Old 02-20-2009, 03:37 PM   #1 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Trojan/Malware Removal Request

DDS (Ver_09-02-01.01) - NTFSx86
Run by Emin at 13:43:15.64 on Fri 02/20/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.478 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Emin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: NoExplorer - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {2b724a82-87a0-4b68-8e3d-0ba992973808} - c:\windows\system32\cbXOhEvs.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {B9D1647F-A66A-4695-B249-07901A45FF59} - No File
uRun: [Aim6]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RegistryMechanic] "c:\program files\registry mechanic\RegMech.exe" /H
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [Explorer] "c:\windows\system32\msrstart.exe"
mRun: [ThreatFire] "c:\program files\threatfire\TFTray.exe"
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {31EE92CA-C0F5-48F7-AE60-B54CDF3BB76C} - hxxp://219.105.35.37/player/AcqVPlayerX_2_0_2_21.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189738225015
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\cbXOhEvs

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\emin\applic~1\mozilla\firefox\profiles\g4xgcheh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\documents and settings\emin\application data\mozilla\firefox\profiles\g4xgcheh.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-18 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-18 39184]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2008-10-2 110304]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [2006-12-27 9006]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-18 33040]
S2 afisicx;afisicx;c:\windows\system32\afisicx.exe [2004-8-10 96768]
S2 gupdate1c93875f5b0a676;Google Update Service (gupdate1c93875f5b0a676);c:\program files\google\update\GoogleUpdate.exe [2008-10-27 133104]
S2 mabidwe;mabidwe;c:\windows\system32\mabidwe.exe [2004-8-10 65536]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 116736]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe --> c:\windows\system32\noytcyr.exe [?]
S2 roytctm;roytctm;c:\windows\system32\roytctm.exe --> c:\windows\system32\roytctm.exe [?]
S2 soxpeca;soxpeca;c:\windows\system32\soxpeca.exe --> c:\windows\system32\soxpeca.exe [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2005-8-16 26488]
S2 tdydowkc;tdydowkc;c:\windows\system32\tdydowkc.exe [2004-8-10 202752]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S2 wsldoekd;wsldoekd Service;c:\windows\system32\wsldoekd.exe [2004-8-10 202240]
S3 Dua1;Dua1;\??\c:\docume~1\emin\locals~1\temp\rar$ex00.718\dualengine2\dualengi.sys --> c:\docume~1\emin\locals~1\temp\rar$ex00.718\dualengine2\DualEngi.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-10-2 1548380]
S3 geebers12;geebers12;\??\c:\documents and settings\emin\desktop\blorbslayerengine\blorbslayerengine\blorbslayerengine\nvid888.sys --> c:\documents and settings\emin\desktop\blorbslayerengine\blorbslayerengine\blorbslayerengine\nvid888.sys [?]
S3 GGK;GGK;\??\c:\documents and settings\emin\desktop\ggk\ggk\ggk\ggk.sys --> c:\documents and settings\emin\desktop\ggk\ggk\ggk\ggk.sys [?]
S3 iCheat1;iCheat1;\??\c:\documents and settings\emin\desktop\v39 by kazu\v39 by kazu\nvid999.sys --> c:\documents and settings\emin\desktop\v39 by kazu\v39 by kazu\nvid999.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-17 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-17 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-17 81288]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\emin\desktop\dfiber_v48\moonlight_engine_1105\ilvmoney1105.sys --> c:\documents and settings\emin\desktop\dfiber_v48\moonlight_engine_1105\IlvMoney1105.sys [?]
S3 kaspersky1;kaspersky1;\??\c:\documents and settings\emin\desktop\emins folder\all hacks here\kaspersky engine 3[1].2\kaspersky.sys --> c:\documents and settings\emin\desktop\emins folder\all hacks here\kaspersky engine 3[1].2\kaspersky.sys [?]
S3 memxers12;memxers12;\??\c:\documents and settings\emin\desktop\new folder (all)\v0.39 noob haxing\v.39 hack pack\icheat (rev1021)\nvid999.sys --> c:\documents and settings\emin\desktop\new folder (all)\v0.39 noob haxing\v.39 hack pack\icheat (rev1021)\nvid999.sys [?]
S3 saruenGang;saruenGang;\??\c:\documents and settings\emil mehrabian\desktop\everything\saruengang102\saruengang.sys --> c:\documents and settings\emil mehrabian\desktop\everything\saruengang102\saruenGang.sys [?]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\screamingbaudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-17 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-17 1079176]
S3 sejt1;sejt1;\??\c:\documents and settings\emin\desktop\emins folder\all hacks here\akumaengine33\akumaengine33\akumaengine33\sejt.sys --> c:\documents and settings\emin\desktop\emins folder\all hacks here\akumaengine33\akumaengine33\akumaengine33\sejt.sys [?]
S3 spuce1;spuce1;\??\c:\documents and settings\emin\desktop\spuce 2.0\spuce.sys --> c:\documents and settings\emin\desktop\spuce 2.0\spuce.sys [?]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2008-10-2 565248]
S3 xp1;xp1;\??\c:\documents and settings\emin\desktop\emins folder\all hacks here\xpenginenopopup\xp.sys --> c:\documents and settings\emin\desktop\emins folder\all hacks here\xpenginenopopup\xp.sys [?]
S3 Yakir1;Yakir1;\??\c:\documents and settings\emin\desktop\new folder (all)\zenxengine v2(beta closed)\log evasion engine\zenx.sys --> c:\documents and settings\emin\desktop\new folder (all)\zenxengine v2(beta closed)\log evasion engine\ZenX.Sys [?]
S3 zenx1;zenx1;\??\c:\docume~1\emilme~1\locals~1\temp\rar$ex00.953\zenxengine\zenx.sys --> c:\docume~1\emilme~1\locals~1\temp\rar$ex00.953\zenxengine\zenx.sys [?]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\andy mehrabian\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 53248]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-02-20 01:02 152,576 a------- c:\windows\system32\taskmgr.exe
2009-02-18 17:50 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-18 17:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-18 14:17 51,472 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-02-18 14:17 39,184 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-02-18 14:17 33,040 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-02-18 14:17 12,560 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-02-18 14:17 <DIR> --d----- c:\program files\ThreatFire
2009-02-18 14:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-02-17 23:51 <DIR> --d----- c:\docume~1\emin\applic~1\Malwarebytes
2009-02-17 23:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 23:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 23:50 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 23:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-17 23:13 <DIR> --d----- C:\Binaries
2009-02-17 23:12 <DIR> --d----- c:\program files\Webroot
2009-02-17 23:10 164 a------- C:\install.dat
2009-02-17 14:26 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-17 14:26 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-17 14:26 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-17 14:26 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-17 14:26 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-17 13:45 81,931 a------- c:\windows\system32\16.tmp
2009-02-17 13:44 48 a------- c:\windows\system32\15.tmp
2009-02-16 23:01 81,931 a------- c:\windows\system32\14.tmp
2009-02-16 23:01 1 a------- c:\windows\system32\13.tmp
2009-02-16 23:01 88 a------- c:\windows\system32\12.tmp
2009-02-16 22:33 81,931 a------- c:\windows\system32\5F.tmp
2009-02-16 22:33 1 a------- c:\windows\system32\5E.tmp
2009-02-16 22:33 88 a------- c:\windows\system32\5D.tmp
2009-02-16 18:12 81,931 a------- c:\windows\system32\11.tmp
2009-02-16 18:12 88 a------- c:\windows\system32\3.tmp
2009-02-16 18:12 1 a------- c:\windows\system32\10.tmp
2009-02-16 15:24 81,931 a------- c:\windows\system32\F.tmp
2009-02-16 15:24 1 a------- c:\windows\system32\B.tmp
2009-02-16 15:24 88 a------- c:\windows\system32\A.tmp
2009-02-16 15:18 81,931 a------- c:\windows\system32\9.tmp
2009-02-16 15:18 1 a------- c:\windows\system32\8.tmp
2009-02-16 15:18 88 a------- c:\windows\system32\7.tmp
2009-02-16 15:08 81,931 a------- c:\windows\system32\E.tmp
2009-02-16 15:08 1 a------- c:\windows\system32\D.tmp
2009-02-16 15:08 88 a------- c:\windows\system32\C.tmp
2009-02-16 11:47 <DIR> --d----- c:\program files\AVG
2009-02-16 11:22 61 a------- c:\windows\system32\xcchit32.ini.tmp
2009-02-16 11:22 62,464 a------- c:\windows\Qcubobesitefesu.dll
2009-02-16 11:22 101,888 a------- c:\windows\system32\grcrt.exe
2009-02-16 11:22 44,032 a------- c:\windows\system32\grcrt2.exe
2009-02-16 11:21 676,352 a------- c:\windows\system32\rtl60.bpl
2009-02-16 11:21 158,720 a------- c:\windows\system32\w.exe
2009-02-16 11:21 8 a------- c:\windows\system32\comsa32.sys
2009-02-16 11:21 406,016 a------- c:\windows\system32\tmpxccacj0.exe
2009-02-16 11:21 198 a------- c:\windows\system32\xcchit32.ini
2009-02-16 11:20 605 a------- c:\windows\xccwinsys.ini
2009-02-16 11:20 <DIR> --d----- c:\windows\system32\inf
2009-02-16 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-16 11:20 81,931 a------- c:\windows\system32\6.tmp
2009-02-16 11:20 1 a------- c:\windows\system32\5.tmp
2009-02-16 11:20 88 a------- c:\windows\system32\4.tmp
2009-02-15 21:00 0 a------- c:\windows\system32\114.tmp
2009-02-15 20:28 <DIR> --d----- c:\docume~1\emin\applic~1\AVS4YOU
2009-02-15 20:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-02-15 20:24 <DIR> --d----- c:\program files\common files\AVSMedia
2009-02-15 20:24 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-02-15 20:24 24,576 a------- c:\windows\system32\msxml3a.dll
2009-02-15 20:24 <DIR> --d----- c:\program files\AVS4YOU
2009-02-14 19:36 37,027 a------- c:\windows\atmoUn.exe
2009-02-03 14:43 <DIR> --d----- c:\program files\MuhSound

==================== Find3M ====================

2009-02-13 21:04 53,032 a------- c:\docume~1\emin\applic~1\GDIPFONTCACHEV1.DAT
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 30,720 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-13 22:55 348,160 a------- c:\windows\system32\msvcr71.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-06 14:31 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-09-14 15:53 848 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2008-09-14 15:53 88 ---shr-- c:\docume~1\alluse~1\applic~1\21F8E5CE26.sys
2008-10-23 18:03 905,053 a--sh--- c:\windows\system32\KjijRXyb.ini2
2008-10-23 23:47 930,480 a--sh--- c:\windows\system32\svEhOXbc.ini2
2008-08-29 15:17 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082920080830\index.dat

============= FINISH: 13:44:38.96 ===============


I have malware/trojans/viruses and many other things that slow down my computer.

Previous Post: Hi, I recently downloaded something miscellaneous and it turned out to be trojan viruses. I accidentally allowed a couple with Windows Defender, but blocked the rest. Then I downloaded AVG virus protection and it scanned my whole comp and gave me about 200 threats, most being trojans. Now in my processes it has the virus names, but I close those processes when they pop up. Here is a list of problems I have...
1. My Windows welcome screen does not show up, just a black screen asking for my username and PW.
2. My DEP keeps popping up telling me it closed a program to help the comp stay safe, and random folders sometimes open (DEP = Data Execution Prevention).
3. It says viruses have been detected and removed, but they haven't, because they keep showing up, and my computer is very slow now, or at least slower than usual.
4. Explorer.exe doesn't load at startup, and I have to load it twice, because the first time DEP blocks it; same with Task Manager.
5. The "System" process now takes 60,000kb, which is way too much.
7. Sometimes processes don't show the usernames.
Now I can name the processes that are viruses if you'd like, but I'd have to restart for them to load again. Also, System Restore always fails for me.

I need some expert advice please!

EDIT: My Windows welcome screen did show up after I disabled DEP, and explorer.exe loaded this time as well. The processes that were viruses don't show up anymore; they're still there, I know. The "System" process doesn't take too much memory anymore, and commit charge has dropped as well. I still know my system isn't right: notepad.exe was replaced with the nxtepad.exe trojan, and when I opened Microsoft Word the same document that was transparent displayed on my desktop with ~ in the prefix and disappeared after I closed it. I also have lots of registry that's broken. (I closed the virus processes before as well.) Here are some of the processes I think (I'm pretty sure) are trojans:

afisicx.exe
mabidwe.exe
noytcyr.exe
roytctm.exe
soxpeca.exe
tdydowkc.exe
wsidoekid.exe

I also scanned with EnumProcess:

Windows Firewall is on
[System Process]
System
\SystemRoot\System32\smss.exe
\??\C:\WINDOWS\system32\csrss.exe
\??\C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe (Microsoft Corporation / Services and Controller app)
C:\WINDOWS\system32\lsass.exe (Microsoft Corporation / LSA Shell (Export Version))
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation / Service Executable)
C:\WINDOWS\System32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation / Spooler SubSystem App)
C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc. / Google Installer)
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc. / Apple Mobile Device Service)
C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o. / AVG Watchdog Service)
C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation / Media Center Receiver Service)
C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation / Media Center Scheduler Service)
C:\WINDOWS\eHome\ehRec.exe (Microsoft Corporation / Media Center Host Module)
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google / gusvc)
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noytcyr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o. / AVG Resident Shield Service)
C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o. / AVG Network scanner Service)
C:\Nexon\Mabinogi\npkcmsvc.exe (INCA Internet Co., Ltd. / nProtect KeyCrypt Manager Service)
C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation / NVIDIA Driver Helper Service, Version 178.24)
C:\WINDOWS\system32\roytctm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe (PC Tools / PC Tools Auxiliary Service)
C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools / PC Tools Security Service)
C:\WINDOWS\system32\soxpeca.exe -> ezTrust
C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools / PC Tools Tray Application)
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\system32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\WINDOWS\explorer.exe (Microsoft Corporation / Windows Explorer)
C:\WINDOWS\system32\tdydowkc.exe
C:\Program Files\UPHClean\uphclean.exe (Microsoft Corporation / User Profile Hive Cleanup Service)
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation / MCRD Device Service)
C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o. / AVG Tray Monitor)
C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation / CTF Loader)
C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation / Windows Messenger)
C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation / Windows Defender User Interface)
C:\WINDOWS\system32\igfxsrvc.exe (Intel Corporation / igfxsrvc Module)
C:\WINDOWS\system32\taskmgr.exe (Microsoft Corporation / Windows TaskManager)
C:\Program Files\AVG\AVG8\avgui.exe (AVG Technologies CZ, s.r.o. / AVG User Interface)
C:\WINDOWS\system32\msiexec.exe (Microsoft Corporation / Windows® installer)
C:\WINDOWS\System32\alg.exe (Microsoft Corporation / Application Layer Gateway Service)
C:\WINDOWS\System32\svchost.exe (Microsoft Corporation / Generic Host Process for Win32 Services)
C:\Program Files\Spyware Doctor\pctsGui.exe (PC Tools / PC Tools GUI Application)
C:\WINDOWS\system32\MsiExec.exe (Microsoft Corporation / Windows® installer)
C:\WINDOWS\system32\MsiExec.exe (Microsoft Corporation / Windows® installer)
C:\Program Files\AVG\AVG8\avgscanx.exe (AVG Technologies CZ, s.r.o. / AVG Command-line Scanning Utility)
C:\Program Files\AVG\AVG8\avgcsrvx.exe (AVG Technologies CZ, s.r.o. / AVG Scanning Core Module - Server Part)
C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation / Firefox)
C:\Documents and Settings\Emin\Desktop\EnumProcess.exe (Me, myself and I / EnumProcess)


Thanks for help~ Emin
Attached Files
File Type: rar Attach.rar (6.6 KB, 4 views)

Old 02-21-2009, 12:57 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 02-21-2009, 03:29 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

It says McAfee Virus scanner is running. I've never used or had McAfee, it's not in my Add/Remove Programs, and it's not in my system tray, so I can't disable it. I deleted the folder in C:\Program Files though. What should I do to disable/uninstall? I won't run ComboFix until it's disabled.

I don't have MSCONFIG, but I do have regedit, so I removed it from that and it still detects. I will go over and see if I still have it.

Last edited by Emin_ence; 02-21-2009 at 03:58 PM.
Old 02-21-2009, 08:09 PM   #4 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

OK, I've managed to completely uninstall McAfee from their removal tool, but now I get this message when trying to run combofix.exe that it only works on Windows ME/XP, and I am on XP Media Center Ed. 2005, so I'm guessing that's XP. Here's what it says: Incompatable OS ComboFix only works for Windows 2000 or XP.

Last edited by Emin_ence; 02-21-2009 at 08:17 PM.
Old 02-21-2009, 09:10 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Now it says Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. So now I have two problems: it won't let me open ComboFix and it says it's incompatible, and I am a computer administrator.

cmd.exe and svchost.exe's are being manipulated, 2-3 iexplore.exe's open and use my internet connection, and system sound is off.

Last edited by Emin_ence; 02-21-2009 at 09:19 PM.
Old 02-23-2009, 10:36 AM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

Before we continue, I would like to check something first:

I would like you to scan a file for me.

Please go HERE. Copy and paste the following file path in to the box.

c:\windows\system32\taskmgr.exe

Then click submit.

Please post the results to your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 02-23-2009, 04:00 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

I cannot do this, because my internet is on "Acquiring Network Address" on my XP computer; on my Vista computer the internet works fine. I unplugged it from the router and used the modem only, same problem: the IP is 0.0.0.0 and I cannot use the 'cmd' command to renew it. I think the virus disabled it, but if it's the processes you want, I can name them. I know which ones are viruses as well.
Emin_ence is offline  
Old 02-24-2009, 07:39 PM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

Hi,

http://www.bleepingcomputer.com/foru...p/t205534.html

I do my best to reply at least once each day. This is because I also have that thing we call "real life". This is not my job and I don't get paid for this. If you think I have forgotten you, please shoot me a pm. But if you are really in a hurry to fix this, it'll be best to pay a technician to fix the computer.

If you will still continue this thread, please proceed with the instructions below.

Please zip the file, transfer it to your other machine and upload it here please:

http://www.bleepingcomputer.com/subm...php?channel=55

On the "Browse to the file you want to submit:" box, click "browse" then find the zip file and click open.

After that, please click the "send file" button.

Post back when you're done.

Last edited by Angelfire777; 02-24-2009 at 07:46 PM.
Old 02-24-2009, 09:05 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Sorry about that, I thought it might've gotten things done faster. I want to continue this thread. By the way, I'm posting the link you sent me; it looks broken to me. I don't know which file you'd want me to zip, but the instructions were probably in the link you sent me.
Attached Images
File Type: jpg brokenlink.jpg (188.5 KB, 3 views)

Last edited by Emin_ence; 02-24-2009 at 09:10 PM.
Emin_ence is offline  
Old 02-24-2009, 09:42 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

Sorry, this is the link: http://www.bleepingcomputer.com/subm...php?channel=55

I want you to zip c:\windows\system32\taskmgr.exe
Old 02-25-2009, 03:04 PM   #11 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Ok, this is from my infected computer, but uploaded from my clean computer. I also found some of the programs named after the viruses in the system32 folder, but I left them alone. Spyware S&D and ThreatFire got rid of most of the crap on Task Manager though, but I remember also seeing some 2009 thing (don't think it was Norton) and a fake c++.exe. Anyway, basically my comp won't go online, and is a lot slower and stuff, and Windows Installer keeps showing up.

Here's the file that you asked for.

I also uploaded it to bleeping computer.
Attached Files
File Type: rar taskmgr.rar (68.8 KB, 1 views)

Last edited by Emin_ence; 02-25-2009 at 03:06 PM.
Emin_ence is offline  
Old 02-25-2009, 09:16 PM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

Hi,

It seems that what I suspected was true.

Sorry to be the bearer of bad news but your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Please back up all your important data, EXCEPT for executables (.exe), screensavers (.scr), and compressed files (zip/rar/cab). It is also best that you don't back up any htm/html/php files.
Old 02-26-2009, 02:57 PM   #13 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Wow that really sucks...is there no other way???
Emin_ence is offline  
Old 02-26-2009, 03:43 PM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

I'm afraid there is no other way. Even if we go through this for days, in the end, all our efforts will be futile. As of now, there's no tool that can fix this infection, not even one. There are some tools that claim that they can disinfect it but they end up corrupting the system files just like what the virus did.

Hopefully, this experience will serve as a lesson. Downloading 'cracks', 'keygens' and other similar software will never result in anything good.

Please check out miekiemoes' "How to Prevent Malware"

Let me know if you need help with anything else.
Old 02-26-2009, 05:58 PM   #15 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Yes, I backed up my data onto my external HDD. I'm sure the viruses moved on; will it infect the external HDD if I plug it in, or can I just use search to look for the .exe and .rar files and remove them (can I extract the .rars or not?)? I'm pretty sure there are no .scr files since I never use screensavers, and my XP came pre-installed on this system, so if a friend has a retail CD copy will I be able to install it on this?

Thanks for the help, I enjoy this forum and will continue to look through the different topics it has.
Emin_ence is offline  
Old 02-26-2009, 06:43 PM   #16 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

No, it won't infect your external HD. The main reason why rars/zips should be avoided is because exes in them can also be infected, so if you're sure that a zip/rar file doesn't contain any executables, you can keep them. Again, avoid any htm/html/php files too.

Quote:
so if a friend has a retail CD copy will i be able to install it on this?
Unfortunately no. One license = one computer.

You may need to purchase a CD if the computer doesn't have any recovery CDs that came with it.

I'm glad that you're enjoying the forums
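The backup rule given in this thread (leave out .exe and .scr files and htm/html/php files, and keep a zip/rar only if it holds no executables) can be checked over a backup folder before anything is copied back to the rebuilt machine. The Python sketch below is an added example, not part of any post; the function names and the drop/review/keep labels are assumptions, and rar/cab archives are only flagged for manual review because the standard library cannot open them.

```python
import os
import zipfile

# Added example: names and bucket labels are illustrative assumptions.
# Extensions the helper in this thread said to leave out of the backup.
EXECUTABLE = {".exe", ".scr"}
WEB = {".htm", ".html", ".php"}
ARCHIVE = {".zip", ".rar", ".cab"}


def ext(name):
    return os.path.splitext(name)[1].lower()


def zip_has_risky_member(path):
    """Return True if a zip holds an executable, web file or nested archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(ext(n) in EXECUTABLE | WEB | ARCHIVE for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return True  # unreadable archive: treat as unsafe to keep


def audit_backup(root):
    """Walk a backup tree and sort files into 'drop', 'review' and 'keep'."""
    report = {"drop": [], "review": [], "keep": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            e = ext(name)
            if e in EXECUTABLE or e in WEB:
                report["drop"].append(rel)
            elif e == ".zip":
                bucket = "drop" if zip_has_risky_member(path) else "keep"
                report[bucket].append(rel)
            elif e in ARCHIVE:
                report["review"].append(rel)  # rar/cab: contents not inspected
            else:
                report["keep"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


if __name__ == "__main__":
    import sys
    for bucket, paths in audit_backup(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(bucket, *paths, sep="\n  ")
```

The script only reports; it never opens, runs or deletes the files it lists, so it can be run from the clean machine against the external drive.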
Old 02-27-2009, 01:00 AM   #17 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Eh, I'll look for a recovery CD, and if I can't find it I'll just have to buy one. I also read some of the malware guide; I didn't read it all, but I will. I really appreciated the help though, thanks.
Emin_ence is offline  
Old 02-27-2009, 09:31 AM   #18 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
Angelfire777's Avatar
 
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Trojan/Malware Removal Request

You're welcome :)

If you don't need anything anymore, I will close this thread.
Old 02-27-2009, 05:22 PM   #19 (permalink)
Registered User
 
Join Date: Feb 2009
Posts: 14
OS: Windows XP


Re: Trojan/Malware Removal Request

Ok go ahead and close, again ty.
Emin_ence is offline  

All times are GMT -7.

Copyright 2001 - 2009, Tech Support Forum