Help Needed Spyware.possible_website_hijack

[IggyPop]

Hi Chemist,

So Far so good here is the Combo log

IggyPop

ComboFix 09-06-26.02 - Shawn 06/27/2009 21:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2433 [GMT -8:00]
Running from: c:\documents and settings\Shawn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shawn\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shawn\Application Data\Azureus
c:\documents and settings\Shawn\Application Data\Azureus\.certs
c:\documents and settings\Shawn\Application Data\Azureus\.keystore
c:\documents and settings\Shawn\Application Data\Azureus\.lock
c:\documents and settings\Shawn\Application Data\Azureus\active\27AD71CE841E4C8E4BEDB8B68154BE09D08940EC.dat
c:\documents and settings\Shawn\Application Data\Azureus\active\44376000C1FB807E5F073370300CF1FCB7EFB764.dat
c:\documents and settings\Shawn\Application Data\Azureus\active\4483ECFD130A7EC26885660BAE1FB75DA398688B.dat
c:\documents and settings\Shawn\Application Data\Azureus\active\97CDE6478F1B9D1A45D6F5B4E4F135F09B859184.dat
c:\documents and settings\Shawn\Application Data\Azureus\azureus.config
c:\documents and settings\Shawn\Application Data\Azureus\azureus.statistics
c:\documents and settings\Shawn\Application Data\Azureus\banips.config
c:\documents and settings\Shawn\Application Data\Azureus\cache\1191085919.ico
c:\documents and settings\Shawn\Application Data\Azureus\cnetworks.config
c:\documents and settings\Shawn\Application Data\Azureus\devices.config
c:\documents and settings\Shawn\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\Shawn\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\Shawn\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\Shawn\Application Data\Azureus\dht\general.dat
c:\documents and settings\Shawn\Application Data\Azureus\dht\version.dat
c:\documents and settings\Shawn\Application Data\Azureus\downloads.config
c:\documents and settings\Shawn\Application Data\Azureus\filters.config
c:\documents and settings\Shawn\Application Data\Azureus\friends.config
c:\documents and settings\Shawn\Application Data\Azureus\ipfilter.cache
c:\documents and settings\Shawn\Application Data\Azureus\metasearch.config
c:\documents and settings\Shawn\Application Data\Azureus\net\pm_8047.dat
c:\documents and settings\Shawn\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\Shawn\Application Data\Azureus\plugins\azupnpav\cd.dat
c:\documents and settings\Shawn\Application Data\Azureus\sidebarauto.config
c:\documents and settings\Shawn\Application Data\Azureus\subs\03D8F22765B9E59B32A1.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\047969C2F30A401262F9.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\1A6C7A24D03A8681DBE8.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\2DF43E7396E6157D8CE5.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\39554085B8E2EE6D631B.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\41B5BA8E964DADE2D58B.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\447229A3A371779E8871.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\72C5BF989E85043749E9.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\745F6E1D6E3B69A353E3.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\821B4D348AFDD02D8CBF.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\8DE6E5753F5ADF094F49.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\95B34C1A1F40931D0972.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\9B9B6DCAA5CBDE22CB82.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\A1D26F82A30D6241E9B9.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\A944E6E027737E4EEB85.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\AD8051E73A76B5270EC8.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\E67D8443DF3B6D5C02B4.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\ED7A4A68D27A7C72BABE.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\F14DB936646DBBA8A53E.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subs\F8B566BCA64E84B4B29C.vuze
c:\documents and settings\Shawn\Application Data\Azureus\subscriptions.config
c:\documents and settings\Shawn\Application Data\Azureus\tables.config
c:\documents and settings\Shawn\Application Data\Azureus\timingstats.dat
c:\documents and settings\Shawn\Application Data\Azureus\torrents\[isoHunt] download-albums-201615-Muse 5 albums 3710201 TPB.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\[isoHunt] download.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\[isoHunt] Janes Addiction - Nothing's Shocking (mp3).torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\[isoHunt] ParetoLogic RegCure v1.5.2.7 Incl Keygen.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\slackware-12.2-install-dvd.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii-Godzilla.Unleashed.PAL.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii-Major.League.Baseball.2K8.NTSC.USA.WiiScrubbed.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii-Mario.Super.Sluggers.NTSC.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii-Super.Smash.Bros.Brawl.NTSC.USA.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii-Wii.Metroid.Prime.3.Corruption.USA.torrent
c:\documents and settings\Shawn\Application Data\Azureus\torrents\Wii_-_Wad_Installer_v2.4157188.TPB.torrent
c:\documents and settings\Shawn\Application Data\Azureus\tracker.config
c:\documents and settings\Shawn\Application Data\Azureus\unsentdata.config
c:\documents and settings\Shawn\Application Data\Azureus\update.log
c:\documents and settings\Shawn\Application Data\Azureus\update.properties
c:\documents and settings\Shawn\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\Shawn\Application Data\Azureus\VuzeActivities.config
c:\program files\Azureus
c:\program files\Azureus\hs_err_pid3028.log
c:\program files\Azureus\hs_err_pid5980.log
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.32.zip
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.jar
c:\program files\Azureus\plugins\azemp\azemp_2.0.34.zip
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.jar
c:\program files\Azureus\plugins\azemp\azemp_2.1.02.zip
c:\program files\Azureus\plugins\azemp\mplayer\config
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.32
c:\program files\Azureus\plugins\azemp\plugin.properties_2.0.34
c:\program files\Azureus\plugins\azemp\plugin.properties_2.1.02
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.17.zip
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Azureus\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.17
c:\program files\Azureus\plugins\azupnpav\plugin.properties_0.2.5

