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"HPAIO_PrintFolderMgr"="c:\windows\System32\spool\DRIVERS\W32X86\hpoopm07.exe" [2000-07-26 61440]
"DVDLauncher"="f:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"V0350Mon.exe"="c:\windows\V0350Mon.exe" [2007-08-23 28672]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="f:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-03 1261336]
"ZoneAlarm Client"="f:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Traci Hickey\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - f:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-09-23 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 MtxDma0;Matrox Dma Manager (0);c:\windows\system32\drivers\MtxDma0.sys [2007-04-22 182248]
R0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2008-10-08 49664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 vmserverdWin32;VMware Registration Service;f:\program files\VMware\VMware Server\vmserverdWin32.exe [2007-09-06 1650781]
R2 WinDefend;Windows Defender;"f:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\Drivers\V0350Afx.sys [2008-05-09 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\DRIVERS\V0350VFx.sys [2008-05-09 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\DRIVERS\V0350Vid.sys [2008-05-09 170368]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-03 30946]

*Newly Created Service* - GMER
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Michael Hickey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:55]

2008-12-07 c:\windows\Tasks\MP Scheduled Scan.job
- f:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-updateMgr - f:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll

c:\windows\Downloaded Program Files\TLIEFlashCtrlU.dll - O16 -: {94B82441-A413-4E43-8422-D49930E69764}
hxxps://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB
FireFox -: Profile - c:\documents and settings\Michael Hickey\Application Data\Mozilla\Firefox\Profiles\k0c51sus.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.google.com/ig?hl=en
FF -: plugin - c:\documents and settings\Michael Hickey\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPActX.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npImgCtl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
FF -: plugin - f:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin6.dll
FF -: plugin - f:\program files\QuickTime\Plugins\npqtplugin7.dll
FF -: plugin - f:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF -: plugin - f:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF -: plugin - f:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 08:24:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\msacm32.drv

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\avgrsstx.dll
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2008-12-07 8:25:44
ComboFix-quarantined-files.txt 2008-12-07 13:25:40

Pre-Run: 1,525,944,320 bytes free
Post-Run: 2,029,948,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

257 --- E O F --- 2008-12-06 16:58:42
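The service/driver list and the GloballyOpenPorts entry in the ComboFix log above are the kind of autostart inventory an analyst triages by timeline: anything whose file date falls on or just before the incident (the OP dates the click to 12/2) gets looked at first. The following Python script is an added example, not part of the OP's post and not ComboFix's own code. Its sample input is copied verbatim from the log above; the incident date, the one-day margin, and the reading of the two-character prefix (R = running, S = stopped, digit = start type) are the example's assumptions. A hit is a lead, not a verdict: the four AVG entries dated 2008-12-03 match the AVG install the OP describes that day, and Partizan.sys is consistent with the UnHackMe run on the same date.

```python
import re
from datetime import date, timedelta

# Sample input copied from the ComboFix log posted above (service/driver
# lines and the firewall GloballyOpenPorts entry). The code is an added
# example; the log lines themselves are the OP's data.
SERVICE_LINES = r"""
R0 MtxDma0;Matrox Dma Manager (0);c:\windows\system32\drivers\MtxDma0.sys [2007-04-22 182248]
R0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys [2008-10-08 49664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-12-03 875288]
R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-03 76040]
R2 vmserverdWin32;VMware Registration Service;f:\program files\VMware\VMware Server\vmserverdWin32.exe [2007-09-06 1650781]
R2 WinDefend;Windows Defender;"f:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 VF0350Afx;VF0350 Audio FX;c:\windows\system32\Drivers\V0350Afx.sys [2008-05-09 142656]
R3 VF0350Vfx;VF0350 Video FX;c:\windows\system32\DRIVERS\V0350VFx.sys [2008-05-09 7424]
R3 VF0350Vid;Live! Cam Video IM (VF0350);c:\windows\system32\DRIVERS\V0350Vid.sys [2008-05-09 170368]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-03 30946]
"""

FIREWALL_LINE = r'"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009'

# <R|S><start type> <service name>;<display name>;<image path> [<file date> <size>]
# Assumption: R = running, S = stopped; the digit is the SCM start type.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$"
)

# "<port>:<proto>"= <port>:<proto>:<scope>:<Enabled|Disabled>:<display label>
FIREWALL_RE = re.compile(
    r'^"(?P<key>[^"]+)"=\s*(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):'
    r"(?P<state>Enabled|Disabled):(?P<label>.*)$"
)


def parse_services(text):
    """Parse ComboFix service/driver lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["date"] = date.fromisoformat(d["date"])
        d["size"] = int(d["size"])
        entries.append(d)
    return entries


def recent_entries(entries, incident, margin_days=1):
    """Names of entries whose file date is on or after (incident - margin_days).

    `incident` may be a date or an ISO string. The margin catches files dropped
    the day before the user noticed anything; widen it if the timeline is fuzzy.
    """
    if isinstance(incident, str):
        incident = date.fromisoformat(incident)
    cutoff = incident - timedelta(days=margin_days)
    return [e["name"] for e in entries if e["date"] >= cutoff]


def parse_open_port(line):
    """Decode one GloballyOpenPorts registry value (e.g. the 3389/TCP entry above)."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        raise ValueError("not a GloballyOpenPorts entry: %r" % line)
    d = m.groupdict()
    return {"port": int(d["port"]), "proto": d["proto"], "scope": d["scope"],
            "enabled": d["state"] == "Enabled", "label": d["label"]}


if __name__ == "__main__":
    services = parse_services(SERVICE_LINES)
    for name in recent_entries(services, "2008-12-02"):
        print("recent autostart:", name)
    fw = parse_open_port(FIREWALL_LINE)
    print("firewall exception %d/%s scope=%s enabled=%s"
          % (fw["port"], fw["proto"], fw["scope"], fw["enabled"]))
```

Run against the log it flags five entries, all dated 2008-12-03, and reports the 3389/TCP (Remote Desktop) exception as present but disabled, which is what the `Disabled` field in the log says; a hardened box would not carry a wildcard-scope RDP exception at all, disabled or not.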
Old 12-07-2008, 08:28 AM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Log is looking good. Let's do a perfunctory scan.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Old 12-07-2008, 09:57 AM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp media center edition


Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

quick update running now, posting this from laptop. Everything is disabled.

If you do a netstat -a on the infected PC it shows port 1123 established to 212.47.219.86 using http.

From whois:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 212.0.0.0 - 212.255.255.255
CIDR: 212.0.0.0/8
NetName: RIPE-NCC-212
NetHandle: NET-212-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1997-11-14
Updated: 2005-08-03

# ARIN WHOIS database, last updated 2008-12-06 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database
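Two things about the check in the post above are worth making concrete. `netstat -a` resolves port numbers to service names ("http") and does not say which process owns the socket; on XP `netstat -ano` keeps ports numeric and adds the owning PID, which `tasklist` maps to an image name, and that attribution is what separates "unknown process talking to a foreign host" from "the browser running the online scanner". And the ARIN record quoted above is only a referral: the whole of 212.0.0.0/8 is allocated to RIPE NCC, and the `ReferralServer` line names the registry (whois.ripe.net) that holds the actual assignment. The Python below is an added example, not the OP's or sUBs's. The netstat and tasklist samples are constructed; the mapping of the port-1123 connection to iexplore.exe is an assumption consistent with the scanner being run from Internet Explorer, not something the thread shows. The whois text is the ARIN response quoted in the post, abridged.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output on XP (-n numeric ports, -o PID).
# The OP ran `netstat -a`, which prints "http" instead of 80 and no PID.
# The iexplore.exe attribution is an assumption for the example.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1000
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1312
  TCP    127.0.0.1:1026         127.0.0.1:1025         ESTABLISHED     1312
  TCP    192.168.1.5:1123       212.47.219.86:80       ESTABLISHED     1844
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH` output (same PIDs as above).
TASKLIST_SAMPLE = """\
"lsass.exe","1000","Console","0","1,472 K"
"avgemc.exe","1312","Console","0","3,120 K"
"iexplore.exe","1844","Console","0","45,312 K"
"""

# ARIN whois response as quoted in the thread, abridged to the relevant lines.
WHOIS_SAMPLE = """\
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
ReferralServer: whois://whois.ripe.net:43
NetRange: 212.0.0.0 - 212.255.255.255
NetType: Allocated to RIPE NCC
"""

REFERRAL_RE = re.compile(r"^ReferralServer:\s*whois://([^:\s]+)(?::(\d+))?", re.M)


def parse_netstat(text):
    """Parse `netstat -ano` rows. UDP rows have no State column, so the PID shifts left."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": pid})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def established_by_process(netstat_text, tasklist_text):
    """(image name, foreign addr:port) for every non-loopback ESTABLISHED TCP socket."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["state"] != "ESTABLISHED":
            continue
        host = c["remote"].rsplit(":", 1)[0]
        if host.startswith("127."):
            continue  # local IPC such as a mail-scanning proxy; not an external peer
        image = procs.get(c["pid"], "<unknown pid %d>" % c["pid"])
        hits.append((image, c["remote"]))
    return hits


def whois_referral(whois_text):
    """Return (host, port) of the registry ARIN refers you to, or None if no referral."""
    m = REFERRAL_RE.search(whois_text)
    if not m:
        return None
    return (m.group(1), int(m.group(2) or 43))


if __name__ == "__main__":
    for image, remote in established_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-14s -> %s" % (image, remote))
    print("authoritative whois:", whois_referral(WHOIS_SAMPLE))
```

The output attributes the single external connection to a process and tells you which registry to query next (`whois -h whois.ripe.net 212.47.219.86`). Even a clean RIPE answer only says who holds the netblock; whether the traffic is legitimate still depends on what the owning process is and why it is talking, which is exactly the question the reply below answers.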
Old 12-07-2008, 02:13 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp media center edition


Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Here is the output from the scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 09:20:51
Records in database: 1441946
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 112556
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:15:41

No malware has been detected. The scan area is clean.

The selected area was scanned.
Old 12-07-2008, 03:18 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,480
OS: N/A


Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

http://212.47.219.86/ is Kaspersky

Your system is now clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here - http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
Old 12-07-2008, 06:34 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 5
OS: xp media center edition


Re: Help Needed for self imposed hardship: facebook email/Video site virus/trojans

Thank You!!!!!!!!!!
Copyright 2001 - 2009, Tech Support Forum