Tech Support Forum

Registered · 12 Posts · Discussion Starter · #1
Hello,

I have just spent the last 48 hours researching and removing some rather nasty Malware from my PC. The Malware in question posed as an antivirus program and sent massive pop-ups onto my desktop, changed my web browser home page and shut it down at random, and messed about with my registry, among other things. I have resolved all of these issues myself; however, there is one problem that still remains: I am missing several tabs under my Display Properties. The malware program changed my desktop background to a blue screen stating "Warning! Spyware detected on your computer!" and I cannot access the menu to remove it. Likewise, the Malware changed my screensaver to a freeware app that simulates a "blue screen of death", but it is dismissed as easily as any other screensaver. Again, I cannot access the menu to change this. While neither of these issues is more than an annoyance, I would like to resolve them and put this whole episode behind me.
Thanks,
Nate K
 

TSF Security Manager, Emeritus · 51,795 Posts
Best to get a look at some logs... to ensure all is gone, as well as fix the reg policies.

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------
 

TSF Security Manager, Emeritus · 51,795 Posts
Run dss.exe again, but use these instructions (dss.exe must be on your desktop!):

Click Start > select 'Run', then copy/paste the following text into the Run box and click OK:

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

View all the categories listed, and uncheck whichever one caused the problem. (Typically Temp Cleanup on the left side of the screen and Event Logs on the right side)

Click Scan!

Post the main.txt and extra.txt it produces.
 

Registered · 12 Posts · Discussion Starter · #6
Thanks, that worked just fine. Here are the results:

Deckard's System Scanner v20071014.68
Run by Larry on 2008-06-25 17:43:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
40: 2008-06-25 19:17:20 UTC - RP266 - Deckard's System Scanner Restore Point
39: 2008-06-24 23:01:52 UTC - RP265 - System Checkpoint
38: 2008-06-23 22:13:30 UTC - RP264 - System Checkpoint
37: 2008-06-22 04:06:14 UTC - RP263 - System Checkpoint
36: 2008-06-20 22:17:10 UTC - RP262 - Removed Call of Duty(R) 2


-- First Restore Point --
1: 2008-04-08 22:21:58 UTC - RP227 - System Checkpoint


Backed up registry hives.

System Drive C: has 17.41 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-25 17:45:48
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\Documents and Settings\Larry\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBHO.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Go!Zilla IE Helper - {E1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GoZilla\GozCatch.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: vrmdtneg - {18680ABA-254E-4847-8E2C-494B9E1B9C20} - (no file)
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lphcawsj0ena1] C:\WINDOWS\system32\lphcawsj0ena1.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab Class) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection -

--
End of file - 11968 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync03 (StarForce Protection Synchronization Driver (version 3.x)) - c:\windows\system32\drivers\sfsync03.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.0.1>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 lirsgt - c:\windows\system32\drivers\lirsgt.sys
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\windows\system32\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-24 08:23:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-21 01:04:12 564 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Larry.job


-- Files created between 2008-05-25 and 2008-06-25 -----------------------------

2008-06-25 05:17:18 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-06-24 16:09:26 0 d-------- C:\Program Files\rhcewsj0ena1
2008-06-24 12:55:34 0 d-------- C:\Program Files\ThreatFire
2008-06-24 12:55:34 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-24 12:49:15 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-24 12:49:14 10752 --a------ C:\WINDOWS\system32\md5.dll <Not Verified; ; MD5 Maker>
2008-06-24 12:49:12 0 d-------- C:\Program Files\MalwareSweeper.com
2008-06-23 21:35:38 94208 --a------ C:\WINDOWS\system32\pphcawsj0ena1.exe
2008-06-23 21:35:38 0 d-------- C:\Documents and Settings\Larry\Application Data\rhcewsj0ena1
2008-06-23 21:34:41 94208 --a------ C:\WINDOWS\exks.exe
2008-06-23 19:07:35 0 d-------- C:\STRIFE
2008-06-23 19:07:17 724193 --a------ C:\zombiepox_install.exe
2008-06-23 19:03:32 0 d-------- C:\SANITY
2008-06-23 17:08:59 0 d-------- C:\Program Files\Crimsonland
2008-06-23 17:08:48 0 d-------- C:\Program Files\ReflexiveArcade
2008-06-23 16:36:21 0 d-------- C:\Program Files\TLawnmower
2008-06-23 16:27:13 0 d-------- C:\Program Files\HCNSB
2008-06-23 16:26:08 0 d-------- C:\Program Files\HC
2008-06-23 15:59:08 0 d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-23 13:55:36 0 d-------- C:\Documents and Settings\Larry\Application Data\TmpRecentIcons
2008-06-23 02:31:55 0 d-------- C:\Documents and Settings\Larry\Application Data\Malwarebytes
2008-06-23 02:30:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 02:29:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 02:27:02 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-22 22:18:38 94208 --a------ C:\WINDOWS\exre.exe
2008-06-21 16:05:52 0 d-------- C:\Program Files\Tropico 2 Pirate Cove
2008-06-21 03:11:11 0 d-------- C:\games
2008-06-21 01:05:32 0 d-------- C:\Program Files\Tropico
2008-06-20 18:56:36 0 d-------- C:\Program Files\Hothead Games
2008-06-20 03:09:48 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 03:09:44 0 d-------- C:\Documents and Settings\Larry\Application Data\skypePM
2008-06-20 03:08:30 0 d-------- C:\Documents and Settings\Larry\Application Data\Skype
2008-06-20 03:07:18 0 d-------- C:\Program Files\Skype
2008-06-20 03:07:17 0 d-------- C:\Program Files\Common Files\Skype
2008-06-20 03:07:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-13 02:44:08 0 d-------- C:\Program Files\Bos Wars
2008-06-13 02:23:46 0 d-------- C:\Program Files\Glest_3.1.2
2008-06-13 02:23:35 0 d-------- C:\Program Files\Wesnoth.1.4.3
2008-06-12 21:14:42 0 d-------- C:\Program Files\Medieval Knights v1.61
2008-06-12 13:12:11 47 --a------ C:\WINDOWS\2099
2008-06-12 05:27:23 0 d-------- C:\DarksunGames
2008-06-11 03:35:24 0 d-------- C:\Program Files\Fishie Fishie
2008-06-11 01:57:17 0 d-------- C:\Program Files\Steam
2008-06-09 21:19:48 0 d-------- C:\Program Files\Black Isle
2008-06-09 20:35:43 96896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
2008-06-09 20:35:43 0 d-------- C:\Program Files\MagicDisc
2008-06-09 18:07:57 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-06-09 18:07:51 0 d-------- C:\WINDOWS\Logs
2008-06-09 17:16:21 0 d-------- C:\Program Files\Common Files\BioWare
2008-06-09 16:59:25 0 d-------- C:\Program Files\Mass Effect
2008-06-09 16:28:35 0 d-------- C:\WINDOWS\nvidia icons
2008-06-09 16:27:50 0 d-------- C:\NVIDIA
2008-06-09 16:20:18 0 d-------- C:\Program Files\SystemRequirementsLab
2008-06-04 02:12:59 0 d-------- C:\Program Files\The Spirit Engine
2008-06-04 01:58:54 0 d-------- C:\Program Files\Dark Oberon
2008-05-31 11:11:36 0 d-------- C:\Program Files\MSXML 6.0
2008-05-31 10:45:50 0 d-------- C:\Documents and Settings\Larry\Application Data\Corel
2008-05-31 10:45:48 3402 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-31 10:45:48 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\B9FCA7A350.sys
2008-05-31 10:45:33 10368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
2008-05-31 10:44:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-31 10:44:19 0 d-------- C:\Program Files\InterVideo
2008-05-31 10:44:18 0 d-------- C:\Program Files\Common Files\Protexis
2008-05-31 10:44:18 0 d-------- C:\Program Files\Common Files\InterVideo
2008-05-31 10:43:49 0 d-------- C:\Program Files\Corel
2008-05-31 10:35:57 0 d-------- C:\Program Files\MagicISO
2008-05-31 01:05:43 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-31 01:05:43 25244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-31 01:05:43 4672 --a------ C:\WINDOWS\system\WOWPOST.EXE <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-31 01:05:43 5600 --a------ C:\WINDOWS\system\WINASPI.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-05-31 01:05:41 0 d-------- C:\Program Files\DVDZip 3.1
2008-05-30 22:27:11 0 d-------- C:\Program Files\koei
2008-05-30 15:41:22 0 d-------- C:\Program Files\Lighthouse Interactive
2008-05-29 23:22:47 0 d-------- C:\Documents and Settings\Larry\Application Data\Go!Zilla
2008-05-29 23:22:24 0 d-------- C:\Program Files\GoZilla
2008-05-25 12:59:51 0 d-------- C:\Program Files\AOL 9.0a


-- Find3M Report ---------------------------------------------------------------

2008-06-25 17:46:39 0 d-------- C:\Documents and Settings\Larry\Application Data\Azureus
2008-06-25 17:45:28 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-25 16:07:03 0 d-------- C:\Program Files\Symantec
2008-06-25 16:06:27 0 d-------- C:\Program Files\Norton Internet Security
2008-06-24 15:52:14 0 d-------- C:\Program Files\QuickTime
2008-06-23 02:27:02 0 d-------- C:\Program Files\Common Files
2008-06-23 01:55:21 0 d-------- C:\Program Files\Soulseek
2008-06-21 01:05:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-19 22:36:07 0 d-------- C:\Program Files\Azureus
2008-06-11 01:53:33 0 d-------- C:\Documents and Settings\Larry\Application Data\Adobe
2008-05-29 16:37:00 0 d-------- C:\Program Files\Google
2008-05-25 13:01:42 0 d-------- C:\Documents and Settings\Larry\Application Data\AOL
2008-05-25 13:00:45 0 d-------- C:\Program Files\Common Files\AOL
2008-05-25 13:00:03 0 d-------- C:\Program Files\Common Files\aolshare
2008-05-25 12:21:47 37190 --a------ C:\Documents and Settings\Larry\Application Data\Microsoft Excel.ADR
2008-05-23 15:04:56 0 d-------- C:\Program Files\AOL 9.1
2008-05-23 00:36:21 0 d-------- C:\Program Files\Polychromatic Funk Monkey
2008-05-23 00:04:05 0 d-------- C:\Program Files\ROM CHECK FAIL
2008-05-05 02:33:17 0 d-------- C:\Program Files\DOSBox-0.65
2008-05-04 21:15:50 0 d-------- C:\Program Files\Rockstar Games
2008-05-02 22:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1FF080D-12A3-439A-A2EF-4BA95A3148E8}]
01/22/2008 01:46 PM 345152 --a------ C:\Program Files\GoZilla\GozCatch.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [10/23/2006 08:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [02/15/2007 08:26 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe" [05/25/2007 01:16 PM]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 06:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [07/25/2005 12:47 PM C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [07/25/2005 12:47 PM C:\WINDOWS\ALCMTR.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/09/2007 10:59 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [09/05/2006 09:22 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 10:46 PM]
"nwiz"="nwiz.exe" [05/02/2008 10:46 PM C:\WINDOWS\system32\nwiz.exe]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04/06/2007 05:49 PM]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [04/05/2004 05:33 PM]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [10/15/2005 09:15 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 10:36 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/28/2007 08:51 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/02/2008 10:46 PM]
"lphcawsj0ena1"="C:\WINDOWS\system32\lphcawsj0ena1.exe" []
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [04/24/2008 04:52 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/23/2007 05:18 PM]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [10/08/2003 05:00 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/2003 06:43 PM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [04/03/2007 06:29 PM]
"Steam"="c:\program files\steam\steam.exe" [06/11/2008 01:57 AM]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [11/11/2007 04:20 PM]

C:\Documents and Settings\Larry\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [6/9/2008 8:35:43 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [4/24/2002 2:28:32 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 4:15:54 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38bdf41-bcfb-11db-8c2c-806d6172696f}\Name]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38bdf41-bcfb-11db-8c2c-806d6172696f}\Name- Sub Command]

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-06-25 17:48:02 ------------
 

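Added example (not from this thread and not part of Deckard's System Scanner): a small Python triage over the Registry Dump section of a main.txt log like the one above. It parses the `[HKEY_...]` policy blocks, reports which Display Properties restrictions are switched on (in this log, NoDispBackgroundPage and NoDispScrSavPage, which is exactly why the Desktop and Screen Saver tabs were missing in the first post), and emits a .reg fragment that clears them. SAMPLE_LOG is a constructed excerpt copied from the shape of the log above; NoDispAppearancePage and NoDispSettingsPage are standard Windows policy values that do not appear in this log.

```python
"""Triage the registry-policy section of a DSS main.txt log.

Added example: not from the forum thread and not DSS's own code. It reads
the "[HKEY_...\\policies\\system]" blocks DSS prints in its Registry Dump,
reports which Display Properties restrictions are set, and builds a .reg
fragment that clears only those values.
"""
import re

# Policy values under ...\Policies\System that hide Display Properties UI.
# The value names are the standard Windows policy names; the descriptions
# are ours.
DISPLAY_POLICIES = {
    "NoDispCPL": "hides the whole Display control panel applet",
    "NoDispBackgroundPage": "hides the Desktop (wallpaper) tab",
    "NoDispScrSavPage": "hides the Screen Saver tab",
    "NoDispAppearancePage": "hides the Appearance tab",
    "NoDispSettingsPage": "hides the Settings tab",
}

# Constructed excerpt in the format DSS uses in the log above.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"NoDispCPL"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"""

HEADER_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
# DSS prints DWORDs as:  "Name"=<decimal> (0x<hex>)
VALUE_RE = re.compile(r'^"([^"]+)"=(\d+)\s*\(0x([0-9A-Fa-f]+)\)\s*$')


def parse_registry_dump(text):
    """Return {key_path: {value_name: int}} for every [HKEY_...] block."""
    blocks = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dec, hexval = m.groups()
            value = int(hexval, 16)
            # DSS prints both forms; treat a mismatch as a corrupted line.
            if value != int(dec):
                raise ValueError(f"inconsistent value on line: {line!r}")
            blocks[current][name] = value
    return blocks


def display_restrictions(blocks):
    """List (key, name, reason) for each display policy set to non-zero."""
    found = []
    for key, values in blocks.items():
        if not key.lower().endswith("\\policies\\system"):
            continue
        for name, reason in DISPLAY_POLICIES.items():
            if values.get(name, 0) != 0:
                found.append((key, name, reason))
    return found


def build_reg_fix(restrictions):
    """Build a .reg file body that resets each flagged policy value to 0.

    Importing it with regedit.exe restores the hidden tabs and touches
    nothing else (key paths are matched case-insensitively by regedit).
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for key, name, _reason in restrictions:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = display_restrictions(parse_registry_dump(SAMPLE_LOG))
    for key, name, reason in hits:
        print(f"{name} = 1 under {key}: {reason}")
    print(build_reg_fix(hits))
```

The same values can be set legitimately by Group Policy on a domain-managed machine, so confirm there is no such policy in place before importing the generated fix.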

TSF Security Manager, Emeritus · 51,795 Posts
Still some nasties present there.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


Download ComboFix from Here:


* IMPORTANT !!! Place combofix.exe on your Desktop

We will first use ComboFix to install the Microsoft Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Next, download the Microsoft file from this link:

http://www.microsoft.com/downloads/...8D-5E10-49B5-B80C-0A0205368124&displaylang=en

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

It does not appear as though DSS was allowed to download and install HijackThis. To produce a HijackThis log for your next reply, please do this:

Please download HijackThis to your desktop

Alternate link

Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis, since the entries may be harmless.

---------------------------------------------------------------------------------------------

If you have any questions along the way, STOP and ask them before proceeding.

Registered · 12 Posts · Discussion Starter · #8
Wow, thank you so much. I noticed the results of the fix almost immediately: not only did I get my display property tabs back immediately, but it restored several desktop icons that I didn't even realize were missing and my computer's speed is back up to normal. The fact that a site as professionally run as this (with a volunteer expert staff to handle problems that they wouldn't trust the general public to successfully manage) is free is an absolute wonder.

Here is my ComboFix log:
ComboFix 08-06-25.2 - Larry 2008-06-25 22:03:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.623 [GMT -4:00]
Running from: C:\Documents and Settings\Larry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Larry\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\exks.exe
C:\WINDOWS\exre.exe
C:\WINDOWS\system32\phcawsj0ena1.bmp
C:\WINDOWS\system32\pphcawsj0ena1.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-25 15:17 . 2008-06-25 15:17 <DIR> d-------- C:\Deckard
2008-06-24 16:09 . 2008-06-24 16:09 <DIR> d-------- C:\Program Files\rhcewsj0ena1
2008-06-24 12:55 . 2008-06-24 12:55 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-24 12:55 . 2008-06-24 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-24 12:55 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-06-24 12:49 . 2008-06-24 12:49 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-06-23 21:35 . 2008-06-23 21:35 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\rhcewsj0ena1
2008-06-23 19:07 . 2008-06-23 19:48 <DIR> d-------- C:\STRIFE
2008-06-23 19:07 . 2005-08-07 11:08 724,193 --a------ C:\zombiepox_install.exe
2008-06-23 19:03 . 2008-06-23 23:45 <DIR> d-------- C:\SANITY
2008-06-23 17:08 . 2008-06-23 17:08 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-06-23 17:08 . 2008-06-23 17:10 <DIR> d-------- C:\Program Files\Crimsonland
2008-06-23 16:36 . 2008-06-23 16:38 <DIR> d-------- C:\Program Files\TLawnmower
2008-06-23 16:32 . 2008-06-23 16:35 686 --a------ C:\WINDOWS\syshcin1.ini
2008-06-23 16:27 . 2008-06-23 16:27 <DIR> d-------- C:\Program Files\HCNSB
2008-06-23 16:26 . 2008-06-23 16:26 <DIR> d-------- C:\Program Files\HC
2008-06-23 15:59 . 2008-06-23 16:04 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-23 02:31 . 2008-06-23 02:31 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Malwarebytes
2008-06-23 02:30 . 2008-06-23 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 02:29 . 2008-06-23 02:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 02:29 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 02:29 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-23 02:27 . 2008-06-23 02:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 16:05 . 2008-06-21 16:13 <DIR> d-------- C:\Program Files\Tropico 2 Pirate Cove
2008-06-21 03:11 . 2008-06-23 19:32 <DIR> d-------- C:\games
2008-06-21 01:05 . 2008-06-21 01:09 <DIR> d-------- C:\Program Files\Tropico
2008-06-20 18:56 . 2008-06-20 18:56 <DIR> d-------- C:\Program Files\Hothead Games
2008-06-20 03:09 . 2008-06-20 03:09 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\skypePM
2008-06-20 03:09 . 2008-06-20 03:09 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 03:08 . 2008-06-21 13:22 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Program Files\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-13 02:44 . 2008-06-13 04:22 <DIR> d-------- C:\Program Files\Bos Wars
2008-06-13 02:23 . 2008-06-24 04:12 <DIR> d-------- C:\Program Files\Wesnoth.1.4.3
2008-06-13 02:23 . 2008-06-13 04:27 <DIR> d-------- C:\Program Files\Glest_3.1.2
2008-06-12 21:14 . 2008-06-12 21:15 <DIR> d-------- C:\Program Files\Medieval Knights v1.61
2008-06-12 13:12 . 2008-06-12 13:12 47 --a------ C:\WINDOWS\2099
2008-06-12 05:27 . 2008-06-12 05:27 <DIR> d-------- C:\DarksunGames
2008-06-11 03:35 . 2008-06-11 03:36 <DIR> d-------- C:\Program Files\Fishie Fishie
2008-06-11 01:57 . 2008-06-25 15:14 <DIR> d-------- C:\Program Files\Steam
2008-06-10 14:33 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 14:33 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 21:19 . 2008-06-09 21:19 <DIR> d-------- C:\Program Files\Black Isle
2008-06-09 20:35 . 2008-06-09 20:35 <DIR> d-------- C:\Program Files\MagicDisc
2008-06-09 20:35 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-06-09 18:07 . 2008-06-09 18:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-09 18:07 . 2008-06-09 18:07 <DIR> d-------- C:\WINDOWS\Logs
2008-06-09 17:16 . 2008-06-09 17:16 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-06-09 16:59 . 2008-06-09 17:19 <DIR> d-------- C:\Program Files\Mass Effect
2008-06-09 16:28 . 2008-06-09 16:28 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-09 16:28 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-09 16:28 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-09 16:28 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-09 16:28 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-09 16:28 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-09 16:27 . 2008-06-09 16:27 <DIR> d-------- C:\NVIDIA
2008-06-09 16:20 . 2008-06-09 16:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-04 02:15 . 2008-06-04 02:31 2,060 --a------ C:\WINDOWS\w9xabc.INI
2008-06-04 02:13 . 2008-06-04 02:31 2,220 --a------ C:\WINDOWS\savename.INI
2008-06-04 02:13 . 2008-06-04 02:27 203 --a------ C:\WINDOWS\savegame.INI
2008-06-04 02:12 . 2008-06-04 02:13 <DIR> d-------- C:\Program Files\The Spirit Engine
2008-06-04 01:58 . 2008-06-05 16:51 <DIR> d-------- C:\Program Files\Dark Oberon
2008-05-31 11:19 . 2008-05-31 11:19 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-05-31 11:11 . 2008-05-31 11:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-31 10:45 . 2008-05-31 10:46 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Corel
2008-05-31 10:45 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-05-31 10:45 . 2008-05-31 11:28 3,402 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-31 10:45 . 2008-05-31 10:45 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\B9FCA7A350.sys
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\InterVideo
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-31 10:43 . 2008-05-31 10:43 <DIR> d-------- C:\Program Files\Corel
2008-05-31 10:35 . 2008-05-31 10:36 <DIR> d-------- C:\Program Files\MagicISO
2008-05-31 01:05 . 2008-05-31 01:09 <DIR> d-------- C:\Program Files\DVDZip 3.1
2008-05-31 01:05 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-05-31 01:05 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-05-31 01:05 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-05-31 01:05 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-05-30 22:27 . 2008-05-30 22:27 <DIR> d-------- C:\Program Files\koei
2008-05-30 19:05 . 2004-08-04 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-30 19:04 . 2004-08-04 15:00 716,856 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll
2008-05-30 15:41 . 2008-06-05 11:37 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2008-05-29 23:22 . 2008-05-29 23:22 <DIR> d-------- C:\Program Files\GoZilla
2008-05-29 23:22 . 2008-05-29 23:22 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Go!Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 02:08 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 02:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-26 01:57 --------- d-----w C:\Documents and Settings\Larry\Application Data\Azureus
2008-06-25 20:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-25 20:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-25 20:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-25 20:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-25 20:07 --------- d-----w C:\Program Files\Symantec
2008-06-25 20:06 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-24 19:52 --------- d-----w C:\Program Files\QuickTime
2008-06-23 05:55 --------- d-----w C:\Program Files\Soulseek
2008-06-21 05:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 02:36 --------- d-----w C:\Program Files\Azureus
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-29 20:37 --------- d-----w C:\Program Files\Google
2008-05-26 16:20 --------- d-----w C:\Program Files\AOL 9.0a
2008-05-25 17:01 --------- d-----w C:\Documents and Settings\Larry\Application Data\AOL
2008-05-25 17:00 --------- d-----w C:\Program Files\Common Files\aolshare
2008-05-25 17:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-25 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-25 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-23 19:04 --------- d-----w C:\Program Files\AOL 9.1
2008-05-23 04:36 --------- d-----w C:\Program Files\Polychromatic Funk Monkey
2008-05-23 04:04 --------- d-----w C:\Program Files\ROM CHECK FAIL
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 06:33 --------- d-----w C:\Program Files\DOSBox-0.65
2008-05-05 01:15 --------- d-----w C:\Program Files\Rockstar Games
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-08-04 19:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 19:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 19:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 19:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 19:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 19:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 19:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 19:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,736 2006-11-07 15:29:02 C:\Program Files\AIM6\bak\aim6.exe
----a-w 50,736 2007-03-23 21:18:22 C:\Program Files\AIM6\aim6.exe

----a-w 50,736 2006-09-26 00:52:48 C:\Program Files\Common Files\AOL\1171550299\ee\bak\AOLSoftware.exe
----a-w 42,032 2007-05-25 17:16:08 C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

----a-w 171,448 2007-03-14 18:58:03 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 49,263 2006-11-09 19:07:30 C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe

----a-w 413,775 2003-04-22 22:43:44 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
----a-w 413,775 2003-04-22 22:43:44 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

----a-w 99,480 2004-05-07 21:54:22 C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe
----a-w 99,480 2004-04-05 21:33:54 C:\Program Files\Pure Networks\Port Magic\PortAOL.exe

----a-w 98,304 2007-02-15 12:26:43 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 26,112 2007-02-15 12:26:05 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
----a-w 26,112 2007-04-06 21:49:19 C:\Program Files\Real\RealPlayer\realplay.exe

----a-w 114,688 2005-04-25 15:32:52 C:\WINDOWS\system32\bak\igfxpers.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2008-01-22 13:46 345152 --a------ C:\Program Files\GoZilla\GozCatch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 17:18 50736]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2003-10-08 05:00 198144]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 18:43 413775]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29 165784]
"Steam"="c:\program files\steam\steam.exe" [2008-06-11 01:57 1271032]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [2007-11-11 16:20 696320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-02-15 08:26 98304]
"HostManager"="C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-04-06 17:49 26112]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33 99480]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-15 21:15 167936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-07-25 12:47 14679552 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Larry\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-06-09 20:35:43 547840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 02:28:32 487484]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1171550299\\ee\\aolsoftware.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\HM3\\hm3.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 PSI_SVC_2;Protexis Licensing V2;"C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 12:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-21 05:04:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Larry.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{18680ABA-254E-4847-8E2C-494B9E1B9C20} - (no file)
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-lphcawsj0ena1 - C:\WINDOWS\system32\lphcawsj0ena1.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 22:08:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 22:10:12
ComboFix-quarantined-files.txt 2008-06-26 02:10:06

Pre-Run: 18,439,942,144 bytes free
Post-Run: 18,553,888,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

286 --- E O F --- 2008-06-21 07:02:54


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:25 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Go!Zilla IE Helper - {E1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GoZilla\GozCatch.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11150 bytes



Attached is my HijackThis log.

Again, thank you!
 


· TSF Security Manager, Emeritus
Joined
·
51,795 Posts
Thanks for the kind words, I'm glad the machine is running better.

We'll have a few more steps to do before all is complete.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

  1. Disconnect from the internet....pull the plug!
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Folder::
    C:\Program Files\rhcewsj0ena1
    C:\Documents and Settings\Larry\Application Data\rhcewsj0ena1
    C:\Program Files\AIM6\bak
    C:\Program Files\Common Files\AOL\1171550299\ee\bak
    C:\Program Files\Common Files\AOL\ACS\bak
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\Java\jre1.5.0_10\bin\bak
    C:\Program Files\Microsoft ActiveSync\bak
    C:\Program Files\Pure Networks\Port Magic\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\Real\RealPlayer\bak
    C:\WINDOWS\system32\bak

    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here along with the log from ComboFix.

    ---------------------------------------------------------------------------------------------
 

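A post-run check for the procedure above, added here as an example and not code from ComboFix, HijackThis or the forum post: it parses a ComboFix log in the layout seen in this thread, confirms that every `Folder::` target from the CFScript shows up under "Other Deletions", and flags the Security Center "DisableMonitoring" and firewall "EnableFirewall" registry values that a rogue antivirus typically leaves switched off. The sample CFScript and log text are constructed for the demo; the section banners and REGEDIT4 block mimic the real log format.

```python
"""Verify a ComboFix run against its CFScript and flag weakened security settings.

Added example (not ComboFix/HijackThis code). SAMPLE_CFSCRIPT and SAMPLE_LOG
are constructed to match the log layout posted in this thread.
"""
import re

SAMPLE_CFSCRIPT = r"""
Folder::
C:\Program Files\rhcewsj0ena1
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
"""

# Constructed excerpt: one Folder:: target is deliberately missing from the
# deletions list so the check has something to report.
SAMPLE_LOG = r"""
ComboFix 08-06-25.3 - Larry 2008-06-26 0:34:55.2 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\rhcewsj0ena1
C:\Program Files\rhcewsj0ena1\MFC71.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-06-11 01:57 1271032]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

Contents of the 'Scheduled Tasks' folder
"""


def cfscript_folders(cfscript):
    """Return the paths listed under the Folder:: directive of a CFScript."""
    folders, in_section = [], False
    for line in cfscript.splitlines():
        line = line.strip()
        if line.endswith("::"):            # any directive header, e.g. Folder::
            in_section = line.lower() == "folder::"
            continue
        if in_section and line:
            folders.append(line)
    return folders


def log_section(log, title):
    """Return the non-empty lines of the ComboFix section whose banner names title."""
    out, capturing = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("((((") and line.endswith("))))"):   # section banner
            capturing = title.lower() in line.lower()
            continue
        if capturing and line and line != ".":
            out.append(line)
    return out


def unconfirmed_deletions(cfscript, log):
    """Folder:: targets that do not appear in the 'Other Deletions' section."""
    deleted = {line.lower() for line in log_section(log, "Other Deletions")}
    return [f for f in cfscript_folders(cfscript) if f.lower() not in deleted]


def registry_entries(log):
    """Return (key, name, value) triples from the REGEDIT4-style block of the log."""
    entries, key, active = [], None, False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "REGEDIT4":
            active = True
            continue
        if not active:
            continue
        if line.startswith("Contents of") or line.startswith("*****"):
            break                           # end of the registry block
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)$', line)
        if m and key:
            entries.append((key, m.group(1), m.group(2).strip()))
    return entries


def numeric(value):
    """Interpret 'dword:00000001' or '0 (0x0)' as an int; None for string data."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def weakened_settings(entries):
    """Flag Security Center monitoring turned off and a firewall profile disabled."""
    findings = []
    for key, name, value in entries:
        k, v = key.lower(), numeric(value)
        if name == "DisableMonitoring" and "security center\\monitoring" in k and v == 1:
            findings.append((key, name, "Security Center monitoring disabled"))
        elif name == "EnableFirewall" and "firewallpolicy" in k and v == 0:
            findings.append((key, name, "Windows Firewall profile disabled"))
    return findings


if __name__ == "__main__":
    for folder in unconfirmed_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG):
        print("NOT confirmed deleted:", folder)
    for key, name, why in weakened_settings(registry_entries(SAMPLE_LOG)):
        print(f"{why}: [{key}] {name}")
```

Against the log posted later in this thread, the registry checks report both the Security Center and firewall entries, which is why the helper follows up on the registry policies rather than stopping at the file deletions.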
· Registered
Joined
·
12 Posts
Discussion Starter · #10 ·
All done. Here's the log:

ComboFix 08-06-25.3 - Larry 2008-06-26 0:34:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.575 [GMT -4:00]
Running from: C:\Documents and Settings\Larry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Larry\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Larry\Application Data\rhcewsj0ena1
C:\Program Files\AIM6\bak
C:\Program Files\AIM6\bak\aim6.exe
C:\Program Files\Common Files\AOL\1171550299\ee\bak
C:\Program Files\Common Files\AOL\1171550299\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\bak
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
C:\Program Files\iTunes\bak
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_10\bin\bak
C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE
C:\Program Files\Pure Networks\Port Magic\bak
C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
C:\Program Files\rhcewsj0ena1
C:\Program Files\rhcewsj0ena1\MFC71.dll
C:\Program Files\rhcewsj0ena1\MFC71ENU.DLL
C:\Program Files\rhcewsj0ena1\msvcp71.dll
C:\Program Files\rhcewsj0ena1\msvcr71.dll
C:\Program Files\rhcewsj0ena1\rhcewsj0ena1Skin.dll
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak\igfxpers.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-25 22:14 . 2008-06-25 22:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 15:17 . 2008-06-25 15:17 <DIR> d-------- C:\Deckard
2008-06-24 12:55 . 2008-06-24 12:55 <DIR> d-------- C:\Program Files\ThreatFire
2008-06-24 12:55 . 2008-06-24 12:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-06-24 12:55 . 2008-04-24 16:52 51,520 --a------ C:\WINDOWS\system32\drivers\TfFsMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 38,208 --a------ C:\WINDOWS\system32\drivers\TfSysMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 33,088 --a------ C:\WINDOWS\system32\drivers\TfNetMon.sys
2008-06-24 12:55 . 2008-04-24 16:52 12,608 --a------ C:\WINDOWS\system32\drivers\TfKbMon.sys
2008-06-24 12:49 . 2008-06-24 12:49 <DIR> d-------- C:\Program Files\MalwareSweeper.com
2008-06-23 19:07 . 2008-06-23 19:48 <DIR> d-------- C:\STRIFE
2008-06-23 19:03 . 2008-06-23 23:45 <DIR> d-------- C:\SANITY
2008-06-23 17:08 . 2008-06-23 17:08 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-06-23 17:08 . 2008-06-23 17:10 <DIR> d-------- C:\Program Files\Crimsonland
2008-06-23 16:36 . 2008-06-23 16:38 <DIR> d-------- C:\Program Files\TLawnmower
2008-06-23 16:32 . 2008-06-23 16:35 686 --a------ C:\WINDOWS\syshcin1.ini
2008-06-23 16:27 . 2008-06-23 16:27 <DIR> d-------- C:\Program Files\HCNSB
2008-06-23 16:26 . 2008-06-23 16:26 <DIR> d-------- C:\Program Files\HC
2008-06-23 15:59 . 2008-06-23 16:04 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-06-23 02:31 . 2008-06-23 02:31 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Malwarebytes
2008-06-23 02:30 . 2008-06-23 02:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-23 02:29 . 2008-06-23 02:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-23 02:29 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-23 02:29 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-23 02:27 . 2008-06-23 02:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-21 16:05 . 2008-06-21 16:13 <DIR> d-------- C:\Program Files\Tropico 2 Pirate Cove
2008-06-21 03:11 . 2008-06-23 19:32 <DIR> d-------- C:\games
2008-06-21 01:05 . 2008-06-21 01:09 <DIR> d-------- C:\Program Files\Tropico
2008-06-20 18:56 . 2008-06-20 18:56 <DIR> d-------- C:\Program Files\Hothead Games
2008-06-20 03:09 . 2008-06-20 03:09 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\skypePM
2008-06-20 03:09 . 2008-06-20 03:09 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-20 03:08 . 2008-06-21 13:22 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Program Files\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-20 03:07 . 2008-06-20 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-13 02:44 . 2008-06-13 04:22 <DIR> d-------- C:\Program Files\Bos Wars
2008-06-13 02:23 . 2008-06-24 04:12 <DIR> d-------- C:\Program Files\Wesnoth.1.4.3
2008-06-13 02:23 . 2008-06-13 04:27 <DIR> d-------- C:\Program Files\Glest_3.1.2
2008-06-12 21:14 . 2008-06-12 21:15 <DIR> d-------- C:\Program Files\Medieval Knights v1.61
2008-06-12 13:12 . 2008-06-12 13:12 47 --a------ C:\WINDOWS\2099
2008-06-12 05:27 . 2008-06-12 05:27 <DIR> d-------- C:\DarksunGames
2008-06-11 03:35 . 2008-06-11 03:36 <DIR> d-------- C:\Program Files\Fishie Fishie
2008-06-11 01:57 . 2008-06-25 15:14 <DIR> d-------- C:\Program Files\Steam
2008-06-10 14:33 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 14:33 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 21:19 . 2008-06-09 21:19 <DIR> d-------- C:\Program Files\Black Isle
2008-06-09 20:35 . 2008-06-09 20:35 <DIR> d-------- C:\Program Files\MagicDisc
2008-06-09 20:35 . 2008-05-27 12:11 96,896 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-06-09 18:07 . 2008-06-09 18:15 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-09 18:07 . 2008-06-09 18:07 <DIR> d-------- C:\WINDOWS\Logs
2008-06-09 17:16 . 2008-06-09 17:16 <DIR> d-------- C:\Program Files\Common Files\BioWare
2008-06-09 16:59 . 2008-06-09 17:19 <DIR> d-------- C:\Program Files\Mass Effect
2008-06-09 16:28 . 2008-06-09 16:28 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-09 16:28 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-09 16:28 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-06-09 16:28 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-06-09 16:28 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-06-09 16:28 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-06-09 16:27 . 2008-06-09 16:27 <DIR> d-------- C:\NVIDIA
2008-06-09 16:20 . 2008-06-09 16:20 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-04 02:15 . 2008-06-04 02:31 2,060 --a------ C:\WINDOWS\w9xabc.INI
2008-06-04 02:13 . 2008-06-04 02:31 2,220 --a------ C:\WINDOWS\savename.INI
2008-06-04 02:13 . 2008-06-04 02:27 203 --a------ C:\WINDOWS\savegame.INI
2008-06-04 02:12 . 2008-06-04 02:13 <DIR> d-------- C:\Program Files\The Spirit Engine
2008-06-04 01:58 . 2008-06-05 16:51 <DIR> d-------- C:\Program Files\Dark Oberon
2008-05-31 11:19 . 2008-05-31 11:19 40 --ah----- C:\WINDOWS\system32\ivireg.ivr
2008-05-31 11:11 . 2008-05-31 11:11 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-31 10:45 . 2008-05-31 10:46 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Corel
2008-05-31 10:45 . 2005-09-20 17:27 10,368 --a------ C:\WINDOWS\system32\drivers\iviaspi.sys
2008-05-31 10:45 . 2008-05-31 11:28 3,402 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-31 10:45 . 2008-05-31 10:45 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\B9FCA7A350.sys
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\InterVideo
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\Common Files\Protexis
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2008-05-31 10:44 . 2008-05-31 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2008-05-31 10:43 . 2008-05-31 10:43 <DIR> d-------- C:\Program Files\Corel
2008-05-31 10:35 . 2008-05-31 10:36 <DIR> d-------- C:\Program Files\MagicISO
2008-05-31 01:05 . 2008-05-31 01:09 <DIR> d-------- C:\Program Files\DVDZip 3.1
2008-05-31 01:05 . 1999-09-10 12:06 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-05-31 01:05 . 1999-09-10 12:06 25,244 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-05-31 01:05 . 1999-09-10 12:06 5,600 --a------ C:\WINDOWS\system\WINASPI.DLL
2008-05-31 01:05 . 1999-09-10 12:06 4,672 --a------ C:\WINDOWS\system\WOWPOST.EXE
2008-05-30 22:27 . 2008-05-30 22:27 <DIR> d-------- C:\Program Files\koei
2008-05-30 19:05 . 2004-08-04 15:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-30 19:04 . 2004-08-04 15:00 716,856 --a--c--- C:\WINDOWS\system32\dllcache\imjpcus.dll
2008-05-30 15:41 . 2008-06-05 11:37 <DIR> d-------- C:\Program Files\Lighthouse Interactive
2008-05-29 23:22 . 2008-05-29 23:22 <DIR> d-------- C:\Program Files\GoZilla
2008-05-29 23:22 . 2008-05-29 23:22 <DIR> d-------- C:\Documents and Settings\Larry\Application Data\Go!Zilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 04:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-26 04:35 --------- d-----w C:\Program Files\QuickTime
2008-06-26 04:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-26 04:35 --------- d-----w C:\Program Files\iTunes
2008-06-26 04:35 --------- d-----w C:\Program Files\AIM6
2008-06-26 04:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-26 04:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-26 01:57 --------- d-----w C:\Documents and Settings\Larry\Application Data\Azureus
2008-06-25 20:07 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-25 20:07 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-25 20:07 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-25 20:07 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-25 20:07 --------- d-----w C:\Program Files\Symantec
2008-06-25 20:06 --------- d-----w C:\Program Files\Norton Internet Security
2008-06-23 05:55 --------- d-----w C:\Program Files\Soulseek
2008-06-21 05:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-20 02:36 --------- d-----w C:\Program Files\Azureus
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-29 20:37 --------- d-----w C:\Program Files\Google
2008-05-26 16:20 --------- d-----w C:\Program Files\AOL 9.0a
2008-05-25 17:01 --------- d-----w C:\Documents and Settings\Larry\Application Data\AOL
2008-05-25 17:00 --------- d-----w C:\Program Files\Common Files\aolshare
2008-05-25 17:00 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-25 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-05-25 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-05-23 19:04 --------- d-----w C:\Program Files\AOL 9.1
2008-05-23 04:36 --------- d-----w C:\Program Files\Polychromatic Funk Monkey
2008-05-23 04:04 --------- d-----w C:\Program Files\ROM CHECK FAIL
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 06:33 --------- d-----w C:\Program Files\DOSBox-0.65
2008-05-05 01:15 --------- d-----w C:\Program Files\Rockstar Games
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2004-08-04 19:00 94,784 --sh--w C:\WINDOWS\twain.dll
2004-08-04 19:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 19:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 19:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 19:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 19:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-12-04 18:38 550,912 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 19:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 19:00 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2008-01-22 13:46 345152 --a------ C:\Program Files\GoZilla\GozCatch.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-03-23 17:18 50736]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2003-10-08 05:00 198144]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 18:43 413775]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-03 18:29 165784]
"Steam"="c:\program files\steam\steam.exe" [2008-06-11 01:57 1271032]
"Malware Sweeper"="C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [2007-11-11 16:20 696320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"HostManager"="C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-05 21:22 26248]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-04-06 17:49 26112]
"Pure Networks Port Magic"="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" [2004-04-05 17:33 99480]
"SCDEmuApp.exe"="C:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-15 21:15 167936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36 256576]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2008-04-24 16:52 259392]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 18:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-07-25 12:47 14679552 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Larry\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-06-09 20:35:43 547840]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 700 series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-24 02:28:32 487484]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\1171550299\\ee\\aolsoftware.exe"=
"C:\\Program Files\\America Online 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\HM3\\hm3.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys [2005-12-06 11:11]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [2008-04-24 16:52]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [2008-04-24 16:52]
R2 PSI_SVC_2;Protexis Licensing V2;"C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [2007-07-24 11:15]
R2 regi;regi;C:\WINDOWS\system32\drivers\regi.sys [2007-04-17 20:09]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service []
R2 WUSB54Gv4SVC;WUSB54Gv4SVC;"C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe" []
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [2008-04-24 16:52]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-24 12:23:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-21 05:04:12 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Larry.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-QuickTime Task - C:\Program Files\QuickTime\bak\qttask.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 00:39:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-26 0:40:45
ComboFix-quarantined-files.txt 2008-06-26 04:40:39
ComboFix2.txt 2008-06-26 02:10:14

Pre-Run: 18,547,507,200 bytes free
Post-Run: 18,540,806,144 bytes free

284 --- E O F --- 2008-06-21 07:02:54


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:14 AM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\PowerISO\SCDEmuApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Go!Zilla IE Helper - {E1FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GoZilla\GozCatch.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1171550299\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SCDEmuApp.exe] C:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe
O4 - S-1-5-18 Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WUSB54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 11012 bytes
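Added example, not code from the thread or from HijackThis: a small Python triage over the O16 (downloaded ActiveX), O23 (service) and O24 (Active Desktop component) lines of a HijackThis-style log such as the one above. The sample lines are copied from that log; the regexes, the triage rules and the list of "expected" service directories are this example's own assumptions, and a hit means "look again", not "this is malware".

```python
"""Triage a HijackThis-style log for the entry classes that matter after a
rogue-antivirus cleanup: O16 (ActiveX installed from the web), O23 (services)
and O24 (Active Desktop web items).

Added example; not part of the forum thread or of HijackThis.  The sample
lines below are copied from the log in the thread; the rules are this
example's own heuristics.
"""
import re
from urllib.parse import urlparse

O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>.+)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")
O24_RE = re.compile(r"^O24 - Desktop Component (?P<idx>\d+): (?P<name>.+) - (?P<file>.+)$")

# Assumption: service binaries normally live here (8.3 short form included);
# anything else is merely worth a second look.
EXPECTED_SERVICE_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\system32\\")

# Constructed sample: a subset of the log lines posted in the thread.
SAMPLE_LOG = r"""
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""


def triage(log_text):
    """Return (section, name, note) tuples for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O16_RE.match(line):
            # Every O16 is an ActiveX control pulled from a web host; the user
            # should recognise the host, or the control should go.
            host = urlparse(m["url"]).netloc
            findings.append(("O16", m["name"], f"ActiveX control installed from {host}"))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(("O23", m["display"],
                                 f"no vendor recorded; verify the signature of {m['path']}"))
            elif not m["path"].lower().startswith(EXPECTED_SERVICE_DIRS):
                findings.append(("O23", m["display"],
                                 f"binary outside the usual service directories: {m['path']}"))
        elif m := O24_RE.match(line):
            # "(no file)" is the classic leftover of a scare-wallpaper web item.
            if m["file"] == "(no file)":
                findings.append(("O24", m["name"],
                                 "Active Desktop web item with no backing file; remove it under "
                                 "Display > Desktop > Customize Desktop > Web"))
    return findings


if __name__ == "__main__":
    for section, name, note in triage(SAMPLE_LOG):
        print(f"{section:4} {name}: {note}")
```

Run it as-is to see the sample findings, or pass a saved HijackThis log as `triage(open(path).read())`. On the sample, the O24 hit is the web item carrying the fake "spyware detected" wallpaper; the two O23 hits only say that the vendor field is empty or that the binary sits outside Program Files and system32, which for the AOL WAN miniport service is expected and, as the reply below says about WUSB54Gv4.exe, is not by itself a sign of infection.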
 

· TSF Security Manager, Emeritus · 51,795 Posts
Good job, things are looking better from here.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

AntivirXP08

You may receive a notification that it's already been uninstalled, or is otherwise corrupt, asking whether you would like to remove it from the list. Click OK.

---------------------------------------------------------------------------------------------

Go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete, if present:
  • "Security Info"
  • "Warning Message"
  • "Privacy Protection" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked

      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

How is the system behaving?
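Added example, not code from the post above, from HijackThis or from any vendor tool: a Python audit of the per-user registry locations behind the symptoms in this thread, namely the Display Properties tab policies that hide the Desktop and Screen Saver tabs, the Active Desktop policies that lock the wallpaper and web items, and the Active Desktop component list that HijackThis reports as O24. The registry paths and value names are the standard Windows XP policy and Active Desktop locations; the snapshot layout, the assess() rules and the "screensaver should live in system32" check are this example's own assumptions. It only reports; the removal steps are the ones given in the post.

```python
"""Audit the per-user registry locations that rogue antivirus families use to
hide Display Properties tabs and pin a scare wallpaper or screensaver.

Added example for the thread; not code from the forum post, from HijackThis
or from any cleanup tool.  Registry paths and value names are standard
Windows XP locations; the snapshot format and assess() rules are this
example's own assumptions.
"""
import os
import sys

# All keys are under HKEY_CURRENT_USER.
POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_ACTIVE_DESKTOP = r"Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"
COMPONENTS = r"Software\Microsoft\Internet Explorer\Desktop\Components"
CONTROL_PANEL_DESKTOP = r"Control Panel\Desktop"

# DWORD = 1 on any of these removes a tab from (or blocks) Display Properties.
DISPLAY_TAB_POLICIES = {
    "NoDispCPL": "Display Properties blocked entirely",
    "NoDispBackgroundPage": "Desktop tab hidden",
    "NoDispScrSavPage": "Screen Saver tab hidden",
    "NoDispAppearancePage": "Appearance tab hidden",
    "NoDispSettingsPage": "Settings tab hidden",
}
# DWORD = 1 on these locks the wallpaper or the desktop web items (O24).
ACTIVE_DESKTOP_POLICIES = {
    "NoChangingWallPaper": "wallpaper change blocked",
    "NoComponents": "desktop web items disabled",
    "NoAddingComponents": "adding desktop web items blocked",
    "NoDeletingComponents": "deleting desktop web items blocked",
    "NoEditingComponents": "editing desktop web items blocked",
}
# Assumption: a legitimate screensaver lives in system32.
TRUSTED_SCREENSAVER_DIR = "c:\\windows\\system32\\"


def assess(snapshot, exists=os.path.exists):
    """Return (location, finding) pairs for a snapshot dict as produced by
    read_snapshot() or built by hand; exists() is injectable for testing."""
    findings = []
    for name, meaning in DISPLAY_TAB_POLICIES.items():
        if snapshot.get("policies_system", {}).get(name) == 1:
            findings.append((f"{POLICY_SYSTEM}\\{name}", meaning))
    for name, meaning in ACTIVE_DESKTOP_POLICIES.items():
        if snapshot.get("policies_active_desktop", {}).get(name) == 1:
            findings.append((f"{POLICY_ACTIVE_DESKTOP}\\{name}", meaning))
    # A component whose local Source is gone is what HijackThis prints as
    # "O24 - Desktop Component N: <name> - (no file)".
    for idx, comp in enumerate(snapshot.get("components", [])):
        source = comp.get("Source", "")
        label = comp.get("FriendlyName") or f"component {idx}"
        if not source:
            findings.append((f"{COMPONENTS}\\{idx}", f"{label}: no Source value"))
        elif not source.lower().startswith(("http://", "https://")) and not exists(source):
            findings.append((f"{COMPONENTS}\\{idx}", f"{label}: (no file) {source}"))
    desktop = snapshot.get("desktop", {})
    saver = desktop.get("SCRNSAVE.EXE", "")
    if saver and not saver.lower().startswith(TRUSTED_SCREENSAVER_DIR):
        findings.append((f"{CONTROL_PANEL_DESKTOP}\\SCRNSAVE.EXE",
                         f"screensaver outside system32: {saver}"))
    wallpaper = desktop.get("Wallpaper", "")
    if wallpaper and not exists(wallpaper):
        findings.append((f"{CONTROL_PANEL_DESKTOP}\\Wallpaper",
                         f"wallpaper file missing: {wallpaper}"))
    return findings


def read_snapshot():
    """Collect the snapshot from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise OSError("read_snapshot() needs the Windows registry")
    import winreg

    def values(path):
        out = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    out[name] = data
        except FileNotFoundError:
            pass
        return out

    comps = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                sub = winreg.EnumKey(key, i)
                if sub.isdigit():
                    comps.append(values(f"{COMPONENTS}\\{sub}"))
    except FileNotFoundError:
        pass
    return {"policies_system": values(POLICY_SYSTEM),
            "policies_active_desktop": values(POLICY_ACTIVE_DESKTOP),
            "components": comps,
            "desktop": values(CONTROL_PANEL_DESKTOP)}


if __name__ == "__main__":
    for where, what in assess(read_snapshot()):
        print(f"HKCU\\{where}: {what}")
```

Run it on the affected account (the policies are per-user, so not as a different administrator) and it prints one line per finding. A NoDispBackgroundPage or NoDispScrSavPage hit is the direct cause of the missing Display Properties tabs from the first post; deleting those values (or setting them to 0) restores the tabs after the next logon or an Explorer restart, and the web-item and wallpaper hits are then cleared through the Customize Desktop steps above.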
 

· Registered · 12 Posts
Discussion Starter · #12 · (Edited)
The system was much more stable until tonight - I loaded up Windows to find (to my dismay) that WUSB54Gv4.exe and rhcewsj0ena1.exe had resurfaced. Not only that, but shortly after I attempted to shut down those processes via Task Manager, my desktop and taskbar became entirely unresponsive. I tried several times to close and open Explorer to little effect - it (at some points) remained unresponsive, other times allowing me into Control Panel, where it would then freeze after I double-clicked Display. Just when I thought that the problem had almost been solved! I am about to reboot the system and will let you know if this affords me any progress.
 

· TSF Security Manager, Emeritus · 51,795 Posts
There should be nothing wrong with WUSB54Gv4.exe

It belongs to Linksys wireless

C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe

Have you visited some of the same sites as before? Perhaps one of them has some malicious code parked on it.

Post a new DSS log.
 

· Registered · 12 Posts
Discussion Starter · #14 ·
Never mind about that last message, I posted in haste -- it seems that all of the errors that I encountered on startup were from (ironically enough) ThreatFire, an anti-malware application that I downloaded when my system first started acting up. I uninstalled the software and it has entirely rectified the problem. The unresponsive desktop was caused by my CPU usage running at 100% as a result of ThreatFire initializing for an indefinite amount of time, a glitch that I have encountered with the program before. Not only that, but rhcewsj0ena1 hasn't reared its head since I ended the process tree last, and a full system search including hidden folders for that exe turned up nothing. I can't really offer any explanation for why I saw it in Task Manager again, unless it had something to do with ThreatFire's attempted quarantine of it previously (and then malfunction). At any rate, I removed the bogus AntiVir program and, just as you said, it came up as already having been removed. I then updated my Java and things are looking a-ok.
 