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll --> c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-27 18:31 . 2009-06-27 18:31 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-17 05:56 . 2008-05-14 20:33 121376 ----a-w- c:\windows\system32\bfLLR.dll
2009-06-17 05:56 . 2008-05-14 20:33 114720 ----a-w- c:\windows\system32\instLLR.exe
2009-06-17 04:17 . 2009-06-17 04:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-17 03:59 . 2009-06-17 03:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-06-17 02:57 . 2009-06-17 03:03 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-17 02:57 . 2009-06-17 03:02 5504 ----a-w- c:\windows\system32\drivers\intelide.sys
2009-06-17 02:57 . 2009-06-17 03:02 35328 ----a-w- c:\windows\system32\drivers\pcntpci5.sys
2009-06-17 02:57 . 2009-06-17 03:02 20608 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-06-17 02:57 . 2009-06-17 03:02 14208 ----a-w- c:\windows\system32\drivers\battc.sys
2009-06-17 02:57 . 2009-06-17 03:02 13952 ----a-w- c:\windows\system32\drivers\cmbatt.sys
2009-06-17 02:57 . 2009-06-17 03:02 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2009-06-17 02:36 . 2009-06-17 02:36 9728 ----a-w- c:\windows\system32\Native.exe
2009-06-17 02:36 . 2009-06-17 02:58 -------- d-----w- C:\ReimageUndo
2009-06-16 09:22 . 2009-06-17 05:18 -------- d-----w- C:\rei
2009-06-16 09:22 . 2009-06-16 09:22 -------- d-----w- c:\program files\Reimage
2009-06-15 03:38 . 2009-06-15 03:38 152576 ----a-w- c:\documents and settings\Shawn\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-14 23:38 . 2009-06-14 23:39 -------- d-----w- c:\documents and settings\Shawn\Application Data\Blackberry Desktop
2009-06-13 03:50 . 2009-06-13 03:50 256 ----a-w- c:\documents and settings\Shawn\pool.bin
2009-06-11 20:33 . 2009-06-11 20:33 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-06-07 05:51 . 2009-06-07 05:52 -------- d-----w- c:\program files\Roxio
2009-06-07 05:51 . 2009-06-07 05:51 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-06-07 04:37 . 2009-06-14 23:56 256 ----a-w- c:\windows\system32\pool.bin
2009-06-07 04:36 . 2009-06-07 04:36 -------- d-----w- c:\documents and settings\Shawn\Application Data\Research In Motion
2009-06-07 04:13 . 2009-06-07 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-06-07 04:10 . 2009-06-07 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-06-07 04:10 . 2009-06-07 05:53 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-06-07 04:05 . 2007-01-18 18:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-06-07 04:03 . 2009-06-07 07:01 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-06-07 04:03 . 2009-06-07 04:03 -------- d-----w- c:\program files\Research In Motion
2009-06-07 03:37 . 2009-06-07 03:37 -------- d-sh--w- c:\windows\ftpcache
2009-05-31 09:06 . 2009-05-31 09:14 -------- d-----w- c:\documents and settings\Shawn\Application Data\vlc
2009-05-31 07:36 . 2009-06-02 02:24 -------- d-----w- c:\documents and settings\Shawn\dwhelper
2009-05-30 20:33 . 2009-05-30 20:33 -------- d-----w- c:\program files\Datel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 18:11 . 2009-05-23 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-27 18:10 . 2008-11-16 04:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-27 18:10 . 2008-11-16 04:03 -------- d-----w- c:\program files\Symantec
2009-06-27 18:10 . 2009-05-23 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-27 08:46 . 2008-11-15 00:03 -------- d-----w- c:\documents and settings\Shawn\Application Data\MSN6
2009-06-27 02:45 . 2008-11-15 22:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-27 02:45 . 2009-05-18 20:59 -------- d-----w- c:\program files\Spyware Doctor
2009-06-23 21:43 . 2008-11-19 07:17 39360 ----a-w- c:\windows\system32\drivers\maplom.sys
2009-06-23 21:42 . 2008-11-19 07:17 41920 ----a-w- c:\windows\system32\drivers\maploml.sys
2009-06-20 03:56 . 2009-02-02 06:02 -------- d-----w- c:\program files\Acronis
2009-06-20 03:45 . 2009-02-02 06:02 971552 ----a-w- c:\windows\system32\drivers\tdrpm174.sys
2009-06-20 03:30 . 2009-05-24 06:54 -------- d-----w- c:\program files\Norton Save and Restore
2009-06-20 03:30 . 2008-11-16 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-19 06:49 . 2008-11-18 09:38 -------- d-----w- c:\program files\StarWarsGalaxies
