
Registered · 3 Posts · Discussion Starter · #1
Hi, I'm having a major issue with my computer continuously issuing a pop-up stating the following:
"Warning! Potential Spyware Operation~
Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorized access to your files! Check YES to download spyware remover..."

I also don't have administrator privileges on my PC anymore so I cannot open things like "Control Panel".

Here is the log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 6:27:42 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\BullGuard\vsserv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\msiexec.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\System32\msanton.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX01.625\HijackThis.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\MsiExec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qw2003.quicken.com/cgi-bin/qd.cgi/w/2003/install_unlock/?pc=5010259&sn=53424
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24038BE3-4EF2-41E2-A603-4CE3BDD9E874} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file)
O2 - BHO: (no name) - {9F2EA14C-CC8D-4EC6-B8F9-90760A3DAF9E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CB3E6B8D-53C7-4AC2-94BE-E2FE4E955984} - (no file)
O2 - BHO: (no name) - {CF368FC4-3241-409B-B1D6-0EA4FE33A555} - (no file)
O2 - BHO: (no name) - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: (no name) - {AC9BBDB2-8FCD-49C8-96F7-CC3CF7B453CD} - (no file)
O3 - Toolbar: (no name) - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - (no file)
O3 - Toolbar: (no name) - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - (no file)
O3 - Toolbar: (no name) - {210F79EC-C4B8-4AD5-B5B7-2B228F4376E9} - (no file)
O3 - Toolbar: (no name) - {6BBD76F0-FDBB-4D2D-AD36-5C922F510AF5} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {9BA420D2-40A3-431D-A863-531B0FBA0569} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe
O23 - Service: BullGuard Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

I am attaching the "extra.txt" file I saved from the dss executable.

Thanks,

Security Team (ret.) · 7,403 Posts
You do have a few nasties to remove...


Download SDFix from here and save it to your desktop.


Please then reboot your computer in Safe Mode by doing the following :
Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum.


=========================================

This will help to identify any malware on your system.
Please download Combofix from any of these locations:

Download ComboFix from Here or Here




Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run ComboFix without being supervised by a security analyst.
 

Registered · 3 Posts · Discussion Starter · #3
Thanks for your time and sorry for the delayed response. I did what you asked and ran SDFix in Safe Mode. Here is the report from that:

SDFix: Version 1.118

Run by Owner on Thu 12/13/2007 at 05:44 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Trey\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Owner\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Owner\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Owner\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 17:49:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"="C:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe:*:Enabled:iMesh"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\Trey\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sun 7 Sep 2003 196 A.SHR --- "C:\BOOT.BAK"
Mon 8 Sep 2003 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 10 Feb 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Sun 13 Mar 2005 29,696 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL0183.tmp"
Sun 13 Mar 2005 26,112 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL1974.tmp"
Sun 13 Mar 2005 23,552 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2014.tmp"
Sun 13 Mar 2005 27,136 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2326.tmp"
Tue 19 Apr 2005 30,720 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3202.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT12.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT14.tmp"
Wed 12 Dec 2007 151,852 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\526e15b6e1b5300357490c8089b5f84e\BIT15.tmp"
Tue 11 Dec 2007 8,646,776 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\67c8fc01100a7555e3d40c5e21ad4a52\BIT79.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ac396c0c2d53942a12157d0ad3c4135a\BIT15.tmp"
Thu 13 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3c3c6d9de8be474641d4bbceb22a36f\BIT11.tmp"
Tue 19 Apr 2005 30,720 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0108.tmp"

Finished!


And here is the report log from the ComboFix scan:
ComboFix 07-12-12.3 - Administrator 2007-12-13 18:43:12.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.284 [GMT -5:00]
Running from: C:\Trey\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\Cache\034C116B.bin
C:\Program Files\iMeshBar\bar\Cache\034C13CD.bmp
C:\Program Files\iMeshBar\bar\Cache\034C1553.bmp
C:\Program Files\iMeshBar\bar\Cache\files.ini
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\iMeshBar\bar\Settings\prevcfg.htm
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\uninstall.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\xlavba8




((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 18:38 . 2007-12-13 18:38 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-13 18:18 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-13 18:18 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-13 18:18 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-13 17:38 . 2007-12-13 18:37 <DIR> d-------- C:\Trey
2007-12-13 17:19 . 2007-12-13 17:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-13 17:16 . 2003-04-10 02:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-13 17:16 . 2003-04-10 06:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 17:16 . 2003-04-10 01:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-13 17:16 . 2003-04-10 01:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-13 17:16 . 2003-04-10 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-13 17:16 . 2003-04-10 01:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-13 17:16 . 2003-04-10 06:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-10 01:18 . 2007-12-10 01:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 21:47 . 2007-12-13 18:38 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-04 23:51 . 2007-12-04 23:51 <DIR> d-------- C:\Deckard
2007-12-04 18:38 . 2007-12-04 19:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 18:38 . 2007-12-04 18:38 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 18:38 . 2007-12-04 18:38 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 18:38 . 2007-12-04 18:38 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 18:18 . 2007-12-04 18:21 4,696 --a------ C:\WINDOWS\imsins.BAK
2007-12-04 18:15 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-04 18:09 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2007-12-04 18:07 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002258_.tmp
2007-12-04 18:07 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-04 18:04 . 2007-12-04 18:04 <DIR> d-------- C:\WINDOWS\EHome
2007-11-22 14:18 . 2007-11-22 14:18 6,144 --a------ C:\WINDOWS\system32\timoty.exe
2007-11-22 14:18 . 2007-11-22 14:18 6,144 --a------ C:\WINDOWS\system32\msanton.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 23:00 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-08 02:39 --------- d-----w C:\Program Files\XoftSpySE
2007-12-05 00:12 --------- d-----w C:\Program Files\HDeskStopPlus
2007-12-05 00:11 --------- d-----w C:\Program Files\Google
2007-12-05 00:10 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-05 00:09 --------- d-----w C:\Program Files\BullGuard
2007-12-05 00:08 --------- d-----w C:\Program Files\AdwareRemover2007
2007-11-26 03:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-11-23 04:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\iMesh
2007-11-22 19:18 289,280 ----a-w C:\WINDOWS\system32\libcurl.dll
2007-11-10 16:49 --------- d-----w C:\Program Files\Global DiVX Player
2007-11-08 14:29 --------- d-----w C:\Program Files\Common Files\Java
2007-11-02 15:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sunbelt Software
2007-11-01 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-01 20:37 --------- d-----w C:\Program Files\Sunbelt Software
2007-11-01 20:08 --------- d-----w C:\Program Files\support.com
2007-11-01 19:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 19:56 --------- d-----w C:\Program Files\CCleaner
2007-11-01 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-01 15:47 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-01 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-01 15:16 --------- d-----w C:\Program Files\Lavasoft
2007-10-29 12:54 111,727 ----a-w C:\viwx.exe
2007-05-17 05:11 197,816 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( [email protected]_18.27.34.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-13 23:19:37 5,250 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{817FB820-C011-4634-A5D1-8C95AC4C3B85}.bin
+ 2007-12-13 23:19:37 6,014 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{817FB820-C011-4634-A5D1-8C95AC4C3B85}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 13:44 C:\WINDOWS\system32\nview.dll]
"froody"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 14:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 19:11]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-03 13:44 C:\WINDOWS\system32\nwiz.exe]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 19:56]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 06:46]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 11:18]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-01 10:46]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"version"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 14:18]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 10:46]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
setings.exe [2007-11-22 14:18:02]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
setings.exe [2007-11-22 14:18:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
startup.exe [2007-11-22 14:18:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus USB.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus USB.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus USB.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

S2 FILESpy;FILESpy;\??\C:\Program Files\BullGuard\filespy.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 BWU713_A02;Blitzz Wireless G USB Controller;C:\WINDOWS\system32\DRIVERS\BWU713.sys
S3 TIAcxubt;D-Link WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\tiacxubt.sys
S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;C:\WINDOWS\system32\Drivers\tiacxusb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:38:01 C:\WINDOWS\Tasks\Ad-aware 6.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
"2007-12-13 23:27:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-09-09 01:52:36 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 18:45:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 18:46:32
.
2007-12-13 23:22:17 --- E O F ---


I still cannot access functions like "Add Remove Programs" or "User Accounts" from the Control Panel.

And I still receive messages like:
"Warning! Potential Spyware Operation~
Your computer is making unauthorized copies of your system and Internet files. Run full scan now to prevent any unauthorized access to your files! Check YES to download spyware remover..."
 

Security Team (ret.) · 7,403 Posts
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: (no name) - {24038BE3-4EF2-41E2-A603-4CE3BDD9E874} - (no file)
O2 - BHO: (no name) - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - (no file)
O2 - BHO: (no name) - {9F2EA14C-CC8D-4EC6-B8F9-90760A3DAF9E} - (no file)
O2 - BHO: (no name) - {CB3E6B8D-53C7-4AC2-94BE-E2FE4E955984} - (no file)
O2 - BHO: (no name) - {CF368FC4-3241-409B-B1D6-0EA4FE33A555} - (no file)
O2 - BHO: (no name) - {E6E59F48-7BF8-4BEE-B906-273526C25DA4} - (no file)
O3 - Toolbar: (no name) - {AC9BBDB2-8FCD-49C8-96F7-CC3CF7B453CD} - (no file)
O3 - Toolbar: (no name) - {521A5897-9EA7-43B4-A51D-B4C11D67BEEF} - (no file)
O3 - Toolbar: (no name) - {3B28B033-8C1B-47DE-803D-3CF3AAE2CD20} - (no file)
O3 - Toolbar: (no name) - {210F79EC-C4B8-4AD5-B5B7-2B228F4376E9} - (no file)
O3 - Toolbar: (no name) - {6BBD76F0-FDBB-4D2D-AD36-5C922F510AF5} - (no file)
O3 - Toolbar: (no name) - {9BA420D2-40A3-431D-A863-531B0FBA0569} - (no file)
O4 - HKLM\..\Run: [clkhost] C:\WINDOWS\xlaherx.exe
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\System32\spools.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

===========================================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\002258_.tmp
C:\WINDOWS\system32\timoty.exe
C:\WINDOWS\system32\msanton.exe
C:\WINDOWS\xlaherx.exe
C:\WINDOWS\System32\spools.exe
Folder::
C:\WINDOWS\System32\P2P Networking
C:\Program Files\AdwareRemover2007
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"froody"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"version"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe

Restart your computer.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
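The fix list at the top of this reply follows a few recurring patterns in a HijackThis log: an F2 Shell= value that launches something besides Explorer.exe, O2/O3 entries whose CLSID is registered but whose file is gone, O7 policy restrictions that lock the user out of admin tools, and several Run values pointing at one payload. The script below is an added example for this thread, not HijackThis's own logic and not the helper's method; the heuristics and the `triage`/`fix_list` function names are this example's assumptions, and it runs on a constructed subset of the log posted earlier in the thread.

```python
"""Triage a HijackThis v1.99-style log and build a candidate fix list.

The rules here are this example's own assumptions about what a reviewer
looks for; they are not HijackThis rules and not the thread's fix list.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# with one benign line per section left in so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24038BE3-4EF2-41E2-A603-4CE3BDD9E874} - (no file)
O3 - Toolbar: (no name) - {AC9BBDB2-8FCD-49C8-96F7-CC3CF7B453CD} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\System32\spools.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe (file missing)
"""

# Every HijackThis line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Registry Run entries as HijackThis prints them (Startup-folder O4 lines differ).
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse(log_text):
    """Yield (section, body, full_line) for each recognisable log entry."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def exe_target(cmd):
    """Normalise a Run command to the executable it launches (lower-case,
    arguments stripped). Assumption: the first '.exe' token is the program."""
    m = re.match(r'\s*"?(?P<path>.*?\.exe)"?', cmd, re.IGNORECASE)
    return m.group("path").replace("/", "\\").lower() if m else None


def triage(log_text):
    """Return a list of (log_line, reason) for entries a reviewer should act on."""
    findings = []
    run_targets = defaultdict(list)  # executable -> [(value name, line), ...]
    for section, body, line in parse(log_text):
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "shell hijack: Shell= launches more than Explorer.exe"))
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((line, "orphaned browser add-on: CLSID registered, file gone"))
        elif section == "O4":
            m = RUN_RE.match(body)
            target = exe_target(m.group("cmd")) if m else None
            if target:
                run_targets[target].append((m.group("name"), line))
        elif section == "O7":
            findings.append((line, "policy restriction: " + body.split(", ", 1)[-1]))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((line, "orphaned service: binary no longer present"))
    # One executable registered under several Run value names is a persistence tell.
    for target, regs in run_targets.items():
        if len(regs) > 1:
            names = ", ".join(name for name, _ in regs)
            for _, line in regs:
                findings.append((line, f"one payload under several Run values ({names}): {target}"))
    return findings


def fix_list(log_text):
    """The flagged lines, de-duplicated and in log order: the candidate HJT fix list."""
    seen = []
    for line, _ in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the sample the script flags the Shell= line, both orphaned add-ons, the DisableRegedit policy, the missing hpdj service binary and both Run values for timoty.exe, and passes the AVG and Adobe lines. It does not flag [dumprep] spools.exe: that entry is only suspicious because the value name mimics a Windows component and the path is not the real one, which is the kind of judgement a reviewer still has to supply on top of mechanical rules.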
 

Registered · 3 Posts · Discussion Starter · #5
Ok, I went into HijackThis and tried to end the processes involving timoty.exe but they reappear every time I restart the computer.
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKLM\..\Run: [froody] C:\WINDOWS\system32\timoty.exe

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

also reappears when I restart the PC.

Here is the ComboFix log:
ComboFix 07-12-12.3 - Administrator 2007-12-13 18:43:12.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.284 [GMT -5:00]
Running from: C:\Trey\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\Cache\034C116B.bin
C:\Program Files\iMeshBar\bar\Cache\034C13CD.bmp
C:\Program Files\iMeshBar\bar\Cache\034C1553.bmp
C:\Program Files\iMeshBar\bar\Cache\files.ini
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\iMeshBar\bar\Settings\prevcfg.htm
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\uninstall.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\xlavba8




((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 18:38 . 2007-12-13 18:38 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-13 18:18 . 2006-08-21 04:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-13 18:18 . 2006-08-21 04:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-13 18:18 . 2006-08-21 07:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-13 17:38 . 2007-12-13 18:37 <DIR> d-------- C:\Trey
2007-12-13 17:19 . 2007-12-13 17:19 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-13 17:16 . 2003-04-10 02:00 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-13 17:16 . 2003-04-10 06:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-13 17:16 . 2003-04-10 01:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-13 17:16 . 2003-04-10 01:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Share-to-Web Upload Folder
2007-12-13 17:16 . 2003-04-10 02:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2007-12-13 17:16 . 2003-04-10 01:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-13 17:16 . 2003-04-10 06:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2007-12-10 01:18 . 2007-12-10 01:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 21:47 . 2007-12-13 18:38 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-04 23:51 . 2007-12-04 23:51 <DIR> d-------- C:\Deckard
2007-12-04 18:38 . 2007-12-04 19:30 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-04 18:38 . 2007-12-04 18:38 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-04 18:38 . 2007-12-04 18:38 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-04 18:38 . 2007-12-04 18:38 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-04 18:18 . 2007-12-04 18:21 4,696 --a------ C:\WINDOWS\imsins.BAK
2007-12-04 18:15 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-04 18:12 . 2007-12-04 18:12 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-12-04 18:09 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2007-12-04 18:07 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002258_.tmp
2007-12-04 18:07 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-04 18:04 . 2007-12-04 18:04 <DIR> d-------- C:\WINDOWS\EHome
2007-11-22 14:18 . 2007-11-22 14:18 6,144 --a------ C:\WINDOWS\system32\timoty.exe
2007-11-22 14:18 . 2007-11-22 14:18 6,144 --a------ C:\WINDOWS\system32\msanton.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 23:00 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-08 02:39 --------- d-----w C:\Program Files\XoftSpySE
2007-12-05 00:12 --------- d-----w C:\Program Files\HDeskStopPlus
2007-12-05 00:11 --------- d-----w C:\Program Files\Google
2007-12-05 00:10 --------- d-----w C:\Program Files\ComcastToolbar
2007-12-05 00:09 --------- d-----w C:\Program Files\BullGuard
2007-12-05 00:08 --------- d-----w C:\Program Files\AdwareRemover2007
2007-11-26 03:03 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2007-11-23 04:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\iMesh
2007-11-22 19:18 289,280 ----a-w C:\WINDOWS\system32\libcurl.dll
2007-11-10 16:49 --------- d-----w C:\Program Files\Global DiVX Player
2007-11-08 14:29 --------- d-----w C:\Program Files\Common Files\Java
2007-11-02 15:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sunbelt Software
2007-11-01 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-01 20:37 --------- d-----w C:\Program Files\Sunbelt Software
2007-11-01 20:08 --------- d-----w C:\Program Files\support.com
2007-11-01 19:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-01 19:56 --------- d-----w C:\Program Files\CCleaner
2007-11-01 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-01 15:47 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-01 15:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-01 15:16 --------- d-----w C:\Program Files\Lavasoft
2007-10-29 12:54 111,727 ----a-w C:\viwx.exe
2007-05-17 05:11 197,816 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-13_18.27.34.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-13 23:19:37 5,250 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{817FB820-C011-4634-A5D1-8C95AC4C3B85}.bin
+ 2007-12-13 23:19:37 6,014 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{817FB820-C011-4634-A5D1-8C95AC4C3B85}.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-03 13:44 C:\WINDOWS\system32\nview.dll]
"froody"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 14:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 19:11]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 09:27]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-03-03 13:44 C:\WINDOWS\system32\nwiz.exe]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 19:56]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 06:46]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 11:18]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-01 10:46]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"version"="C:\WINDOWS\system32\timoty.exe" [2007-11-22 14:18]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-01 10:46]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
setings.exe [2007-11-22 14:18:02]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
setings.exe [2007-11-22 14:18:02]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
startup.exe [2007-11-22 14:18:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus USB.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus USB.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus USB.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

S2 FILESpy;FILESpy;\??\C:\Program Files\BullGuard\filespy.sys
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S3 BWU713_A02;Blitzz Wireless G USB Controller;C:\WINDOWS\system32\DRIVERS\BWU713.sys
S3 TIAcxubt;D-Link WLAN USB Boot Device;C:\WINDOWS\system32\Drivers\tiacxubt.sys
S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;C:\WINDOWS\system32\Drivers\tiacxusb.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-09 01:38:01 C:\WINDOWS\Tasks\Ad-aware 6.job"
- C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
"2007-12-13 23:27:39 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-09-09 01:52:36 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 18:45:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 18:46:32
.
2007-12-13 23:22:17 --- E O F ---


And here is the new HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:37 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msanton.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\BullGuard\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe
O23 - Service: BullGuard Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe

--
End of file - 7100 bytes
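The two logs above show the same infection registered through four separate autostart paths: the Winlogon `Shell=` value chain-loads `msanton.exe`, `timoty.exe` sits under both an HKLM and an HKCU `Run` value, bare executables were copied into every Startup folder, `AppInit_DLLs` loads `sockspy.dll` into every GUI process, and `DisableRegedit=1` is set to block cleanup. The script below is an added example written for this page, not part of the post and not a HijackThis or ComboFix feature. It parses the line shapes visible in the logs and flags those mechanisms; the heuristics (a non-default shell, one binary under several Run values, a raw `.exe` rather than a `.lnk` in a Startup folder, a non-empty `AppInit_DLLs`) are this example's own assumptions, and `SAMPLE_LOG` holds lines copied from the post.

```python
"""Flag autostart entries in a HijackThis / ComboFix log.

Added example for this page; not part of the forum post and not a
HijackThis feature. Parses the line shapes seen in the logs above and
reports the persistence mechanisms that stand out. The heuristics are
assumptions made for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # persistence mechanism the line uses
    detail: str  # triggering line or a short summary


# Line shapes exactly as they appear in the post's logs.
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
RUN_RE = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.+)$")
POLICY_RE = re.compile(r"^O7 - (HK\S+?)\\.*Policies\\System, (\w+)=(\d+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')

# Constructed sample: lines copied from the HijackThis and ComboFix output above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\msanton.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\timoty.exe
O4 - HKCU\..\Run: [froody] C:\WINDOWS\system32\timoty.exe
O4 - Startup: setings.exe
O4 - Global Startup: startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"AppInit_DLLs"=sockspy.dll
"""


def exe_of(command: str) -> str:
    """Executable named by a Run value, lower-cased, arguments dropped.

    Paths in these logs are usually unquoted and contain spaces, so cut at
    the first ".exe" rather than at the first space.
    """
    cmd = command.strip().lstrip('"')
    m = re.search(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).lower()


def basename_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_values: dict[str, list[str]] = defaultdict(list)  # exe -> ["HIVE:[name]"]

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SHELL_RE.match(line):
            # Winlogon's Shell should be exactly "Explorer.exe"; anything
            # appended starts at every logon before any Run key is read.
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append(Finding("winlogon-shell", line))
        elif m := RUN_RE.match(line):
            run_values[basename_of(exe_of(m.group(3)))].append(f"{m.group(1)}:[{m.group(2)}]")
        elif m := STARTUP_RE.match(line):
            # Installers drop .lnk shortcuts; a bare executable copied into a
            # Startup folder is the pattern in this log (heuristic).
            if m.group(2).strip().lower().endswith(".exe"):
                findings.append(Finding("startup-folder", line))
        elif m := POLICY_RE.match(line):
            if m.group(2) == "DisableRegedit" and m.group(3) == "1":
                findings.append(Finding("policy-lockout", line))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that maps user32.dll.
            if m.group(1).strip():
                findings.append(Finding("appinit-dll", line))

    # One binary registered under several Run values (timoty.exe under HKLM
    # "version" and HKCU "froody") is redundancy a normal installer does not need.
    for exe, names in sorted(run_values.items()):
        if len(names) > 1:
            findings.append(Finding("duplicate-run", f"{exe} via {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:15} {f.detail}")
```

Run against the sample it reports seven findings: the modified Shell value, the two Startup-folder executables, both DisableRegedit policies, the AppInit_DLLs entry, and `timoty.exe` registered twice. The point for cleanup is that removing any one of these leaves the others to restore the rest on the next logon, which is why the pop-up kept returning after reboots in this thread.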
 