
#1 · Discussion Starter (Registered, 10 Posts)
Various sources indicate that I have Vundo (plus IE popups all over the place), but my attempts at using HJT to eradicate it on my own haven't been fruitful. Assistance would be much appreciated.


DDS (Version 1.0) - NTFSx86
Run by Brian at 19:49:15.66 on Mon 11/24/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1252 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\lxbucoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Brian\Desktop\gmer.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page =
uSearch Page = hxxp://www.google.com
mStart Page =
mSearch Page = hxxp://www.google.com
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {601ED020-FB6C-11D3-87D8-0050DA59922B} - c:\program files\ipswitch\ws_ftp home\wsbho2k0.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [lxbumon.exe] "c:\program files\lexmark 6200 series\lxbumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 6200 series\ezprint.exe"
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LXBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBUtime.dll,[email protected]
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 hsfbs2s22;hsfbs2s22;c:\windows\system32\drivers\hsfbs2s22.sys [2008-11-21 86272]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-10-17 24652]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\linksys wireless-g usb wireless network monitor\WLService.exe" "WUSB54Gv42.exe" [2007-10-14 53307]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);c:\windows\system32\drivers\snp2sxp.sys [2008-6-16 12039680]
S3 ALLOW-IO;ALLOW-IO;\??\D:\ALLOW-IO.sys []
S4 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service []

=============== Created Last 30 ================

2008-11-24 18:27 250 a------- c:\windows\gmer.ini
2008-11-24 17:52 <DIR> --d----- C:\lstdlls
2008-11-23 17:15 <DIR> --d----- c:\windows\setup.pss
2008-11-23 17:03 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2008-11-23 17:03 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2008-11-23 17:03 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2008-11-23 17:03 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2008-11-23 17:03 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2008-11-23 17:03 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2008-11-23 17:03 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2008-11-23 17:03 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2008-11-23 17:03 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2008-11-23 17:03 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2008-11-23 17:01 687,999 ac------ c:\windows\system32\dllcache\usrwdxjs.sys
2008-11-23 17:00 166,784 ac------ c:\windows\system32\dllcache\tridxpm.sys
2008-11-23 16:59 32,640 ac------ c:\windows\system32\dllcache\symc8xx.sys
2008-11-23 16:58 20,752 ac------ c:\windows\system32\dllcache\sonync.sys
2008-11-23 16:57 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2008-11-23 16:56 166,720 ac------ c:\windows\system32\dllcache\s3m.sys
2008-11-23 16:55 128,286 ac------ c:\windows\system32\dllcache\ptserli.sys
2008-11-23 16:54 41,984 ac------ c:\windows\system32\dllcache\ovui2rc.dll
2008-11-23 16:53 39,264 ac------ c:\windows\system32\dllcache\neo20xx.sys
2008-11-23 16:52 17,280 ac------ c:\windows\system32\dllcache\mraid35x.sys
2008-11-23 16:51 253,952 ac------ c:\windows\system32\dllcache\kdsusd.dll
2008-11-23 16:50 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2008-11-23 16:49 19,456 ac------ c:\windows\system32\dllcache\hr1w.dll
2008-11-23 16:48 27,165 ac------ c:\windows\system32\dllcache\fetnd5.sys
2008-11-23 16:47 117,760 ac------ c:\windows\system32\dllcache\e100b325.sys
2008-11-23 16:46 6,912 ac------ c:\windows\system32\dllcache\ctlfacem.sys
2008-11-23 16:45 87,552 ac------ c:\windows\system32\dllcache\avmcoxp.dll
2008-11-23 03:42 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-23 03:42 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-23 02:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-11-22 12:18 <DIR> --d----- c:\program files\Trend Micro
2008-11-22 09:43 9,662 a------- c:\windows\system32\pinkip.ico
2008-11-22 00:50 862 a------- c:\windows\system32\winpfz33.sys
2008-11-22 00:45 200,725 a------- c:\windows\system32\rswnw64m.exe
2008-11-21 23:37 38,537 a------- c:\windows\system32\prunnet.exe
2008-11-21 23:31 <DIR> --d----- c:\windows\system32\dPI19
2008-11-21 23:31 <DIR> --d----- c:\docume~1\brian\applic~1\NI.GSCNS
2008-11-21 23:31 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-21 23:21 <DIR> --d----- c:\temp\tn3
2008-11-21 23:21 <DIR> --d----- c:\temp\FT62
2008-11-21 23:21 <DIR> --d----- c:\temp\1cb
2008-11-21 23:20 <DIR> --d----- c:\windows\system32\appmgmt
2008-11-02 17:54 921,624 a------- C:\snp2sxp-001.raw

==================== Find3M ====================

2008-11-24 18:29 <DIR> --d----- c:\program files\PeerGuardian2
2008-11-24 17:40 <DIR> --d----- c:\program files\Steam
2008-11-23 04:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-11-23 04:04 <DIR> --d----- c:\docume~1\brian\applic~1\Azureus
2008-11-23 04:04 <DIR> --d----- c:\program files\AIM6
2008-11-23 03:40 170,842 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-11-22 01:21 <DIR> --d----- c:\program files\Azureus
2008-11-21 23:31 <DIR> --d----- c:\program files\Lavasoft
2008-11-21 23:21 64,859 a------- c:\windows\system32\gxjxgzfsyn.exe
2008-11-21 23:21 153,425 a------- c:\windows\system32\g64.exe
2008-11-21 23:21 200,715 a------- c:\windows\system32\dwwnw64r.exe
2008-11-21 23:20 <DIR> --d----- c:\program files\Yahoo!
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-05 16:01 <DIR> --d----- c:\docume~1\brian\applic~1\mIRC
2008-10-03 21:02 <DIR> --d----- c:\program files\mIRC
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-28 14:52 <DIR> --d----- c:\program files\Microsoft
2008-09-17 17:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-06-15 17:06 <DIR> --d----- c:\docume~1\brian\applic~1\vlc
2008-05-17 17:59 <DIR> --d----- c:\docume~1\brian\applic~1\MSNInstaller
2008-02-16 03:09 <DIR> --d----- c:\docume~1\brian\applic~1\Move Networks
2008-01-19 13:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2008-01-18 15:22 <DIR> --d----- c:\docume~1\brian\applic~1\AccurateRip
2007-10-29 20:24 <DIR> --d----- c:\docume~1\brian\applic~1\Viewpoint
2007-10-26 13:15 <DIR> --d----- c:\docume~1\brian\applic~1\GetRightToGo
2007-10-26 13:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2007-10-26 12:57 <DIR> --d----- c:\docume~1\brian\applic~1\SystemRequirementsLab
2007-10-19 23:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATI
2008-08-21 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 19:49:31.02 ===============
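The cross-check a helper does by eye on a DDS log like the one above (an autorun entry, `prunnet.exe`, listed under both uRun and mRun, whose target file was created in `system32` three days before the scan) can be automated. The script below is an added example written for this page; it is not part of the thread, nor code from the DDS, HijackThis or ComboFix authors. It assumes only the line formats visible in the posted log: `uRun:`/`mRun:` entries in the "Pseudo HJT Report" section and `date time size attrs path` entries in "Created Last 30". The sample input is constructed from a handful of lines copied from the log above.

```python
import re

# Constructed sample input: a few lines copied from the DDS log posted above
# (the real log is much longer; only the two sections of interest are kept).
SAMPLE_DDS_LOG = r"""
DDS (Version 1.0) - NTFSx86
Run by Brian at 19:49:15.66 on Mon 11/24/2008

============== Pseudo HJT Report ===============

uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [prunnet] "c:\windows\system32\prunnet.exe"

=============== Created Last 30 ================

2008-11-22 00:50 862 a------- c:\windows\system32\winpfz33.sys
2008-11-22 00:45 200,725 a------- c:\windows\system32\rswnw64m.exe
2008-11-21 23:37 38,537 a------- c:\windows\system32\prunnet.exe
2008-11-21 23:31 <DIR> --d----- c:\windows\system32\dPI19
2008-11-23 03:42 410,976 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================
"""

SECTION_RE = re.compile(r'^=+\s*(.*?)\s*=+$')
RUN_RE = re.compile(r'^([um]Run):\s+\[([^\]]*)\]\s*(.*)$')
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$')
BINARY_EXTS = ('.exe', '.dll', '.sys', '.scr', '.cpl')


def _sections(log_text):
    """Yield (section_name, line) for each non-empty line under a '==== name ====' header."""
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif line and section:
            yield section, line


def _command_path(command):
    """Return the program part of an autorun command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path, possibly with arguments
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.lower()
    return command.split()[0].lower() if command else ''


def parse_dds(log_text):
    """Return (autoruns, created): run-key entries and files from 'Created Last 30'."""
    autoruns, created = [], {}
    for section, line in _sections(log_text):
        if 'HJT' in section:                         # matches "Pseudo HJT Report" (any spelling)
            m = RUN_RE.match(line)
            if m:
                autoruns.append((m.group(1), m.group(2), _command_path(m.group(3))))
        elif 'Created Last 30' in section:
            m = CREATED_RE.match(line)
            if m and m.group(2) != '<DIR>':          # directories carry no executable payload
                created[m.group(3).lower()] = m.group(1)
    return autoruns, created


def autoruns_pointing_at_new_files(log_text):
    """Autorun entries whose target file was created inside the DDS 30-day window."""
    autoruns, created = parse_dds(log_text)
    return [{'hive': hive, 'name': name, 'path': path, 'created': created[path]}
            for hive, name, path in autoruns if path in created]


def new_system_binaries(log_text, prefix='c:\\windows'):
    """Executable, driver and library files created under prefix in the last 30 days."""
    _, created = parse_dds(log_text)
    return sorted(p for p in created if p.startswith(prefix) and p.endswith(BINARY_EXTS))


if __name__ == '__main__':
    for hit in autoruns_pointing_at_new_files(SAMPLE_DDS_LOG):
        print(f"{hit['hive']} [{hit['name']}] -> {hit['path']} (created {hit['created']})")
    for path in new_system_binaries(SAMPLE_DDS_LOG):
        print('new binary under c:\\windows:', path)
```

Both lists are a triage queue, not a verdict: legitimate updates land in `system32` too (the Java `deploytk.dll` from the same log shows up beside `prunnet.exe`), so each hit still needs an analyst to check the vendor, signature and reputation before anything is removed, which is exactly why the helper asks for logs rather than for self-directed fixing.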

Premium Member (29,813 Posts)
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Deewoo Network Manager removal << Please read this

------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player << This is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Please read here and here.

If you decide to uninstall it, also delete the following Folders if they still exist:

C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

------------------------------------------------------

I see you have P2P software (Azureus Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

If you decide to uninstall Azureus, also delete these Folders if they still exist:

C:\Documents and Settings\Brian\Application Data\Azureus
C:\Program Files\Azureus

------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log


If you have any questions along the way...STOP and ask them before proceeding.

#3 · Discussion Starter (Registered, 10 Posts)
Thank you! ComboFix scan:

ComboFix 08-11-26.05 - Brian 2008-11-27 1:48:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1125 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\ewogomul.ini
c:\windows\system32\lumogowe.dll
c:\windows\system32\msnav32.ax
c:\windows\system32\pac.txt
c:\windows\system32\pasozohe.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\renibupu.dll
c:\windows\system32\rswnw64m.exe
c:\windows\system32\wekiridi.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\x4
c:\windows\system32\yewuwazi.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
.

2008-11-27 01:51 . 2008-11-27 01:51 <DIR> d-------- c:\temp\tn3
2008-11-26 20:01 . 2008-11-26 20:01 <DIR> d-------- C:\VundoFix Backups
2008-11-24 18:27 . 2008-11-24 18:27 250 --a------ c:\windows\gmer.ini
2008-11-24 17:52 . 2008-11-24 17:55 <DIR> d-------- C:\lstdlls
2008-11-23 17:03 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-11-23 17:03 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-11-23 17:03 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-11-23 17:03 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-11-23 17:03 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-11-23 17:03 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-11-23 17:03 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-11-23 17:03 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-11-23 17:01 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2008-11-23 17:00 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-11-23 16:59 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-11-23 16:58 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2008-11-23 16:57 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-11-23 16:56 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-11-23 16:55 . 2008-04-13 20:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2008-11-23 16:54 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-11-23 16:53 . 2001-08-17 12:11 128,000 --a--c--- c:\windows\system32\dllcache\n100325.sys
2008-11-23 16:52 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-11-23 16:51 . 2008-04-13 20:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2008-11-23 16:50 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2008-11-23 16:49 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-11-23 16:48 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2008-11-23 16:47 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-11-23 16:46 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2008-11-23 16:45 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-11-23 03:42 . 2008-11-23 03:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 03:42 . 2008-11-23 03:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 03:41 . 2008-11-23 03:41 <DIR> d-------- c:\program files\Java
2008-11-23 02:34 . 2008-11-23 02:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-22 12:18 . 2008-11-22 12:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-22 09:43 . 2008-11-22 09:43 9,662 --a------ c:\windows\system32\pinkip.ico
2008-11-21 23:31 . 2008-11-24 00:18 <DIR> d-------- c:\windows\system32\dPI19
2008-11-21 23:31 . 2008-11-21 23:31 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-21 23:31 . 2008-11-21 23:37 <DIR> d-------- c:\documents and settings\Brian\Application Data\NI.GSCNS
2008-11-21 23:21 . 2008-11-21 23:21 <DIR> d-------- c:\windows\system32\mp
2008-11-21 23:21 . 2008-11-23 04:04 <DIR> d-------- c:\windows\system32\ID2
2008-11-21 23:21 . 2008-11-22 00:38 <DIR> d-------- c:\windows\system32\gp2
2008-11-21 23:21 . 2008-11-22 00:38 <DIR> d-------- c:\windows\system32\dim
2008-11-21 23:21 . 2008-11-22 00:45 <DIR> d--hs---- c:\windows\QnJpYW4
2008-11-21 23:21 . 2008-11-21 23:21 <DIR> d-------- c:\temp\FT62
2008-11-21 23:21 . 2008-11-25 23:57 <DIR> d-------- C:\Quarantine
2008-11-21 23:21 . 2008-11-21 23:21 153,425 --a------ c:\windows\system32\g64.exe
2008-11-21 23:21 . 2008-11-21 23:21 86,272 --a------ c:\windows\system32\drivers\hsfbs2s22.sys
2008-11-21 23:21 . 2008-11-21 23:21 64,859 --a------ c:\windows\system32\gxjxgzfsyn.exe
2008-11-21 23:21 . 2008-11-27 01:51 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-11-02 17:54 . 2008-11-02 17:54 921,624 --a------ C:\snp2sxp-001.raw

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-27 06:51 --------- d-----w c:\program files\Steam
2008-11-27 06:48 --------- d-----w c:\program files\PeerGuardian2
2008-11-23 09:04 --------- d-----w c:\program files\AIM6
2008-11-23 09:04 --------- d-----w c:\documents and settings\Brian\Application Data\Azureus
2008-11-23 07:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-22 06:21 --------- d-----w c:\program files\Azureus
2008-11-22 04:31 --------- d-----w c:\program files\Lavasoft
2008-11-22 04:20 --------- d-----w c:\program files\Yahoo!
2008-11-12 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 18:57 --------- d-----w c:\documents and settings\Brian\Application Data\Yahoo!
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-11 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-05 21:01 --------- d-----w c:\documents and settings\Brian\Application Data\mIRC
2008-10-04 02:02 --------- d-----w c:\program files\mIRC
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 19:52 --------- d-----w c:\program files\Microsoft
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-21 05:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-11-23 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-24 1957888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-22 1126400]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2005-01-18 196608]
"EzPrint"="c:\program files\Lexmark 6200 Series\ezprint.exe" [2004-09-17 61440]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-23 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\Program Files\\Common Files\\Logitech\\G-series Software\\LGDCore.exe"=

R1 hsfbs2s22;hsfbs2s22;c:\windows\system32\drivers\hsfbs2s22.sys [2008-11-21 86272]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" [2007-10-14 53307]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);c:\windows\system32\DRIVERS\snp2sxp.sys [2008-06-16 12039680]
S3 ALLOW-IO;ALLOW-IO;\??\D:\ALLOW-IO.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20e3318-506a-11dd-a044-000c41694a7d}]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{66d20ae1-776c-4893-bbc3-6acfe7019b01} - c:\windows\system32\pasozohe.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe
HKLM-Run-tsnp2std - c:\windows\tsnp2std.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\xyn7yy05.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Microsoft\Office Live\npOLW.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-27 01:51:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\ALCFDRTM.EXE
c:\windows\system32\lxbucoms.exe
.
**************************************************************************
.
Completion time: 2008-11-27 1:55:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-27 06:54:56

Pre-Run: 215,364,243,456 bytes free
Post-Run: 216,154,206,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237 --- E O F --- 2008-11-12 08:04:05

And the new HJT scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:04 AM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lxbucoms.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192340832859
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7176 bytes
 

· Premium Member · 29,813 Posts
Hello again, beingmused.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

http://www.techsupportforum.com/security-center/hijackthis-log-help/316517-help-getting-rid-vundo.html#post1824534

Collect::
c:\windows\system32\g64.exe
c:\windows\system32\drivers\hsfbs2s22.sys
c:\windows\system32\gxjxgzfsyn.exe

File::
c:\windows\system32\pinkip.ico
c:\windows\system32\drivers\core.cache.dsk

Folder::
c:\temp\tn3
C:\VundoFix Backups
c:\windows\system32\dPI19
c:\documents and settings\Brian\Application Data\NI.GSCNS
c:\windows\system32\mp
c:\windows\system32\ID2
c:\windows\system32\gp2
c:\windows\system32\dim
c:\windows\QnJpYW4
c:\temp\FT62

Driver::
hsfbs2s22
ALLOW-IO

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

DirLook::
C:\Quarantine

KillAll::

Save this Notepad file as CFScript.txt to your Desktop and then close the file.

Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.

With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


Please let your helper know you successfully submitted the file.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
 

· Premium Member · 29,813 Posts
Still with us, beingmused? Any trouble with those last instructions?
 

· Registered · 10 Posts · Discussion Starter · #6
Chemist - thanks for your persistence. I had to be out of town for a few days.

When I tried to follow these instructions, I found that my computer was *much* worse than before. The desktop has been changed (covered over, really) with some malicious "anti-spyware" link...no web browser will let me connect to this or related sites (I had to get the text file above onto a work laptop and then transfer it over to the computer). The task manager claims it has been "disabled by your administrator", but checking the registry keys for this, that is not the case.

Most distressing was that Combofix would not run. I turned McAfee off, tried it both on and offline, and it would not run either when I dragged the script file over to it, nor trying to open it normally. Same thing in Safe Mode.

I noticed a TON of new, obviously malicious things in my HJT logfile...I'm hoping fixing some of those might enable me to take that Combofix step. But I thought I would post that log here before trying anything:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:31 AM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\lxbucoms.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Documents and Settings\Brian\Desktop\ComboFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: (no name) - {66d20ae1-776c-4893-bbc3-6acfe7019b01} - C:\WINDOWS\system32\pasozohe.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: getwn32.msieof - {DEB3A92B-D7C9-40A7-BB0F-7A408C271C1D} - C:\WINDOWS\system32\getwn32.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]
O4 - HKLM\..\Run: [gadifadelu] Rundll32.exe "C:\WINDOWS\system32\temihozo.dll",s
O4 - HKLM\..\Run: [CPM4b1b31d1] Rundll32.exe "c:\windows\system32\hawuzado.dll",a
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192340832859
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\yewuwazi.dll c:\windows\system32\hawuzado.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hawuzado.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hawuzado.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8491 bytes
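
The 12/4 log above differs from the 11/27 one mainly in the load points that appeared in between: the chained UserInit executables (F2), the AppInit_DLLs entry (O20), the SSODL and SharedTaskScheduler hooks (O21/O22) and two Rundll32 Run keys, all pointing at randomly named DLLs in system32. As an added example (not from the thread, and not HijackThis or ComboFix tooling), the following Python script diffs two HijackThis logs and flags those kinds of entries. The sample lines are excerpted from the two logs beingmused posted; the rules in `flag_entry()` are this example's own assumptions about which entries merit review, not a HijackThis classification.

```python
"""Triage helper for HijackThis logs: diff two scans and flag risky load points.

Added example for this thread (not HijackThis, ComboFix or the helper's own
tooling). Sample lines are excerpted from the two logs posted in the thread;
the heuristics in flag_entry() are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

# Lines present in both scans (excerpt from the 11/27 log).
COMMON = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

# Entries that first appeared in the 12/4 log (excerpt from that log).
NEW_ON_12_04 = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: (no name) - {66d20ae1-776c-4893-bbc3-6acfe7019b01} - C:\WINDOWS\system32\pasozohe.dll (file missing)
O2 - BHO: getwn32.msieof - {DEB3A92B-D7C9-40A7-BB0F-7A408C271C1D} - C:\WINDOWS\system32\getwn32.dll
O4 - HKLM\..\Run: [gadifadelu] Rundll32.exe "C:\WINDOWS\system32\temihozo.dll",s
O4 - HKLM\..\Run: [CPM4b1b31d1] Rundll32.exe "c:\windows\system32\hawuzado.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\yewuwazi.dll c:\windows\system32\hawuzado.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hawuzado.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hawuzado.dll
"""

# Header and process-list lines are included to show they are skipped by the parser.
BEFORE_LOG = "Logfile of Trend Micro HijackThis v2.0.2\nRunning processes:\nC:\\WINDOWS\\explorer.exe\n" + COMMON
AFTER_LOG = "Logfile of Trend Micro HijackThis v2.0.2\n" + COMMON + NEW_ON_12_04

# Every HijackThis entry line has the shape "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")

# A DLL sitting directly in %SystemRoot%\system32 (no vendor subdirectory).
SYSTEM32_DLL = re.compile(r'[a-z]:\\windows\\system32\\[^\\\s"]+\.dll', re.I)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) pairs for the entry lines; everything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def new_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """Entries present in the later log but absent from the earlier one (case-insensitive)."""
    seen = {(k, b.lower()) for k, b in parse_hjt(before)}
    return [(k, b) for k, b in parse_hjt(after) if (k, b.lower()) not in seen]


def flag_entry(kind: str, body: str) -> str:
    """Return a reason if the entry is a high-risk load point, else an empty string."""
    low = body.lower()
    if kind == "F2" and "userinit=" in low:
        # Winlogon runs every executable in this list at logon; only userinit.exe belongs there.
        exes = [p for p in low.split("=", 1)[1].split(",") if p.strip()]
        if len(exes) > 1:
            return "extra executables chained into Winlogon UserInit"
    if kind == "O20" and "appinit_dlls:" in low and low.split(":", 1)[1].strip():
        return "AppInit_DLLs set: DLL injected into every process that loads user32"
    if kind in ("O21", "O22") and SYSTEM32_DLL.search(body):
        return "Explorer load point (SSODL/SharedTaskScheduler) points at a system32 DLL"
    if kind == "O2" and ("(no name)" in low or "(file missing)" in low):
        return "unnamed or orphaned Browser Helper Object"
    if kind == "O4" and "rundll32" in low and SYSTEM32_DLL.search(body):
        return "Run key uses rundll32 to load a DLL straight out of system32"
    return ""


def triage(before: str, after: str) -> Dict[str, list]:
    """Combine the diff with the heuristics so both views are available."""
    flagged = []
    for kind, body in parse_hjt(after):
        reason = flag_entry(kind, body)
        if reason:
            flagged.append((kind, body, reason))
    return {"new": new_entries(before, after), "flagged": flagged}


if __name__ == "__main__":
    report = triage(BEFORE_LOG, AFTER_LOG)
    print(f"{len(report['new'])} entries new since the earlier scan:")
    for kind, body in report["new"]:
        print(f"  {kind} - {body}")
    print(f"{len(report['flagged'])} high-risk load points:")
    for kind, body, reason in report["flagged"]:
        print(f"  [{reason}] {kind} - {body}")
```

The diff and the heuristics deliberately overlap rather than replace each other: getwn32.dll shows up as a new BHO but trips none of the rules, while the legitimate dla and ctfmon Run keys stay quiet because they neither use rundll32 nor load from an Explorer hook. The later ComboFix log in this thread confirms the picture the flags paint, listing hawuzado.dll, temihozo.dll, uesiuqcr.exe and twext.exe among the files it removed.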
 

· Premium Member · 29,813 Posts
Hello again, beingmused. It is important that you follow my instructions in a timely manner or we are both wasting our time. We will essentially have to start over.

Please delete all instances of ComboFix.exe from your desktop.

Download Combo-Fix from here on another computer to a USB drive and transfer it to the desktop of the infected computer.

Double-click Combo-Fix.exe to run it and post the log here for review.
 

· Registered · 10 Posts · Discussion Starter · #8
Thanks -

But deleting and downloading a new version does not fix the problem - it still won't run. I tried running it in both safe mode and under a regular boot, and then tried to "run as" the administrator account, but nothing caused it to appear. And since task manager won't work, I can't even see if the process is running or not.
 

· Premium Member · 29,813 Posts
Hello again, beingmused. See if this works:

Go to Start > Run and copy/paste the following into the Run box and click OK:

"%userprofile%\desktop\combo-fix.exe"

------------------------------------------------------

If that didn't work, try renaming it to a random name and double-click it.

If that doesn't work, try renaming it with a .com extension, instead of a .exe extension.

------------------------------------------------------

If that doesn't work, see if MBAM will run. You may have to rename it to get it to run.

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------
 

· Registered · 10 Posts · Discussion Starter · #10
Renaming did the trick, thanks. Here's the log:

ComboFix 08-12-02.02 - Brian 2008-12-05 18:53:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1606 [GMT -5:00]
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Brian\Application Data\NI.GSCNS
c:\documents and settings\Brian\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Brian\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\temp\tn3
c:\windows\default.htm
c:\windows\system32\~.exe
c:\windows\system32\dPI19
c:\windows\system32\drivers\TDSSmyvo.sys
c:\windows\system32\epegepov.ini
c:\windows\system32\hawuzado.dll
c:\windows\system32\kumosege.dll
c:\windows\system32\lasopile.dll
c:\windows\system32\TDSSacsn.dll
c:\windows\system32\TDSShchc.dll
c:\windows\system32\TDSSijjb.dat
c:\windows\system32\TDSSjokw.dll
c:\windows\system32\TDSSmhtv.log
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoigq.log
c:\windows\system32\TDSSqxub.dll
c:\windows\system32\TDSStken.dll
c:\windows\system32\TDSSurtm.dll
c:\windows\system32\temihozo.dll
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twain_32\user.ds.cla
c:\windows\system32\twext.exe
c:\windows\system32\uesiuqcr.exe
c:\windows\system32\vopegepe.dll
c:\windows\system32\wertyu.dll
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 18:57 . 2008-12-05 18:57 <DIR> d-------- c:\temp\tn3
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Sonic
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Logitech
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Ipswitch
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\ATI
2008-12-04 00:31 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2
2008-11-29 15:14 . 2008-11-29 15:14 2,713 ---hs---- c:\windows\system32\sebizawu.exe
2008-11-29 00:56 . 2008-11-29 01:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-28 18:52 . 2008-12-05 18:52 14,848 --a------ c:\windows\system32\getwn32.dll
2008-11-26 20:01 . 2008-11-26 20:01 <DIR> d-------- C:\VundoFix Backups
2008-11-24 18:27 . 2008-11-24 18:27 250 --a------ c:\windows\gmer.ini
2008-11-24 17:52 . 2008-11-24 17:55 <DIR> d-------- C:\lstdlls
2008-11-23 17:03 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-11-23 17:03 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-11-23 17:03 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-11-23 17:03 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-11-23 17:03 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-11-23 17:03 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-11-23 17:03 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-11-23 17:03 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-11-23 17:01 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2008-11-23 17:00 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-11-23 16:59 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-11-23 16:58 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2008-11-23 16:57 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-11-23 16:56 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-11-23 16:55 . 2008-04-13 20:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2008-11-23 16:54 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-11-23 16:53 . 2001-08-17 12:11 128,000 --a--c--- c:\windows\system32\dllcache\n100325.sys
2008-11-23 16:52 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-11-23 16:51 . 2008-04-13 20:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2008-11-23 16:50 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2008-11-23 16:49 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-11-23 16:48 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2008-11-23 16:47 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-11-23 16:46 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2008-11-23 16:45 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-11-23 03:42 . 2008-11-23 03:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 03:42 . 2008-11-23 03:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 03:41 . 2008-11-23 03:41 <DIR> d-------- c:\program files\Java
2008-11-23 02:34 . 2008-11-23 02:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-22 12:18 . 2008-11-22 12:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-22 09:43 . 2008-11-22 09:43 9,662 --a------ c:\windows\system32\pinkip.ico
2008-11-21 23:31 . 2008-11-21 23:31 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-21 23:21 . 2008-11-21 23:21 <DIR> d-------- c:\windows\system32\mp
2008-11-21 23:21 . 2008-11-23 04:04 <DIR> d-------- c:\windows\system32\ID2
2008-11-21 23:21 . 2008-11-22 00:38 <DIR> d-------- c:\windows\system32\gp2
2008-11-21 23:21 . 2008-11-22 00:38 <DIR> d-------- c:\windows\system32\dim
2008-11-21 23:21 . 2008-11-22 00:45 <DIR> d--hs---- c:\windows\QnJpYW4
2008-11-21 23:21 . 2008-11-21 23:21 <DIR> d-------- c:\temp\FT62
2008-11-21 23:21 . 2008-12-05 18:54 <DIR> d-------- C:\Quarantine
2008-11-21 23:21 . 2008-11-21 23:21 153,425 --a------ c:\windows\system32\g64.exe
2008-11-21 23:21 . 2008-11-21 23:21 86,272 --a------ c:\windows\system32\drivers\hsfbs2s22.sys
2008-11-21 23:21 . 2008-12-05 18:56 932 --------- c:\windows\system32\drivers\core.cache.dsk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 23:58 --------- d-----w c:\program files\Steam
2008-12-05 23:43 --------- d-----w c:\program files\PeerGuardian2
2008-11-29 05:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 09:04 --------- d-----w c:\program files\AIM6
2008-11-23 09:04 --------- d-----w c:\documents and settings\Brian\Application Data\Azureus
2008-11-23 07:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-22 06:21 --------- d-----w c:\program files\Azureus
2008-11-22 04:31 --------- d-----w c:\program files\Lavasoft
2008-11-22 04:20 --------- d-----w c:\program files\Yahoo!
2008-11-12 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 18:57 --------- d-----w c:\documents and settings\Brian\Application Data\Yahoo!
2008-10-11 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-05 21:01 --------- d-----w c:\documents and settings\Brian\Application Data\mIRC
2008-08-21 05:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((( [email protected]_ 1.54.31.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 08:30:27 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-05 23:52:33 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-23 08:30:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-05 23:52:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-23 08:30:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 23:52:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 23:57:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_764.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66d20ae1-776c-4893-bbc3-6acfe7019b01}]
c:\windows\system32\pasozohe.dll [BU]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEB3A92B-D7C9-40A7-BB0F-7A408C271C1D}]
2008-12-05 18:52 14848 --a------ c:\windows\system32\getwn32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-11-23 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-24 1957888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-22 1126400]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2005-01-18 196608]
"EzPrint"="c:\program files\Lexmark 6200 Series\ezprint.exe" [2004-09-17 61440]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-23 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\Program Files\\Common Files\\Logitech\\G-series Software\\LGDCore.exe"=

R1 hsfbs2s22;hsfbs2s22;c:\windows\system32\drivers\hsfbs2s22.sys [2008-11-21 86272]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;"c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe" [2007-10-14 53307]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 ALLOW-IO;ALLOW-IO;\??\D:\ALLOW-IO.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20e3318-506a-11dd-a044-000c41694a7d}]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\xyn7yy05.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Microsoft\Office Live\npOLW.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 18:57:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\ALCFDRTM.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\windows\system32\lxbucoms.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-05 19:01:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 00:01:33

Pre-Run: 216,265,207,808 bytes free
Post-Run: 216,399,491,072 bytes free

247 --- E O F --- 2008-11-12 08:04:05
 

· Premium Member · 29,813 Posts
Hello again, beingmused.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

http://www.microsoft.com/downloads/...8D-5E10-49B5-B80C-0A0205368124&displaylang=en

Do not be concerned that this file is for SP2 and you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please choose No!

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:


Collect::
c:\windows\system32\sebizawu.exe
c:\windows\system32\getwn32.dll
c:\windows\system32\g64.exe
c:\windows\system32\drivers\hsfbs2s22.sys

File::
c:\windows\system32\pinkip.ico
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\gxjxgzfsyn.exe

Folder::
c:\temp\tn3
C:\VundoFix Backups
c:\windows\system32\mp
c:\windows\system32\ID2
c:\windows\system32\gp2
c:\windows\system32\dim
c:\windows\QnJpYW4
c:\temp\FT62

Driver::
hsfbs2s22
ALLOW-IO

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66d20ae1-776c-4893-bbc3-6acfe7019b01}]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

DirLook::
C:\Quarantine

KillAll::

Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix, please click Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.

With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.


Please let your helper know you successfully submitted the file.


------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'.

Save the logfile and post it here. Please close HijackThis now.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
new HijackThis log
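As an added example (not part of the helper's post, the thread, or ComboFix itself), a short Python checker that cross-checks a CFScript against the ComboFix.txt it produced: it lists every File::/Folder::/Collect:: path and Driver:: name the script asked for that never shows up under the log's "Other Deletions" or "Drivers/Services" sections, and flags weak settings still visible under "Reg Loading Points" (firewall off, update warnings suppressed, a removable-volume AutoRun handler). The sample script and log excerpt are constructed from entries posted in this thread; the "((((( Title )))))" banner format is assumed from the logs above.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.
Added example, not from the thread or ComboFix itself; it assumes the
"((((( Title )))))" section banners and CFScript sections seen in this thread."""
import re

PATH_SECTIONS = {"File::", "Folder::", "Collect::"}  # entries are filesystem paths
DRIVER_SECTION = "Driver::"                           # entries are service names
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")
DRIVER_LINE = re.compile(r"^-+\\(?:Legacy|Service)_(.+)$", re.IGNORECASE)

# Settings that, if still visible after the fix, leave the machine exposed.
WEAK_SETTINGS = [
    ('"EnableFirewall"= 0', "Windows Firewall is off for the standard profile"),
    ('"UpdatesDisableNotify"=dword:00000001',
     "Security Center will not warn that automatic updates are off"),
    ("\\Shell\\AutoRun\\command", "an AutoRun handler is registered for a removable volume"),
]

def parse_cfscript(text):
    """Return the paths and driver names a CFScript asks ComboFix to remove."""
    paths, drivers, section = set(), set(), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):          # section header such as "File::"
            section = line
        elif section in PATH_SECTIONS:
            paths.add(line.lower())      # NTFS paths compare case-insensitively
        elif section == DRIVER_SECTION:
            drivers.add(line.lower())
    return {"paths": paths, "drivers": drivers}

def combofix_sections(text):
    """Split ComboFix.txt into {title: [lines]} using its banner lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections

def audit(cfscript_text, log_text):
    """Report script targets the log never confirms, plus weak settings left behind."""
    script = parse_cfscript(cfscript_text)
    sections = combofix_sections(log_text)
    deleted = {l.lower() for l in sections.get("Other Deletions", [])}
    removed = {m.group(1).lower()
               for m in map(DRIVER_LINE.match, sections.get("Drivers/Services", [])) if m}
    reg = sections.get("Reg Loading Points", [])
    return {
        "unconfirmed_paths": sorted(script["paths"] - deleted),
        "unconfirmed_drivers": sorted(script["drivers"] - removed),
        "weak_settings": [why for prefix, why in WEAK_SETTINGS
                          if any(l.startswith(prefix) for l in reg)],
    }

# Constructed sample input: a subset of the CFScript and log posted in this thread.
SAMPLE_CFSCRIPT = r"""
Collect::
c:\windows\system32\sebizawu.exe
c:\windows\system32\getwn32.dll
File::
c:\windows\system32\pinkip.ico
c:\windows\system32\gxjxgzfsyn.exe
Folder::
c:\temp\tn3
c:\windows\system32\mp
Driver::
hsfbs2s22
ALLOW-IO
"""

SAMPLE_LOG = r"""
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
c:\temp\tn3
c:\windows\system32\getwn32.dll
c:\windows\system32\mp
c:\windows\system32\mp\kstamv3.exe
c:\windows\system32\pinkip.ico
c:\windows\system32\sebizawu.exe
((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
-------\Service_ALLOW-IO
-------\Service_hsfbs2s22
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
"""

if __name__ == "__main__":
    for key, items in audit(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(f"{key}: {items or '(none)'}")
```

On the thread's own logs this reports gxjxgzfsyn.exe as unconfirmed (it is in the script's File:: section but absent from "Other Deletions"), which is exactly the kind of leftover the helper reviews by hand.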
 

· Registered · 10 Posts · Discussion Starter · #12 ·
Thanks again - I was unable to submit a file online for analysis - when the ComboFix log appeared, no message box showed up with the offer to submit the file for analysis. While I disabled McAfee when it rebooted, it, ah, restarted itself, which may have blocked this.

ComboFix 08-12-06.06 - Brian 2008-12-08 0:26:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1428 [GMT -5:00]
Running from: c:\documents and settings\Brian\Desktop\ninjafix.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\gxjxgzfsyn.exe
c:\windows\system32\pinkip.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\FT62
c:\temp\FT62\teTU.log
c:\temp\tn3
C:\VundoFix Backups
c:\windows\QnJpYW4
c:\windows\system32\dim
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\drivers\hsfbs2s22.sys
c:\windows\system32\g64.exe
c:\windows\system32\getwn32.dll
c:\windows\system32\gp2
c:\windows\system32\ID2
c:\windows\system32\mp
c:\windows\system32\mp\kstamv3.exe
c:\windows\system32\pinkip.ico
c:\windows\system32\sebizawu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALLOW-IO
-------\Legacy_HSFBS2S22
-------\Service_ALLOW-IO
-------\Service_hsfbs2s22


((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Sonic
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Logitech
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\Ipswitch
2008-12-04 00:32 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2\Application Data\ATI
2008-12-04 00:31 . 2008-12-04 00:32 <DIR> d-------- c:\documents and settings\brian2
2008-11-29 00:56 . 2008-11-29 01:01 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-11-24 18:27 . 2008-11-24 18:27 250 --a------ c:\windows\gmer.ini
2008-11-24 17:52 . 2008-11-24 17:55 <DIR> d-------- C:\lstdlls
2008-11-23 17:03 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2008-11-23 17:03 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2008-11-23 17:03 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2008-11-23 17:03 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2008-11-23 17:03 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2008-11-23 17:03 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2008-11-23 17:03 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2008-11-23 17:03 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2008-11-23 17:03 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2008-11-23 17:01 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2008-11-23 17:00 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2008-11-23 16:59 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2008-11-23 16:58 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2008-11-23 16:57 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2008-11-23 16:56 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2008-11-23 16:55 . 2008-04-13 20:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2008-11-23 16:54 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2008-11-23 16:53 . 2001-08-17 12:11 128,000 --a--c--- c:\windows\system32\dllcache\n100325.sys
2008-11-23 16:52 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2008-11-23 16:51 . 2008-04-13 20:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2008-11-23 16:50 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2008-11-23 16:49 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2008-11-23 16:48 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2008-11-23 16:47 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2008-11-23 16:46 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2008-11-23 16:45 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2008-11-23 03:42 . 2008-11-23 03:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-23 03:42 . 2008-11-23 03:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-23 03:41 . 2008-11-23 03:41 <DIR> d-------- c:\program files\Java
2008-11-23 02:34 . 2008-11-23 02:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-22 12:18 . 2008-11-22 12:18 <DIR> d-------- c:\program files\Trend Micro
2008-11-21 23:31 . 2008-11-21 23:31 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-21 23:21 . 2008-12-08 00:19 <DIR> d-------- C:\Quarantine

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 05:29 --------- d-----w c:\program files\Steam
2008-12-08 05:25 --------- d-----w c:\program files\PeerGuardian2
2008-11-29 05:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 09:04 --------- d-----w c:\program files\AIM6
2008-11-23 09:04 --------- d-----w c:\documents and settings\Brian\Application Data\Azureus
2008-11-23 07:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-22 06:21 --------- d-----w c:\program files\Azureus
2008-11-22 04:31 --------- d-----w c:\program files\Lavasoft
2008-11-22 04:20 --------- d-----w c:\program files\Yahoo!
2008-11-12 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:06 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 18:57 --------- d-----w c:\documents and settings\Brian\Application Data\Yahoo!
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-11 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-08-21 05:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Quarantine ----

2008-12-08 00:19 134656 --a------ c:\quarantine\7d8c8013283a90.bup
2008-12-05 18:55 134656 --a------ c:\quarantine\7d8c512371a30d0.bup
2008-12-05 18:54 89600 --a------ c:\quarantine\7d8c51236322de0.bup
2008-12-05 18:53 3072 --a------ c:\quarantine\7d8c512352236b0.bup
2008-11-29 15:42 3079168 --a------ c:\quarantine\7d8b1d222372ce0.bup
2008-11-27 01:55 134656 --a------ c:\quarantine\7d8b1b137191380.bup
2008-11-27 01:55 134656 --a------ c:\quarantine\7d8b1b137191190.bup
2008-11-25 23:57 27648 --a------ c:\quarantine\7d8b191739734b0.bup
2008-11-25 23:57 27648 --a------ c:\quarantine\7d8b19173971960.bup
2008-11-25 23:57 27648 --a------ c:\quarantine\7d8b19173971670.bup
2008-11-25 02:41 792576 --a------ c:\quarantine\7d8b19229b1350.bup
2008-11-25 02:05 27648 --a------ c:\quarantine\7d8b1925f5a0.bup
2008-11-25 02:05 27648 --a------ c:\quarantine\7d8b19251b3c50.bup
2008-11-25 02:05 27648 --a------ c:\quarantine\7d8b1925183580.bup
2008-11-24 00:18 58880 --a------ c:\quarantine\7d8b180122c1e40.bup
2008-11-24 00:18 37888 --a------ c:\quarantine\7d8b18012282510.bup
2008-11-24 00:18 35328 --a------ c:\quarantine\7d8b180122bab0.bup
2008-11-24 00:18 14336 --a------ c:\quarantine\7d8b18012291570.bup
2008-11-22 21:47 65024 --a------ c:\quarantine\7d8b16152f3431c0.bup
2008-11-22 21:47 65024 --a------ c:\quarantine\7d8b16152f328c0.bup
2008-11-22 20:11 65024 --a------ c:\quarantine\7d8b1614b136b0.bup
2008-11-22 20:10 65024 --a------ c:\quarantine\7d8b1614a3b2220.bup
2008-11-22 18:56 65024 --a------ c:\quarantine\7d8b1612381d1860.bup
2008-11-22 18:56 65024 --a------ c:\quarantine\7d8b1612381a36b0.bup
2008-11-22 12:45 43520 --a------ c:\quarantine\7d8b16c2d303c80.bup
2008-11-22 12:45 40960 --a------ c:\quarantine\7d8b16c2d302030.bup
2008-11-22 12:45 37888 --a------ c:\quarantine\7d8b16c2d314e0.bup
2008-11-22 12:45 35328 --a------ c:\quarantine\7d8b16c2d33fa0.bup
2008-11-22 12:45 14336 --a------ c:\quarantine\7d8b16c2d311480.bup
2008-11-21 23:37 55808 --a------ c:\quarantine\7d8b15172531570.bup
2008-11-21 23:37 43520 --a------ c:\quarantine\7d8b151725a2ce0.bup
2008-11-21 23:37 409600 --a------ c:\quarantine\7d8b1517251534b0.bup
2008-11-21 23:37 409600 --a------ c:\quarantine\7d8b1517251532c0.bup
2008-11-21 23:37 37888 --a------ c:\quarantine\7d8b15172510da0.bup
2008-11-21 23:31 409600 --a------ c:\quarantine\7d8b15171f241380.bup
2008-11-21 23:31 409600 --a------ c:\quarantine\7d8b15171f141b50.bup
2008-11-21 23:31 35328 --a------ c:\quarantine\7d8b15171f1038a0.bup
2008-11-21 23:29 43520 --a------ c:\quarantine\7d8b15171d10ea0.bup
2008-11-21 23:29 43520 --a------ c:\quarantine\7d8b15171d10cb0.bup
2008-11-21 23:29 40960 --a------ c:\quarantine\7d8b15171df3d80.bup
2008-11-21 23:29 37888 --a------ c:\quarantine\7d8b15171d101480.bup
2008-11-21 23:21 576000 --a------ c:\quarantine\7d8b151715b1f40.bup
2008-11-21 23:21 43520 --a------ c:\quarantine\7d8b15171533990.bup
2008-11-21 23:21 40960 --a------ c:\quarantine\7d8b151715933c0.bup
2008-11-21 23:21 40960 --a------ c:\quarantine\7d8b15171532bf0.bup
2008-11-21 23:21 37888 --a------ c:\quarantine\7d8b1517154f0.bup
2008-11-21 23:21 37888 --a------ c:\quarantine\7d8b1517154ea0.bup
2008-11-21 23:21 164352 --a------ c:\quarantine\7d8b1517152435b0.bup
2008-11-21 23:21 163328 --a------ c:\quarantine\7d8b1517152435b1.bup
2008-11-21 23:21 14336 --a------ c:\quarantine\7d8b15171541b50.bup


((((((((((((((((((((((((((((( [email protected]_ 1.54.31.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-23 08:30:27 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-05 23:52:33 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-23 08:30:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-05 23:52:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-23 08:30:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-05 23:52:33 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-08 05:29:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-11-23 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-24 1957888]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-22 1126400]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2005-01-18 196608]
"EzPrint"="c:\program files\Lexmark 6200 Series\ezprint.exe" [2004-09-17 61440]
"snp2std"="c:\windows\vsnp2std.exe" [2006-09-15 675840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-23 136600]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-23 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\cscript.exe"=
"c:\\Program Files\\Common Files\\Logitech\\G-series Software\\LGDCore.exe"=

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e20e3318-506a-11dd-a044-000c41694a7d}]
\Shell\AutoRun\command - e:\wd_windows_tools\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{DEB3A92B-D7C9-40A7-BB0F-7A408C271C1D} - c:\windows\system32\getwn32.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\xyn7yy05.default\
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Microsoft\Office Live\npOLW.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 00:29:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\ALCFDRTM.EXE
c:\windows\system32\lxbucoms.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-08 0:33:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-08 05:32:59
ComboFix2.txt 2008-12-08 05:19:40
ComboFix3.txt 2008-12-06 00:01:53

Pre-Run: 216,388,104,192 bytes free
Post-Run: 216,326,471,680 bytes free

278 --- E O F --- 2008-11-12 08:04:05

HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:44 AM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\lxbucoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,[email protected]
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1192340832859
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7231 bytes
 

· Premium Member
29,813 Posts
Hello again, beingmused. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I was unable to submit a file online for analysis
That's OK. We can do it another way:

There should be a file named [4][email protected] located here:

C:\QooBox\Quarantine\[4][email protected]

Please submit it to this site ==> http://www.bleepingcomputer.com/submit-malware.php?channel=4 and include this link in the message: http://www.techsupportforum.com/security-center/hijackthis-log-help/316517-help-getting-rid-vundo.html#post1841960

Use the Browse button to navigate to the file. Please let me know if you submitted the file successfully.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:


Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
 

· Registered
10 Posts
Discussion Starter · #14 ·
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 12, 2008 23:26:44
Records in database: 1456259
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 190216
Threat name: 17
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 02:05:07


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSmyvo.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dwwnw64r.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hawuzado.dll.vir Infected: Trojan-Spy.Win32.Agent.fdp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lumogowe.dll.vir Infected: Trojan.Win32.Monder.aard 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mp\kstamv3.exe.vir Infected: Trojan.Win32.Agent.asjz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hew 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\renibupu.dll.vir Infected: Trojan-GameThief.Win32.Magania.amis 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rswnw64m.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSacsn.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSjokw.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSStken.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSurtm.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uesiuqcr.exe.vir Infected: not-a-virus:AdWare.Win32.BHO.efr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uesiuqcr.exe.vir Infected: not-a-virus:AdWare.Win32.BHO.ekw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vopegepe.dll.vir Infected: Trojan.Win32.Monder.aamw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wertyu.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.efr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_twext_.exe.zip Infected: Worm.Win32.Pinit.gen 1
C:\Qoobox\Quarantine\[4][email protected] Infected: Trojan-Clicker.Win32.Agent.btf 1
C:\Qoobox\Quarantine\[4][email protected] Infected: not-a-virus:AdWare.Win32.BHO.efk 1

The selected area was scanned.
 

· Premium Member
29,813 Posts
Hello again, beingmused. Thanks for submitting the file.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the Kaspersky report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles:
To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy (http://www.safer-networking.org/en/download/index.html) is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
 

· Registered
10 Posts
Discussion Starter · #16 ·
After leaving the computer on for a day, I'm getting Firefox popups (something I never saw before). Also, McAfee has been finding and deleting various files - most were within the quarantined area, so removing combofix should stop that - but a few were not.
 

· Premium Member
29,813 Posts
Sorry beingmused. I failed to receive notice of your reply.

Kaspersky's only finds were in ComboFix's quarantine folder.

ComboFix should have been uninstalled prior to doing anything else.

------------------------------------------------------

Delete dds.scr from your desktop if you haven't already.


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please post the DDS.txt here. I only need to see DDS.txt.

------------------------------------------------------
 

· Registered
10 Posts
Discussion Starter · #20 ·
Yes indeed - sorry for the delay again, it was freezing upon booting, and my keyboard is too fancy or something to be able to operate before windows started to get into safe mode, so I had to get hold of another USB keyboard.

DDS -


DDS (Version 1.1.0) - NTFSx86
Run by Brian at 8:20:14.61 on Tue 12/23/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1406 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\lxbucoms.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Documents and Settings\Brian\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: c:\windows\system32\hqthdo.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: c:\windows\system32\iifcArpn.dll
BHO: c:\windows\system32\tuvSljjK.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [lxbumon.exe] "c:\program files\lexmark 6200 series\lxbumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 6200 series\ezprint.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LXBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBUtime.dll,[email protected]
mRun: [4828024d] rundll32.exe "c:\windows\system32\rgvvspsi.dll",b
mRun: [CTEMON.EXE] "" /h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: iifcArpn - iifcArpn.dll
AppInit_DLLs: hqthdo.dll
SEH: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
c:\windows\system32\iifcArpn.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvSljjK

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brian\applic~1\mozilla\firefox\profiles\xyn7yy05.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-1-24 31816]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-10-18 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-10-18 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-10-18 171400]

=============== Created Last 30 ================

2008-12-15 18:29 28,165 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-15 18:28 31,744 a------- c:\windows\system32\mdwpnpfd.exe
2008-12-15 18:22 129,024 a------- c:\windows\system32\hqthdo.dll
2008-12-15 18:22 129,024 a------- c:\windows\system32\dwwgchvg.dll
2008-12-15 18:20 1,663,458 ---sh--- c:\windows\system32\ispsvvgr.ini
2008-12-15 18:20 72,704 a------- c:\windows\system32\rgvvspsi.dll
2008-12-14 20:36 886,718 a--sh--- c:\windows\system32\KjjlSvut.ini2
2008-12-14 19:16 129,024 a------- c:\windows\system32\lbczbd.dll
2008-12-14 19:16 129,024 a------- c:\windows\system32\aqklebfl.dll
2008-12-14 19:16 1,647,120 ---sh--- c:\windows\system32\quubnvyh.ini
2008-12-14 07:17 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-14 07:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-13 19:13 129,024 a------- c:\windows\system32\wdvgrj.dll
2008-12-13 19:13 129,024 a------- c:\windows\system32\rychjnkr.dll
2008-12-13 19:12 875,285 a--sh--- c:\windows\system32\KjjlSvut.ini
2008-12-13 19:12 302,592 a------- c:\windows\system32\tuvSljjK.dll
2008-12-13 19:07 <DIR> --d----- c:\program files\GetModule
2008-12-13 19:07 34,816 a------- c:\windows\system32\iifcArpn.dll
2008-12-13 19:07 198,716 a------- c:\windows\system32\wpv931229210867.cpx
2008-12-13 18:17 <DIR> --d----- C:\ninjafix
2008-12-04 00:33 <DIR> --d----- c:\windows\pss
2008-11-29 00:56 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-11-27 01:46 <DIR> a-dshr-- C:\cmdcons
2008-11-24 18:27 250 a------- c:\windows\gmer.ini
2008-11-24 17:52 <DIR> --d----- C:\lstdlls
2008-11-23 17:15 <DIR> --d----- c:\windows\setup.pss
2008-11-23 17:03 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2008-11-23 17:03 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2008-11-23 17:03 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2008-11-23 17:03 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2008-11-23 17:03 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2008-11-23 17:03 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2008-11-23 17:03 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2008-11-23 17:03 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2008-11-23 17:03 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2008-11-23 17:03 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2008-11-23 17:01 687,999 ac------ c:\windows\system32\dllcache\usrwdxjs.sys
2008-11-23 17:00 166,784 ac------ c:\windows\system32\dllcache\tridxpm.sys
2008-11-23 16:59 32,640 ac------ c:\windows\system32\dllcache\symc8xx.sys
2008-11-23 16:58 20,752 ac------ c:\windows\system32\dllcache\sonync.sys
2008-11-23 16:57 161,568 ac------ c:\windows\system32\dllcache\sgsmusb.sys
2008-11-23 16:56 166,720 ac------ c:\windows\system32\dllcache\s3m.sys
2008-11-23 16:55 128,286 ac------ c:\windows\system32\dllcache\ptserli.sys
2008-11-23 16:54 41,984 ac------ c:\windows\system32\dllcache\ovui2rc.dll
2008-11-23 16:53 39,264 ac------ c:\windows\system32\dllcache\neo20xx.sys
2008-11-23 16:52 17,280 ac------ c:\windows\system32\dllcache\mraid35x.sys
2008-11-23 16:51 253,952 ac------ c:\windows\system32\dllcache\kdsusd.dll
2008-11-23 16:50 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2008-11-23 16:49 19,456 ac------ c:\windows\system32\dllcache\hr1w.dll
2008-11-23 16:48 27,165 ac------ c:\windows\system32\dllcache\fetnd5.sys
2008-11-23 16:47 117,760 ac------ c:\windows\system32\dllcache\e100b325.sys
2008-11-23 16:46 6,912 ac------ c:\windows\system32\dllcache\ctlfacem.sys
2008-11-23 16:45 87,552 ac------ c:\windows\system32\dllcache\avmcoxp.dll

==================== Find3M ====================

2008-11-23 03:41 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-08-21 00:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 8:22:43.93 ===============
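The Pseudo HJT Report and Created Last 30 sections of the DDS log above are what the helper reads by eye to tell the re-infection's load points (an unnamed BHO, a Winlogon Notify package, an AppInit_DLLs entry, an extra LSA authentication package, a rundll32 Run value with a hex-looking name, hidden+system .ini files dropped into system32, an svhost.exe in Application Data) from the legitimate ones beside them. The Python below is an added example for this thread and is not part of DDS, HijackThis or the fix the helper posted: it encodes those same checks and ranks each line by how many independent signals it trips, so a weak signal such as an odd-looking name never fires on its own. The sample lines are copied from the log in the thread; the weights, the assumed clean-XP baseline for Notify and LSA, the lookalike set and the regexes are the editor's assumptions, not anything DDS defines.

```python
"""Triage heuristics for DDS-style log lines (added example, not DDS code).

Weights, the clean-XP baseline and the regexes are the editor's assumptions.
"""
import re
from difflib import SequenceMatcher

# Assumed clean-XP contents of load points that third-party software rarely touches.
BASELINE = {"LSA": {"msv1_0"}, "Notify": {"ati2evxx.dll"}}
# Core binaries whose names droppers imitate (e.g. svhost.exe for svchost.exe).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
RANDOM_RUN = re.compile(r"[^aeiou]{5}")           # five consonants in a row
MODULE = re.compile(r"([\w~.-]+\.(?:dll|exe))", re.I)

LINE_PATTERNS = [
    ("BHO", re.compile(r"^BHO: (?P<rest>.+)$")),
    ("Run", re.compile(r"^[um]Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")),
    ("Notify", re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")),
    ("AppInit_DLLs", re.compile(r"^AppInit_DLLs: (?P<dll>.+)$")),
    ("LSA", re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")),
    ("File", re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$")),
]


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1]


def looks_random(name):
    """Weak signal: a 6-8 letter stem containing five consonants in a row (hqthdo, rgvvspsi)."""
    stem = name.rsplit(".", 1)[0]
    return 6 <= len(stem) <= 8 and stem.isalpha() and bool(RANDOM_RUN.search(stem.lower()))


def lookalike(name):
    """True when the name is nearly, but not exactly, a core Windows binary name."""
    low = name.lower()
    return any(low != s and SequenceMatcher(None, low, s).ratio() > 0.85 for s in SYSTEM_NAMES)


def triage(line):
    """Return (score, reasons) for one log line; (0, []) when nothing stands out."""
    for kind, pat in LINE_PATTERNS:
        m = pat.match(line.strip())
        if m:
            break
    else:
        return 0, []
    g, score, reasons, names = m.groupdict(), 0, [], []

    def hit(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    if kind == "BHO":
        if ": {" not in g["rest"]:   # DDS prints only the path when no name/CLSID is registered
            hit(3, "BHO registered without a name or CLSID")
        names.append(basename(g["rest"].rsplit(" - ", 1)[-1]))
    elif kind == "Run":
        cmd = g["cmd"]
        if re.fullmatch(r"[0-9a-f]{8}", g["key"], re.I):
            hit(2, "Run value named like a random hex id")
        if re.search(r'rundll32(\.exe)?\s+"?[^"]*system32\\[^"]+\.dll"?,\s*\w{1,2}\b', cmd, re.I):
            hit(3, "rundll32 loading a system32 DLL through a 1-2 letter export")
        if cmd.startswith('""'):
            hit(3, "Run value with an empty image path")
        names += MODULE.findall(cmd)[-1:]
    elif kind == "Notify":
        if g["dll"].lower() not in BASELINE["Notify"]:
            hit(3, "Winlogon Notify package outside the assumed baseline")
        names.append(g["dll"])
    elif kind == "AppInit_DLLs":
        hit(3, "AppInit_DLLs is normally empty on XP")
        names.append(basename(g["dll"]))
    elif kind == "LSA":
        extras = [p for p in g["pkgs"].split() if p.lower() not in BASELINE["LSA"]]
        if extras:
            hit(3, "extra LSA authentication package: " + ", ".join(extras))
        names += [basename(p) for p in extras]
    elif kind == "File":
        name, parent = basename(g["path"]), g["path"].lower().rsplit("\\", 1)[0]
        if parent.endswith("\\system32"):
            hit(1, "new file dropped directly into system32")
        if "s" in g["attr"] and "h" in g["attr"]:
            hit(2, "hidden+system attributes")
        if lookalike(name):
            hit(3, "name mimics a core Windows binary outside its normal location")
        names.append(name)
    for n in names:
        if looks_random(n):
            hit(1, "random-looking module name " + n)
    return score, reasons


def triage_log(lines, threshold=2):
    """Score every line; return (score, line, reasons) at or above threshold, highest first."""
    out = []
    for ln in lines:
        s, r = triage(ln)
        if s >= threshold:
            out.append((s, ln.strip(), r))
    return sorted(out, key=lambda t: -t[0])


# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: c:\windows\system32\hqthdo.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: c:\windows\system32\tuvSljjK.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [4828024d] rundll32.exe "c:\windows\system32\rgvvspsi.dll",b
mRun: [CTEMON.EXE] "" /h
Notify: AtiExtEvent - Ati2evxx.dll
Notify: iifcArpn - iifcArpn.dll
AppInit_DLLs: hqthdo.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvSljjK
2008-12-15 18:29 28,165 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-15 18:20 1,663,458 ---sh--- c:\windows\system32\ispsvvgr.ini
2008-11-23 03:41 410,976 a------- c:\windows\system32\deploytk.dll
""".strip().splitlines()

if __name__ == "__main__":
    for score, line, reasons in triage_log(SAMPLE_LOG):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
```

Run as a script it prints the nine flagged lines with their reasons, the rundll32 Run value first; RTHDCPL.EXE and deploytk.dll each trip one weak signal and stay below the threshold, and ctfmon.exe, SDHelper.dll and Ati2evxx.dll trip none. The baseline and lookalike sets are deliberately small; on a real triage they would be replaced by a known-good catalogue for the OS build in question.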
 