2009-06-19 02:15 . 2009-04-29 19:26 117760 ----a-w- c:\documents and settings\Shawn\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-18 15:46 . 2008-11-24 08:04 -------- d-----w- c:\program files\SpeedFan
2009-06-17 04:50 . 2008-11-15 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-17 04:27 . 2009-02-22 21:40 905768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-17 04:03 . 2008-11-14 21:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-17 03:02 . 2004-08-04 10:00 285184 ----a-w- c:\windows\system32\gdi32.dll
2009-06-17 03:02 . 2004-08-04 10:00 246272 ----a-w- c:\windows\system32\es.dll
2009-06-17 03:02 . 2008-11-14 20:16 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-17 03:02 . 2004-08-04 10:00 92504 ----a-w- c:\windows\system32\cdm.dll
2009-06-17 03:02 . 2004-08-04 10:00 71680 ----a-w- c:\windows\system32\admparse.dll
2009-06-17 03:02 . 2004-08-04 10:00 35328 ----a-w- c:\windows\system32\corpol.dll
2009-06-17 03:02 . 2004-08-04 10:00 139264 ----a-w- c:\windows\system32\cscript.exe
2009-06-17 02:37 . 2005-03-30 01:21 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-06-17 02:37 . 2005-03-30 01:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-06-15 05:00 . 2009-06-15 05:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-06-15 04:59 . 2009-06-15 04:59 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-06-15 04:58 . 2009-06-15 04:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-06-15 04:58 . 2009-06-15 04:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-06-15 04:58 . 2009-06-15 04:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-15 03:51 . 2008-11-15 22:44 -------- d-----w- c:\program files\SpywareBlaster
2009-06-15 03:37 . 2009-02-07 19:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-13 07:35 . 2008-11-15 05:54 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-13 04:02 . 2008-11-15 19:46 -------- d-----w- c:\program files\Microsoft Works
2009-06-07 06:10 . 2008-11-14 21:32 96536 ----a-w- c:\documents and settings\Shawn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 04:10 . 2008-11-14 21:25 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-29 08:17 . 2008-11-19 06:56 -------- d-----w- c:\program files\Elaborate Bytes
2009-05-26 05:44 . 2009-04-09 03:36 -------- d-----w- c:\program files\iPod
2009-05-25 23:33 . 2009-05-25 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-25 23:32 . 2009-05-23 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-05-25 12:01 . 2009-05-25 12:01 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2009-05-25 08:24 . 2008-05-27 07:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 22:26 . 2008-11-15 19:46 -------- d-----w- c:\program files\MSBuild
2009-05-24 07:11 . 2008-11-16 06:36 -------- d-----w- c:\documents and settings\Shawn\Application Data\Symantec
2009-05-24 06:46 . 2009-05-24 06:46 -------- d-----w- c:\program files\inKline Global
2009-05-23 22:35 . 2009-01-01 10:17 -------- d-----w- c:\program files\Bigfoot Networks
2009-05-19 13:05 . 2009-05-19 13:05 1380403 ----a-w- c:\windows\system32\avgsdk.dll
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-27_18.30.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 22:02 . 2009-06-27 22:02 16384 c:\windows\Temp\Perflib_Perfdata_9b8.dat
+ 2009-06-27 22:00 . 2009-06-27 22:00 16384 c:\windows\Temp\Perflib_Perfdata_858.dat
+ 2009-06-27 18:31 . 2009-06-17 03:03 53080 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-27 18:31 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-27 18:31 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-27 18:31 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-27 18:31 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-27 18:31 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2006-03-04 03:33 . 2008-08-26 07:24 826368 c:\windows\system32\dllcache\wininet.dll
+ 2009-06-27 18:31 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-27 18:31 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-27 18:31 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-27 18:31 . 2009-06-17 03:03 108544 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-27 18:31 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-27 18:31 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-27 18:31 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-27 18:31 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-27 18:31 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-27 18:31 . 2009-06-17 02:37 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-27 18:31 . 2009-06-17 02:37 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-27 18:31 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-06-12 2952128]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-09-29 106496]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"PC Booster"="c:\program files\inKline Global\PC Booster\PCBooster.exe" [2008-03-24 14479360]
"Maplom"="c:\program files\SlySoft\Game Jackal\GameJackal.exe" [2009-06-23 6501824]
"Reimage PC Booster"="c:\program files\Reimage\Reimage PC Booster\Postrebootexecuter.exe" [2009-06-23 83240]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-11-22 4352832]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-11-22 960528]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-11-22 165144]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-28 1657376]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Killer Tray Menu.lnk - c:\program files\Bigfoot Networks\Killer Driver\KillerTray.exe [2009-6-16 604672]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-17 528384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 20:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-25 07:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Registration Tool.lnk]
backup=c:\windows\pss\Run Registration Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shawn^Start Menu^Programs^Startup^Neverwinter Nights Registration.lnk]
backup=c:\windows\pss\Neverwinter Nights Registration.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\StarWarsGalaxies\\SwgClient_r.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Republic Commando\\GameData\\System\\SWRepublicCommando.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/18/2009 1:00 PM 130936]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2/1/2009 10:02 PM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2/1/2009 10:02 PM 971552]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [5/18/2009 1:04 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [5/18/2009 1:04 PM 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/18/2009 1:02 PM 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]
R2 Killer Port Manager;Killer Port Manager;c:\program files\Bigfoot Networks\Killer Driver\PortManager.exe [6/16/2009 9:56 PM 236544]
R3 MaplomL;MaplomL;c:\windows\system32\drivers\maploml.sys [11/18/2008 11:17 PM 41920]
R3 NetB834x;Killer NIC Gaming Adapter Service;c:\windows\system32\drivers\NetB834x.sys [1/1/2009 2:18 AM 103072]
R3 NetbEdge;Killer NIC NDIS-Edge Service;c:\windows\system32\drivers\NetBEdge.sys [1/1/2009 2:18 AM 22048]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [4/4/2008 3:49 PM 136832]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; [x]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [11/14/2008 1:36 PM 26488]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/22/2009 12:56 AM 38496]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/17/2006 10:09 AM 35072]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/18/2009 12:59 PM 64392]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/18/2009 12:59 PM 348752]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [5/18/2009 1:04 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
LSP: %SYSTEMROOT%\system32\BfLLR.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Shawn\Application Data\Mozilla\Firefox\Profiles\x29ut26f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rls=ig
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B42C9E5A-A4DC-1B20-3BF4-7995B2A877E2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abajgkehfnccennnoppcjoigjhgimhphdj"=hex:6b,61,65,6c,61,64,66,6e,6c,6b,6b,6f,
64,66,6f,6c,61,64,68,6a,61,64,00,00
"pakfdanklgfmddfmcpopmomicbpacppn"=hex:6a,61,61,6b,6c,65,64,70,6d,65,63,68,66,
66,6e,64,6d,6f,67,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(732)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\system32\BfLLR.dll
.
Completion time: 2009-06-28 21:54
ComboFix-quarantined-files.txt 2009-06-28 05:54
ComboFix2.txt 2009-06-28 02:42
ComboFix3.txt 2009-06-27 18:32

Pre-Run: 58,833,715,200 bytes free
Post-Run: 58,811,248,640 bytes free

363

[chemist]

Hello again, IggyPop.

Looking for keygens and cracks via torrents is quite often how people get their machines infected. Are there anymore on this machine? I suggest you delete them.

Quote:

c:\documents and settings\Shawn\Application Data\Azureus\torrents\[isoHunt] ParetoLogic RegCure v1.5.2.7 Incl Keygen.torrent

All keygens and cracks should be avoided. They are tantamount to stealing, as well as offering you a great way to get infected.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at any Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected.
• It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior

[IggyPop]

Hello Chemist,

Here is the Kaspersky Report.

IggyPop


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, June 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, June 28, 2009 23:38:44
Records in database: 2400010
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 230124
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:45:54


File name / Threat name / Threats count
C:\System Volume Information\_restore{7A68FB66-1291-4DC2-8C38-58883204592F}\RP8\A0005241.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 2

The selected area was scanned.

[chemist]

Hello again, IggyPop. System Volume Information is where Windows keeps old system restore points. Those will get deleted when we uninstall ComboFix.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable SpywareDoctor before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:

• How Did I Get Infected In The First Place? by TonyKlein
• How to Prevent Malware by miekiemoes

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

• WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
  WOT has an add-on available for both Firefox and IE.
  
• SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  
• MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.
• IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here

Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.

[IggyPop]

Hello Chemist,

Ok all is well and I do Thank You very much for your Help it is much appreciated!! I have everything back up and running as normal and I took your advise on removing the Reg cleaning tools but one question still remains before we rap this up, do you recommend I keep Spyware Doc or uninstall it? reason why I ask is that I had seen a thread from a post that was from these forums with the same exact issue I had with SD and the Techsupport team recommended He Uninstall it, Just an observation I thought I would get your opinion.

Once again I Thank You Very much
Sincerely
IggyPop

[chemist]

You're very welcome, IggyPop! Glad to have helped.

Read here for a detailed explanation of the conflict > http://forums.spybot.info/showthread.php?t=49476

In a nutshell, spywareinfo.com was sold and is now a rogue site. The new site is now spywareinfoforum.com. Spybot detects spywareinfo.com as a rogue and adds an entry to your Hosts file to prevent access. SpywareDoctor still sees the site as legit and removes the entry from your Hosts file, hence the conflict. Personally, I wouldn't have SpywareDoctor on my machine.

A good, free one is Avira's AntiVir > http://www.free-av.com/

An excellent purchased one is ESET's NOD32 > http://www.eset.com/download/