Full Version: vundo trojan remnants
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
The Swert
Hi guys, I hope you can help. You come well recommended to me by my brother.

My issue seems to be the Vundo trojan, but I think there may be other trojans on my PC too. I first got infected last Wednesday, when my internet browser started showing pop-ups telling me that I was infected and tried to link me to a fake anti-spyware site. I Googled some of the symptoms and it seems to be related to Vundo. My initial Spy Sweeper and Spyware Doctor scans deleted several trojans, and then I tried VundoFix, which identified the file "c:/windows/system32/cewmdmk.dll" as the source of the Vundo but was unable to delete it. I then tried VirtumundoBeGone, which I read online that I should try; it identified the same file but could not delete it either. I then tried to Killbox the file and failed. Next I ran a KAV scan, which deleted more trojans and managed to stop the pop-ups but left the file intact. However, after the KAV scan I noticed my CPU usage go to 100% when idling, which it wasn't doing before. I then ran HJT, which showed the same as it still shows (see below). In the next couple of days I tried other programs, including AVG and the Symantec Trojan.Vundo Removal Tool, which both found nothing, and then Ad-Aware, which found one more seemingly unrelated trojan. My CPU usage is still 100%.
Any help would be appreciated.

Thanks in advance
Steven

My HijackThis log (I'm guessing the O2 and O20 entries need fixing, but I don't know how):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:40:45, on 1/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
O4 - HKLM\..\Run: [WinFastDTV] "C:\Program Files\WinFast\WFDTV\DTVSchdl.exe"
O4 - HKLM\..\Run: [WinFast Schedule] "C:\Program Files\WinFast\WFDTV\WFWIZ.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193131726484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4650 bytes
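The O2 and O20 entries in the log above point at the same DLL, which is the pattern worth checking for in any HijackThis log: a Browser Helper Object with no display name plus a Winlogon Notify package that loads the same file. The following triage script is an added example and is not part of this thread or of HijackThis; the sample lines are copied from the log above (with two benign lines added so the filter has something to leave alone), and the two flagging rules are this example's own heuristics, not HijackThis's.

```python
"""Correlate O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis v2 log.

Added example for this thread, not HijackThis code. The rules are:
  1. the same DLL is registered both as a BHO and as a Winlogon Notify package;
  2. a BHO is registered with no display name ("(no name)").
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted above plus two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return (bhos, notifies); paths are lower-cased so case differences collapse."""
    bhos, notifies = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"].lower()})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"name": m["name"], "path": m["path"].lower()})
    return bhos, notifies


def find_suspicious(text):
    """Return a list of {"path", "reasons"} for DLLs that trip at least one rule."""
    bhos, notifies = parse_hjt(text)
    refs = defaultdict(list)  # dll path -> [(entry type, display name), ...]
    for b in bhos:
        refs[b["path"]].append(("O2", b["name"]))
    for n in notifies:
        refs[n["path"]].append(("O20", n["name"]))

    findings = []
    for path, entries in sorted(refs.items()):
        reasons = []
        kinds = {kind for kind, _ in entries}
        if kinds == {"O2", "O20"}:
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify package")
        if any(kind == "O2" and name == "(no name)" for kind, name in entries):
            reasons.append("BHO has no display name")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["path"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample it reports `c:\windows\system32\cewmdmk.dll` with both reasons; the Java, NVIDIA and Spy Sweeper lines are ignored because they are neither O2 nor O20 entries. Matching on the normalised DLL path rather than on the O20 key name matters here, since the key name (`iynwuijm`) is random and changes between infections while the file it loads does not.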
LS CalamityJane
Vundo is especially difficult to remove. If you don't get all of it at once, it will just reinfect with different random file names and HijackThis is only showing a small part of it.

Let's use this free tool called ComboFix.

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If you do not have the Windows recovery console installed already, do follow the page's instructions for doing that before you run it.

When the tool is finished, it will produce a report for you.
Please post that report, located at C:\ComboFix.txt, along with a new HijackThis log.

The Swert
OK, well, that seemed to stop the 100% CPU usage.

Here are the reports:

ComboFix:

ComboFix 08-06-01.6 - Steven K 2008-06-03 14:39:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1152 [GMT 10:00]
Running from: C:\Documents and Settings\Steven K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven K\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\config.ini
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\Dvbpws.dll
C:\WINDOWS\Temp\1497512336.exe
C:\WINDOWS\Temp\1901658848.exe
C:\WINDOWS\Temp\313512101.exe
C:\WINDOWS\Temp\696956441.exe
C:\WINDOWS\system32\cewmdmk.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XLOTHCJU
-------\Service_xlothcju


((((((((((((((((((((((((( Files Created from 2008-05-03 to 2008-06-03 )))))))))))))))))))))))))))))))
.

2008-06-01 14:38 . 2008-06-01 14:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 14:38 . 2008-06-01 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:07 . 2008-05-30 15:07 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 14:50 . 2008-05-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-30 14:49 . 2008-05-30 14:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 13:52 . 2008-05-30 14:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-29 01:24 . 2008-05-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 00:34 . 2008-05-30 16:26 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-28 23:33 . 2008-05-28 23:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-28 21:24 . 2008-05-28 21:24 2,372 --a------ C:\vundofix.reg
2008-05-28 21:22 . 2008-05-28 21:22 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-05-28 21:11 . 2008-05-30 12:52 <DIR> d-------- C:\VundoFix Backups
2008-05-28 21:02 . 2008-05-28 21:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 20:01 . 2004-08-03 23:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-05-28 14:15 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-05-16 15:14 . 2008-05-16 15:14 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\yicggrcq
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-16 01:44 . 2008-05-16 01:44 <DIR> d-------- C:\Documents and Settings\Steven K\Application Data\yicggrcq
2008-05-13 01:19 . 2008-05-13 01:23 <DIR> d-------- C:\Program Files\Eviews 5
2008-05-13 00:14 . 2008-05-13 00:14 398 --a------ C:\WINDOWS\AudioConverter.INI
2008-05-13 00:13 . 2008-05-13 00:13 <DIR> d-------- C:\Program Files\easetech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 06:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 04:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Uniblue
2008-05-25 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-16 14:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Azureus
2008-05-15 15:44 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-06 16:07 --------- d-----w C:\Program Files\Pegasus - Paradox Games' Utilities
2008-05-06 15:39 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-06 15:39 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 10:37 20,608 ----a-w C:\WINDOWS\system32\drivers\tfpoanok.dat
2008-04-21 10:35 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-21 10:35 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
2008-04-20 05:28 --------- d-----w C:\Program Files\Azureus
2008-04-16 11:44 --------- d-----w C:\Program Files\EViews4 SV
2008-04-15 13:35 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Quantitative Micro Software
2008-03-19 08:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-18 08:52 6 ----a-w C:\Documents and Settings\Steven K\Application Data\mmrpzlic.dat
2008-03-17 11:09 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
.

------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2002-08-29 17:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 02:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2002-08-29 17:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2002-08-29 15:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2002-08-29 17:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2002-08-29 16:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2002-08-29 17:50 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2002-08-29 16:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2002-08-29 17:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2001-08-24 02:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2002-08-29 17:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2002-08-29 17:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B2AD9D5-67E0-449F-879F-C0F6A674B25A}]
2001-08-24 02:00 81920 --a------ c:\windows\system32\cewmdmk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-07-11 16:10 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-07-07 17:15 348160]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-11 22:11 286720]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr48.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\######.exe]
C:\WINDOWS\system32\######.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-11 22:11 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rfagent]
C:\Program Files\RFA\rfagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 drmioreh;drmioreh;C:\WINDOWS\system32\drivers\drmioreh.sys [2001-08-24 02:00]
R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-03-24 09:20]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-03-24 09:24]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-03-24 09:25]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-03-24 09:23]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-03-24 09:21]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-03-24 09:22]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 16:55]
S2 diperto5bcb-2e62;diperto5bcb-2e62;C:\WINDOWS\system32\diperto5bcb-2e62.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-18 15:26]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 14:45:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\SSTE.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2008-06-03 14:50:11 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-03 04:50:06

Pre-Run: 26,712,559,616 bytes free
Post-Run: 27,427,319,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

223


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:56:47, on 3/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
O4 - HKLM\..\Run: [WinFastDTV] "C:\Program Files\WinFast\WFDTV\DTVSchdl.exe"
O4 - HKLM\..\Run: [WinFast Schedule] "C:\Program Files\WinFast\WFDTV\WFWIZ.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193131726484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4819 bytes
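The "Reg Loading Points" section of the ComboFix report above records three settings a responder should notice before anything else: Security Center's antivirus and update alerts are switched off, the Windows Firewall standard profile is disabled, and one msconfig-disabled startup item points into a user's Temp folder. The script below is an added example, not part of the thread and not ComboFix code; it parses that REGEDIT4-style section and applies those three checks. The sample report is constructed from lines copied out of the report above (plus one benign QuickTime entry), and the audit rules are this example's own.

```python
"""Audit the "Reg Loading Points" section of a ComboFix report for weakened
defences. Added example for this thread; the parsing and rules are this
example's own, not ComboFix's.
"""
import re

# Constructed sample: lines copied from the ComboFix report above, plus one
# benign msconfig entry so the Temp-folder rule has something to pass.
SAMPLE_REPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-11 22:11 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+)$')


def parse_value(raw):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"-?\d+", raw)
    return int(m.group()) if m else None


def parse_sections(text):
    """Return [(key, [body lines])] in report order; blank lines are dropped."""
    sections, key, body = [], None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                sections.append((key, body))
            key, body = m["key"], []
        elif line and key is not None:
            body.append(line)
    if key is not None:
        sections.append((key, body))
    return sections


def audit(text):
    """Return human-readable findings for the three rules described above."""
    findings = []
    for key, body in parse_sections(text):
        k = key.lower()
        if k.endswith("\\security center"):
            for line in body:
                m = VALUE_RE.match(line)
                if m and m["name"].endswith("DisableNotify") and parse_value(m["raw"]) == 1:
                    findings.append(f"Security Center alert suppressed: {m['name']}")
        elif "firewallpolicy\\standardprofile" in k:
            for line in body:
                m = VALUE_RE.match(line)
                if m and m["name"] == "EnableFirewall" and parse_value(m["raw"]) == 0:
                    findings.append("Windows Firewall disabled for the standard profile")
        elif "\\msconfig\\startupreg\\" in k:
            for line in body:
                if "\\temp\\" in line.lower():
                    findings.append(f"Disabled startup item points into a Temp folder: {line}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REPORT):
        print("-", f)
```

On the sample this yields four findings: the Temp-folder startup item, the two suppressed Security Center alerts and the disabled firewall. The two suppressed alerts are the ones that explain why the machine stopped warning its owner; restoring them and the firewall after cleanup is part of finishing the job, not an optional extra.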
LS CalamityJane
Ok, we have hit a small snag here.

A file that you have disabled from startups using MSCONFIG has hit my "badwords filter" and replaced the file name with ######.exe. (It's a forum safety thing).

I need to know what that file name is (this is because some malware uses profanity, but our forum filter is blocking it from being displayed).

Go to Start > Run and type in the box: msconfig

Look under the Startup tab. Do you see a possible "badword".exe (badword could be anything)? If so, I need to know what that is. Send me a private message via My Controls, and for the file name insert spaces between each letter, like this:

b a d w o r d.exe

Here is how to send me a private message:

Go to any of my replies in this topic. On the left click on my username as shown below:

[screenshot attachment]

In the drop-down menu choices, click on *send message* as shown below:

[screenshot attachment]

Send me the requested information (with spaces between the letters) and it will be in a private message to me that only I can see.
LS CalamityJane
Thanks, I got it.

It could be just a leftover in the registry from a prior infection, but to make sure, please do this step next:

* Go here: http://www.eset.eu/online-scanner to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
...................
Go into Start > Run and type in the box: msconfig

Under the General tab, put a tick mark in the box next to: Normal Startup - load all device drivers and services. But when it asks to reboot, choose *exit without restart*. Then run the ComboFix tool and post a fresh log from it and a fresh HijackThis log. We may need to fix some of those items you had disabled, and I need to see them on the logs.

After we get the bad items cleared out, you can then disable any legitimate items you don't want to have starting up with Windows.
The Swert
OK, done that.

Since that first ComboFix my computer seems to be running faultlessly, although I'm still concerned, especially about that 'cewmdmk.dll' that appeared when I got infected and won't go away.

I think I disabled many of those startup items in a futile attempt to make my computer run faster, before I realised it was still infected.

Here's the logs:

ESET Scanner:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3157 (20080604)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=073166644e7c33439daab99c82e3a4c3
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-06-04 03:27:52
# local_time=2008-06-05 01:27:52 (+1000, AUS Eastern Standard Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=326893
# found=6
# scan_time=5163
C:\Documents and Settings\Steven K\Application Data\Sun\Java\Deployment\cache\6.0\45\4e06e6d-6839247f Java/Exploit.Bytverify trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Steven K\Application Data\Sun\Java\Deployment\cache\6.0\45\4e06e6d-6839247f »ZIP »Dnnny.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Steven K\Application Data\Sun\Java\Deployment\cache\6.0\45\4e06e6d-6839247f »ZIP »Den.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Steven K\Application Data\Sun\Java\Deployment\cache\6.0\45\4e06e6d-6839247f »ZIP »Din.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Documents and Settings\Steven K\Application Data\Sun\Java\Deployment\cache\6.0\45\4e06e6d-6839247f »ZIP »Dun.class Java/Exploit.Bytverify trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dllcache\beep.sys.vir a variant of Win32/Adware.UltimateDefender application (unable to clean - deleted) 00000000000000000000000000000000


ComboFix:

ComboFix 08-06-01.6 - Steven K 2008-06-05 1:36:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.999 [GMT 10:00]
Running from: C:\Documents and Settings\Steven K\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cewmdmk.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XLOTHCJU
-------\Service_xlothcju


((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 23:58 . 2008-06-05 01:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-01 14:38 . 2008-06-01 14:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 14:38 . 2008-06-01 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:07 . 2008-05-30 15:07 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 14:50 . 2008-05-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-30 14:49 . 2008-05-30 14:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 13:52 . 2008-05-30 14:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-29 01:24 . 2008-05-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 00:34 . 2008-05-30 16:26 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-28 23:33 . 2008-05-28 23:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-28 21:24 . 2008-05-28 21:24 2,372 --a------ C:\vundofix.reg
2008-05-28 21:22 . 2008-05-28 21:22 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-05-28 21:11 . 2008-05-30 12:52 <DIR> d-------- C:\VundoFix Backups
2008-05-28 21:02 . 2008-05-28 21:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 20:01 . 2004-08-03 23:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-05-28 14:15 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-05-16 15:14 . 2008-05-16 15:14 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\yicggrcq
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-16 01:44 . 2008-05-16 01:44 <DIR> d-------- C:\Documents and Settings\Steven K\Application Data\yicggrcq
2008-05-13 11:53 . 2008-05-13 11:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 11:53 . 2008-05-13 11:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 11:53 . 2008-05-13 11:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 11:51 . 2008-05-13 11:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 11:51 . 2008-05-13 11:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 11:49 . 2008-05-13 11:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-13 11:49 . 2008-05-13 11:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 11:49 . 2008-05-13 11:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-13 01:19 . 2008-05-13 01:23 <DIR> d-------- C:\Program Files\Eviews 5
2008-05-13 00:14 . 2008-05-13 00:14 398 --a------ C:\WINDOWS\AudioConverter.INI
2008-05-13 00:13 . 2008-05-13 00:13 <DIR> d-------- C:\Program Files\easetech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 02:56 --------- d-----w C:\Program Files\DivX
2008-06-01 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 06:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 04:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Uniblue
2008-05-25 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-16 14:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Azureus
2008-05-15 15:44 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-06 16:07 --------- d-----w C:\Program Files\Pegasus - Paradox Games' Utilities
2008-05-06 15:39 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-06 15:39 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 10:37 20,608 ----a-w C:\WINDOWS\system32\drivers\tfpoanok.dat
2008-04-21 10:35 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-20 05:28 --------- d-----w C:\Program Files\Azureus
2008-04-16 11:44 --------- d-----w C:\Program Files\EViews4 SV
2008-04-15 13:35 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Quantitative Micro Software
2008-03-19 08:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-18 08:52 6 ----a-w C:\Documents and Settings\Steven K\Application Data\mmrpzlic.dat
2008-03-17 11:09 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
.

------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2002-08-29 17:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 02:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2002-08-29 17:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2002-08-29 15:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2002-08-29 17:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2002-08-29 16:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2002-08-29 17:50 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2002-08-29 16:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2002-08-29 17:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2001-08-24 02:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2002-08-29 17:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2002-08-29 17:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-03_14.49.52.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 04:44:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-04 15:39:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-10-20 00:54:10 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
+ 2008-05-13 01:50:06 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
- 2007-10-20 00:54:12 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
+ 2008-05-13 01:50:08 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
+ 2008-05-13 01:50:08 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
- 2007-10-20 00:54:12 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
+ 2008-05-13 01:50:08 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
- 2007-10-20 00:54:12 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
+ 2008-05-13 01:50:08 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
- 2007-10-20 00:54:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
+ 2008-05-13 01:50:16 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
- 2007-10-18 09:03:08 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
+ 2008-05-13 01:50:10 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
- 2007-10-18 09:03:08 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
+ 2008-05-13 01:50:10 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
- 2007-10-18 09:03:08 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
+ 2008-05-13 01:50:12 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
- 2007-10-18 09:03:08 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
+ 2008-05-13 01:50:12 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
- 2007-10-18 09:03:08 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
+ 2008-05-13 01:50:12 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
- 2007-10-18 09:03:08 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
+ 2008-05-13 01:50:12 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
- 2007-10-20 00:54:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
+ 2008-05-13 01:50:16 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
- 2008-04-21 10:35:16 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
+ 2001-08-23 16:00:00 1,015,808 ----a-w C:\WINDOWS\system32\libeay32.dll
+ 2007-07-27 05:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 05:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 10:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 03:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 08:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 08:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-06 03:17:40 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 01:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2008-05-28 10:39:11 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-03 05:09:12 63,130 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-28 10:39:11 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-03 05:09:12 403,528 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-12-07 01:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B2AD9D5-67E0-449F-879F-C0F6A674B25A}]
2001-08-24 02:00 81920 --a------ c:\windows\system32\cewmdmk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-07-11 16:10 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-07-07 17:15 348160]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-11 22:11 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"rfagent"="C:\Program Files\RFA\rfagent.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-22 21:59:15 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\PENIS.exe]
C:\WINDOWS\system32\PENIS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 drmioreh;drmioreh;C:\WINDOWS\system32\drivers\drmioreh.sys [2001-08-24 02:00]
R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-03-24 09:20]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-03-24 09:24]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-03-24 09:25]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-03-24 09:23]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-03-24 09:21]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-03-24 09:22]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 16:55]
S2 diperto5bcb-2e62;diperto5bcb-2e62;C:\WINDOWS\system32\diperto5bcb-2e62.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-18 15:26]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 01:40:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-05 1:44:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 15:44:49
ComboFix2.txt 2008-06-03 04:50:12

Pre-Run: 26,865,573,888 bytes free
Post-Run: 27,348,041,728 bytes free

257


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:45:44, on 5/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
O4 - HKLM\..\Run: [WinFastDTV] "C:\Program Files\WinFast\WFDTV\DTVSchdl.exe"
O4 - HKLM\..\Run: [WinFast Schedule] "C:\Program Files\WinFast\WFDTV\WFWIZ.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193131726484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5765 bytes
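The Sigcheck section of the ComboFix log above lists, for each core system file, the size and MD5 of the live copy in system32 next to the copies kept in ServicePackFiles\i386 and $NtServicePackUninstall$; a helper reads it to see whether a system file has been replaced. As an added example that is not part of this thread and not ComboFix's own code, the Python script below parses such a section and flags any live copy whose size or MD5 differs from the ServicePackFiles baseline; its sample input is constructed from a few of the lines above plus one deliberately altered hash and one file with no baseline copy.

```python
"""Compare live system files against their ServicePackFiles\\i386 copies
using the 'Sigcheck' section of a ComboFix log.

Added example, not part of the forum thread or of ComboFix itself."""
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's Sigcheck format. The svchost.exe, ndis.sys
# and explorer.exe values are taken from the log in the thread; the wininet.dll
# system32 hash ('ffff...') is a deliberately altered, constructed value.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 00:56 656384 ffffffffffffffffffffffffffffffff C:\WINDOWS\system32\wininet.dll

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
.
"""

# One Sigcheck line: date, time, size in bytes, MD5, full path (may contain spaces).
SIGCHECK_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+?)\s*$"
)
REFERENCE_DIR = "\\servicepackfiles\\i386\\"      # the Service Pack's pristine copies
PRE_SP_DIR = "\\$ntservicepackuninstall$\\"       # pre-Service-Pack backups


def parse_sigcheck(log_text: str) -> List[Tuple[str, int, str]]:
    """Return (path, size, md5) for every line of the Sigcheck section.

    Parsing starts at the '------- Sigcheck -------' header and stops at the
    next ComboFix section marker (a lone '.' or a '(((' banner)."""
    entries: List[Tuple[str, int, str]] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.startswith("-") and "Sigcheck" in line
            continue
        if line == "." or line.startswith("((("):
            break
        m = SIGCHECK_LINE.match(line)
        if m:
            entries.append((m.group("path"), int(m.group("size")), m.group("md5").lower()))
    return entries


def check_sigcheck(log_text: str) -> Dict[str, str]:
    """Map each live file path to 'match', 'MISMATCH' or 'no reference'.

    A live copy is any entry outside ServicePackFiles and $NtServicePackUninstall$.
    All entries are collected first, so the order within a group does not
    matter (ComboFix sometimes prints the live copy before the reference).
    The verdict rests on size and MD5 only: a newer timestamp on the live copy
    (as with svchost.exe in the sample) is not by itself evidence of tampering."""
    reference: Dict[str, Tuple[int, str]] = {}
    live: List[Tuple[str, int, str]] = []
    for path, size, md5 in parse_sigcheck(log_text):
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if REFERENCE_DIR in lowered:
            reference[name] = (size, md5)
        elif PRE_SP_DIR in lowered:
            continue  # legitimately differs from the SP version; not a baseline
        else:
            live.append((path, size, md5))

    verdict: Dict[str, str] = {}
    for path, size, md5 in live:
        name = path.lower().rsplit("\\", 1)[-1]
        ref = reference.get(name)
        if ref is None:
            verdict[path] = "no reference"
        elif ref == (size, md5):
            verdict[path] = "match"
        else:
            verdict[path] = "MISMATCH"
    return verdict


if __name__ == "__main__":
    for path, status in check_sigcheck(SAMPLE_SIGCHECK).items():
        print(f"{status:13} {path}")
```

A "MISMATCH" means the copy Windows actually loads differs from the Service Pack's copy and deserves a closer look; "no reference" only means the log gave nothing to compare against.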
LS CalamityJane
Don't worry, I'm still collecting info so I can go after this all at once (and that BHO is already on the list).

I need a bit more from you and some files to examine and then I can write up a fix.

1. Please open Notepad - don't use any text editor other than Notepad or the script will fail.

2. Now copy/paste the entire content of the bold RED text below into the Notepad window


Collect::
c:\windows\system32\cewmdmk.dll
C:\WINDOWS\system32\penis.exe
C:\Documents and Settings\Steven K\Application Data\mmrpzlic.dat
C:\WINDOWS\system32\drivers\tfpoanok.dat
C:\WINDOWS\system32\drivers\drmioreh.sys

DirLook::
C:\Documents and Settings\NetworkService\Application Data\yicggrcq
C:\Documents and Settings\Steven K\Application Data\yicggrcq



3. Save that notepad file as: CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[attachment: animation]

5. Please post the following reports/logs into your next reply:

* Combofix.txt

6. Also, a file named: submit[date].zip will be created on your desktop. I need to examine that file.

Please do the following to get that file to me:

Please go here to upload the file for analysis.
http://www.uploadmalware.com/

* In the email field: (email not needed) Instead, please enter your username from this forum as: The Swert at LS

* in the Topic where file was requested field: Copy and paste the link to this thread:
http://www.lavasoftsupport.com/index.php?showtopic=18736

* Click "Browse" on the 1. field.
Browse to the Desktop and locate the following file and click the file with your mouse, press "Open"
Submit [date].zip

* In the comments field, please mention that I asked you to upload this file

* Click on Send File
The Swert
Apologies. In the interest of privacy I had been editing the ComboFix reports to omit my surname, using 'Steven K' instead. However, when you gave me that script I forgot to edit the surname back in, realising only afterwards, so I don't think it would have worked properly. Nonetheless I did complete the scan and uploaded the malware as requested. Would you like me to run another script for those other 2 entries with the correct directory?

Here's the combofix log:

ComboFix 08-06-01.6 - Steven K 2008-06-05 10:29:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1175 [GMT 10:00]
Running from: C:\Documents and Settings\Steven K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven K\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cewmdmk.dll
C:\WINDOWS\system32\drivers\drmioreh.sys
C:\WINDOWS\system32\drivers\tfpoanok.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XLOTHCJU
-------\Service_xlothcju
-------\Legacy_drmioreh
-------\Service_drmioreh


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 23:58 . 2008-06-05 01:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-01 14:38 . 2008-06-01 14:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 14:38 . 2008-06-01 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:07 . 2008-05-30 15:07 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 14:50 . 2008-05-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-30 14:49 . 2008-05-30 14:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 13:52 . 2008-05-30 14:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-29 01:24 . 2008-05-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 00:34 . 2008-05-30 16:26 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-28 23:33 . 2008-05-28 23:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-28 21:24 . 2008-05-28 21:24 2,372 --a------ C:\vundofix.reg
2008-05-28 21:22 . 2008-05-28 21:22 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-05-28 21:11 . 2008-05-30 12:52 <DIR> d-------- C:\VundoFix Backups
2008-05-28 21:02 . 2008-05-28 21:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 20:01 . 2004-08-03 23:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-05-28 14:15 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-05-16 15:14 . 2008-05-16 15:14 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\yicggrcq
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-16 01:44 . 2008-05-16 01:44 <DIR> d-------- C:\Documents and Settings\Steven K\Application Data\yicggrcq
2008-05-13 11:53 . 2008-05-13 11:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 11:53 . 2008-05-13 11:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 11:53 . 2008-05-13 11:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 11:51 . 2008-05-13 11:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 11:51 . 2008-05-13 11:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 11:49 . 2008-05-13 11:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-13 11:49 . 2008-05-13 11:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 11:49 . 2008-05-13 11:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-13 01:19 . 2008-05-13 01:23 <DIR> d-------- C:\Program Files\Eviews 5
2008-05-13 00:14 . 2008-05-13 00:14 398 --a------ C:\WINDOWS\AudioConverter.INI
2008-05-13 00:13 . 2008-05-13 00:13 <DIR> d-------- C:\Program Files\easetech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 02:56 --------- d-----w C:\Program Files\DivX
2008-06-01 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 06:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 04:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Uniblue
2008-05-25 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-16 14:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Azureus
2008-05-15 15:44 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-06 16:07 --------- d-----w C:\Program Files\Pegasus - Paradox Games' Utilities
2008-05-06 15:39 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-06 15:39 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 10:35 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-20 05:28 --------- d-----w C:\Program Files\Azureus
2008-04-16 11:44 --------- d-----w C:\Program Files\EViews4 SV
2008-04-15 13:35 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Quantitative Micro Software
2008-03-19 08:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-18 08:52 6 ----a-w C:\Documents and Settings\Steven K\Application Data\mmrpzlic.dat
2008-03-17 11:09 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\NetworkService\Application Data\yicggrcq ----

2008-06-03 20:01 64512 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\formhistory.sqlite
2008-06-03 19:54 4558 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\pluginreg.dat
2008-06-03 19:54 126976 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\places.sqlite
2008-06-03 19:54 0 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\places.sqlite-journal
2008-06-03 19:53 95669 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\xpti.dat
2008-06-03 19:53 367 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\prefs.js
2008-06-03 19:53 207 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\compatibility.ini
2008-06-03 19:53 126626 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\compreg.dat
2008-06-02 15:27 569 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\localstore.rdf
2008-05-16 15:14 65536 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\cert8.db
2008-05-16 15:14 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\permissions.sqlite
2008-05-16 15:14 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\cookies.sqlite
2008-05-16 15:14 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\secmod.db
2008-05-16 15:14 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\key3.db
2008-05-16 15:14 111 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\profiles.ini

---- Directory of C:\Documents and Settings\Steven K\Application Data\yicggrcq ----

C:\Documents and Settings\Steven K\Application Data\yicggrcq\


------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2002-08-29 17:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 02:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2002-08-29 17:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2002-08-29 15:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2002-08-29 17:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2002-08-29 16:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2002-08-29 17:50 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2002-08-29 16:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2002-08-29 17:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2001-08-24 02:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2002-08-29 17:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2002-08-29 17:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-05_ 1.44.35.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:39:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 00:34:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-07-11 16:10 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-07-07 17:15 348160]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-11 22:11 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"rfagent"="C:\Program Files\RFA\rfagent.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-22 21:59:15 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\PENIS.exe]
C:\WINDOWS\system32\PENIS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-03-24 09:20]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-03-24 09:24]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-03-24 09:25]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-03-24 09:23]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-03-24 09:21]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-03-24 09:22]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 16:55]
S2 diperto5bcb-2e62;diperto5bcb-2e62;C:\WINDOWS\system32\diperto5bcb-2e62.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-18 15:26]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

*Newly Created Service* - DRMIOREH
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 10:34:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-05 10:39:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 00:38:56
ComboFix2.txt 2008-06-04 15:44:56
ComboFix3.txt 2008-06-03 04:50:12

Pre-Run: 27,371,417,600 bytes free
Post-Run: 27,369,373,696 bytes free

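The Sigcheck block in the log above is ComboFix comparing each live system file (in system32, or C:\WINDOWS for explorer.exe) against the pristine copy the SP2 installer left in ServicePackFiles\i386, by size and MD5; the $NtServicePackUninstall$ copy is the pre-SP2 original and is expected to differ. Every live file in this log matches its reference, including svchost.exe, whose 2008-03-17 mtime is the only unusual thing about it (Find3M prints that same file at 11:09 and Sigcheck at 21:09; the 10-hour gap matches the GMT 10:00 in the log header, so compare timestamps only within one section). The Reg Loading Points block carries the findings a reviewer acts on: AntiVirusDisableNotify and UpdatesDisableNotify set to 1 silence Security Center, and EnableFirewall=0 turns the Windows Firewall off, a state worth asking the owner about because malware commonly sets it to suppress warnings. The script below, an added example and not ComboFix's own code, mechanises both checks over an excerpt of this log; one lsass.exe line carries a constructed all-zero hash so the mismatch branch runs (in the real log lsass.exe matched).

```python
"""Offline triage of two ComboFix log sections: the Sigcheck block (live
system file vs. the ServicePackFiles\\i386 copy) and the Reg Loading Points
values that silence Security Center or disable the firewall.
Added example; this is not ComboFix's own code."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log above, plus ONE constructed
# lsass.exe line with an all-zero hash so the mismatch branch is exercised
# (in the real log lsass.exe matched its reference).
SAMPLE_LOG = r"""
------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 00000000000000000000000000000000 C:\WINDOWS\system32\lsass.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SIG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-fA-F]{32}) (.+)$")
DWORD_LINE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
FIREWALL_LINE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
NOTIFY_VALUES = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify"}


def parse_sigcheck(log_text):
    """Return {basename: [(stamp, size, md5, path), ...]} for the Sigcheck block.
    ComboFix closes a section with a line holding a single dot."""
    entries = defaultdict(list)
    in_block = False
    for line in log_text.splitlines():
        if line.startswith("------- Sigcheck"):
            in_block = True
            continue
        if in_block and line.startswith("."):
            break
        m = SIG_LINE.match(line.strip()) if in_block else None
        if m:
            stamp, size, md5, path = m.groups()
            entries[path.rsplit("\\", 1)[-1].lower()].append((stamp, int(size), md5.lower(), path))
    return entries


def check_sigcheck(log_text):
    """Classify each live file (system32 or C:\\WINDOWS) against its
    ServicePackFiles\\i386 reference: ok, ok-retimestamped, MISMATCH or no-reference."""
    verdicts = {}
    for name, rows in parse_sigcheck(log_text).items():
        ref = [r for r in rows if "\\servicepackfiles\\" in r[3].lower()]
        live = [r for r in rows if "\\servicepackfiles\\" not in r[3].lower()
                and "$ntservicepackuninstall$" not in r[3].lower()]
        if not ref or not live:
            verdicts[name] = "no-reference"
            continue
        ref_stamp, ref_size, ref_md5, _ = ref[0]
        live_stamp, live_size, live_md5, _ = live[0]
        if (live_size, live_md5) != (ref_size, ref_md5):
            verdicts[name] = "MISMATCH"          # content differs from the SP2 copy
        elif live_stamp != ref_stamp:
            verdicts[name] = "ok-retimestamped"  # same bytes, only the mtime moved
        else:
            verdicts[name] = "ok"
    return verdicts


def tamper_indicators(log_text):
    """Registry values from the log that hide Security Center warnings or
    turn the Windows Firewall off, in the order they appear."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = DWORD_LINE.match(line)
        if m and m.group(1) in NOTIFY_VALUES and int(m.group(2), 16) == 1:
            found.append(f"{m.group(1)}=1")
            continue
        m = FIREWALL_LINE.match(line)
        if m and int(m.group(1)) == 0:
            found.append("EnableFirewall=0")
    return found


if __name__ == "__main__":
    for name, verdict in sorted(check_sigcheck(SAMPLE_LOG).items()):
        print(f"{name:<12} {verdict}")
    for hit in tamper_indicators(SAMPLE_LOG):
        print("tamper indicator:", hit)
```

To use it on a real log, read the file into `SAMPLE_LOG`'s place. A MISMATCH on a core file means the live binary is not the SP2 one, and the clean copy to restore is the ServicePackFiles\i386 reference printed on the neighbouring line; "ok-retimestamped" is the svchost.exe case here, identical bytes with a moved mtime, which on its own is not evidence of patching.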
LS CalamityJane
Well darn, of course that won't work if you altered the logs.

Look at the fix I posted. Insert the proper directory name where you see the one you altered. Then save that file as CFScript and run it as instructed.

Don't worry about the files already deleted, it will just skip them and go to the next one.
The Swert
Ok. New scan has been done and malware has been uploaded.

here's the combofix log:

ComboFix 08-06-01.6 - Steven K 2008-06-06 2:13:08.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1196 [GMT 10:00]
Running from: C:\Documents and Settings\Steven K\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven K\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Steven K\Application Data\mmrpzlic.dat

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 23:58 . 2008-06-05 01:27 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-06-01 14:38 . 2008-06-01 14:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-01 14:38 . 2008-06-01 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:07 . 2008-05-30 15:07 3,080 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 14:50 . 2008-05-30 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-30 14:49 . 2008-05-30 14:49 <DIR> d-------- C:\Program Files\Uniblue
2008-05-30 14:05 . 2008-05-30 14:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 13:52 . 2008-05-30 14:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-29 01:24 . 2008-05-29 01:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-29 00:34 . 2008-05-30 16:26 <DIR> d-------- C:\Program Files\Exterminate It!
2008-05-28 23:33 . 2008-05-28 23:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-28 21:24 . 2008-05-28 21:24 2,372 --a------ C:\vundofix.reg
2008-05-28 21:22 . 2008-05-28 21:22 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-05-28 21:11 . 2008-05-30 12:52 <DIR> d-------- C:\VundoFix Backups
2008-05-28 21:02 . 2008-05-28 21:02 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 20:01 . 2004-08-03 23:56 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2008-05-28 14:15 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-05-16 15:14 . 2008-05-16 15:14 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\yicggrcq
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-16 01:44 . 2008-05-16 01:44 <DIR> d-------- C:\Documents and Settings\Steven K\Application Data\yicggrcq
2008-05-13 11:53 . 2008-05-13 11:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 11:53 . 2008-05-13 11:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 11:53 . 2008-05-13 11:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 11:51 . 2008-05-13 11:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 11:51 . 2008-05-13 11:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 11:49 . 2008-05-13 11:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-13 11:49 . 2008-05-13 11:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 11:49 . 2008-05-13 11:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-13 01:19 . 2008-05-13 01:23 <DIR> d-------- C:\Program Files\Eviews 5
2008-05-13 00:14 . 2008-05-13 00:14 398 --a------ C:\WINDOWS\AudioConverter.INI
2008-05-13 00:13 . 2008-05-13 00:13 <DIR> d-------- C:\Program Files\easetech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 02:56 --------- d-----w C:\Program Files\DivX
2008-06-01 04:37 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 06:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 06:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 04:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Uniblue
2008-05-25 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-16 14:49 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Azureus
2008-05-15 15:44 --------- d-----w C:\Program Files\Common Files\Mozilla Shared
2008-05-06 16:07 --------- d-----w C:\Program Files\Pegasus - Paradox Games' Utilities
2008-05-06 15:39 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-05-06 15:39 249,856 ------w C:\WINDOWS\Setup1.exe
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-28 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 10:35 196,608 ----a-w C:\WINDOWS\system32\libssl32.dll
2008-04-20 05:28 --------- d-----w C:\Program Files\Azureus
2008-04-16 11:44 --------- d-----w C:\Program Files\EViews4 SV
2008-04-15 13:35 --------- d-----w C:\Documents and Settings\Steven K\Application Data\Quantitative Micro Software
2008-03-19 08:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-17 11:09 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\NetworkService\Application Data\yicggrcq ----

2008-06-03 20:01 64512 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\formhistory.sqlite
2008-06-03 19:54 4558 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\pluginreg.dat
2008-06-03 19:54 126976 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\places.sqlite
2008-06-03 19:54 0 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\places.sqlite-journal
2008-06-03 19:53 95669 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\xpti.dat
2008-06-03 19:53 367 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\prefs.js
2008-06-03 19:53 207 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\compatibility.ini
2008-06-03 19:53 126626 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\compreg.dat
2008-06-02 15:27 569 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\localstore.rdf
2008-05-16 15:14 65536 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\cert8.db
2008-05-16 15:14 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\permissions.sqlite
2008-05-16 15:14 2048 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\cookies.sqlite
2008-05-16 15:14 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\secmod.db
2008-05-16 15:14 16384 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\Profiles\2s5lgemr.default\key3.db
2008-05-16 15:14 111 --a------ C:\Documents and Settings\NetworkService\Application Data\yicggrcq\profiles.ini

---- Directory of C:\Documents and Settings\Steven K\Application Data\yicggrcq ----

2008-06-04 21:51 145408 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\formhistory.sqlite
2008-06-04 21:23 126976 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\places.sqlite
2008-06-04 21:23 0 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\places.sqlite-journal
2008-06-04 21:14 95669 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\xpti.dat
2008-06-04 21:14 4558 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\pluginreg.dat
2008-06-04 21:14 367 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\prefs.js
2008-06-04 21:14 207 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\compatibility.ini
2008-06-04 21:14 126626 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\compreg.dat
2008-06-01 17:34 569 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\localstore.rdf
2008-05-16 01:45 65536 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\cert8.db
2008-05-16 01:45 2048 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\permissions.sqlite
2008-05-16 01:45 2048 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\cookies.sqlite
2008-05-16 01:45 16384 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\secmod.db
2008-05-16 01:45 16384 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\Profiles\vldgo6bd.default\key3.db
2008-05-16 01:44 111 --a------ C:\Documents and Settings\Steven K\Application Data\yicggrcq\profiles.ini


------- Sigcheck -------

2001-08-24 02:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 00:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-03-17 21:09 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe

2002-08-29 17:41 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2004-08-04 00:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\system32\user32.dll

2001-08-24 02:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
2004-08-04 00:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll

2002-08-29 17:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-04 00:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\system32\wininet.dll

2002-08-29 15:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\system32\drivers\tcpip.sys

2002-08-29 17:41 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 00:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe

2002-08-29 16:09 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\ServicePackFiles\i386\ndis.sys
2004-08-03 23:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys
2004-08-03 23:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2002-08-29 17:50 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2004-08-03 22:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ntkrnlpa.exe

2002-08-29 16:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2004-08-03 23:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ntoskrnl.exe

2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\explorer.exe
2002-08-29 17:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 00:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2001-08-24 02:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 00:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe

2002-08-29 17:41 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 00:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe

2002-08-29 17:41 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-04 00:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot_2008-06-05_ 1.44.35.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:39:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-05 16:10:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [2006-07-11 16:10 69632]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [2006-07-07 17:15 348160]
"nwiz"="nwiz.exe" [2007-12-05 00:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 33280 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-11 22:11 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"rfagent"="C:\Program Files\RFA\rfagent.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-03-01 19:55 4865600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-22 21:59:15 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\PENIS.exe]
C:\WINDOWS\system32\PENIS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 wfcxacap;WinFast TV PCI Audio Capture Driver;C:\WINDOWS\system32\DRIVERS\wfcxacap.sys [2006-03-24 09:20]
R2 wfcxatun;WinFast TV Analog Tuner Driver;C:\WINDOWS\system32\drivers\wfcxatun.sys [2006-03-24 09:24]
R2 WFCXVCAP;WinFast TV Video Capture Driver;C:\WINDOWS\system32\drivers\wfcxvcap.sys [2006-03-24 09:25]
R3 wfcxdtun;WinFast DTV BDA Tuner/Demod Driver;C:\WINDOWS\system32\drivers\wfcxdtun.sys [2006-03-24 09:23]
R3 wfcxtcap;WinFast DTV BDA Transport Stream Capture Driver;C:\WINDOWS\system32\drivers\wfcxtcap.sys [2006-03-24 09:21]
R3 wfcxxbar;WinFast TV Crossbar Driver;C:\WINDOWS\system32\drivers\wfcxxbar.sys [2006-03-24 09:22]
R3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS [2005-01-06 16:55]
S2 diperto5bcb-2e62;diperto5bcb-2e62;C:\WINDOWS\system32\diperto5bcb-2e62.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-03-18 15:26]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2008-05-30 05:02:07 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 02:14:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 2:18:04
ComboFix-quarantined-files.txt 2008-06-05 16:18:02
ComboFix2.txt 2008-06-05 16:07:56
ComboFix3.txt 2008-06-05 00:39:01
ComboFix4.txt 2008-06-04 15:44:56
ComboFix5.txt 2008-06-03 04:50:12

Pre-Run: 27,337,043,968 bytes free
Post-Run: 27,327,168,512 bytes free

231
LS CalamityJane
Ok, thanks - got it

The files to delete were not found (so confirmed they have already been deleted).

But I find the *Look* section of the ComboFix log strange; it is a listing of the file names inside of these two suspicious directories:
QUOTE
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\NetworkService\Application Data\yicggrcq ----
---- Directory of C:\Documents and Settings\Steven K\Application Data\yicggrcq ----

The files listed all appear to be part of some profiles of your Firefox browser - just in the wrong location (normally those are in a Mozilla folder). So I'm not sure what that is about, but I don't think it's malware, so I would just leave it.

How is your computer acting at this point?
The Swert
I don't have Firefox. I did notice the other day a process called firefox.exe running in my task manager and was surprised.

The computer's running fine now, and that cewmdmk.dll is gone from my system32 folder but has been replaced with a cewmdmk.dll.bak. Is that an issue? There was a file with the same name there before my first KAV scan too, but it got deleted.

Edit: well, that's strange, I do actually have a Mozilla folder in my common files with Firefox, but it doesn't work. I can't remember installing it.
LS CalamityJane
Ok, let me take a look at the log that this other free tool will produce.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.
The Swert
Ok, here are the logs:

main.txt:

Deckard's System Scanner v20071014.68
Run by Steven K on 2008-06-07 15:00:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-06-07 05:00:35 UTC - RP75 - Deckard's System Scanner Restore Point
4: 2008-06-05 16:12:48 UTC - RP74 - ComboFix created restore point
3: 2008-06-05 16:00:00 UTC - RP73 - ComboFix created restore point
2: 2008-06-05 00:29:25 UTC - RP72 - ComboFix created restore point
1: 2008-06-05 00:17:14 UTC - RP71 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Steven K.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:01:22, on 7/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Steven K\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Steven K.exe

O4 - HKLM\..\Run: [WinFastDTV] "C:\Program Files\WinFast\WFDTV\DTVSchdl.exe"
O4 - HKLM\..\Run: [WinFast Schedule] "C:\Program Files\WinFast\WFDTV\WFWIZ.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193131726484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5291 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080529-012535-787 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-012535-943 O21 - SSODL: vregfwlx - {D8FF8945-0B9E-441B-A857-123B1B7A7CB9} - C:\WINDOWS\vregfwlx.dll (file missing)
backup-20080529-012559-790 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-013234-744 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-122608-338 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080529-122608-629 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-122653-160 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-122653-827 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080529-123119-426 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080529-123119-696 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080530-015352-589 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080530-020334-202 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080530-020334-282 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080530-134124-170 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll
backup-20080530-134124-280 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080530-134124-390 O3 - Toolbar: (no name) - {636F6360-35BA-4603-B7B8-847380EAAC76} - (no file)
backup-20080530-163220-665 O2 - BHO: (no name) - {0B2AD9D5-67E0-449F-879F-C0F6A674B25A} - c:\windows\system32\cewmdmk.dll
backup-20080530-163220-885 O20 - Winlogon Notify: iynwuijm - C:\WINDOWS\SYSTEM32\cewmdmk.dll

-- File Associations -----------------------------------------------------------

.ini - inifile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1
.txt - txtfile - shell\open\command - C:\WINDOWS\SYSTEM32\NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 asuskbnt (Enhanced Display Driver Helper Service) - c:\windows\system32\drivers\atkkbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Help driver For Keyboard Service.>
R1 wfcxacap (WinFast TV PCI Audio Capture Driver) - c:\windows\system32\drivers\wfcxacap.sys <Not Verified; Leadtek Research Inc.; wfcxacap.sys>
R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
R2 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R2 wfcxatun (WinFast TV Analog Tuner Driver) - c:\windows\system32\drivers\wfcxatun.sys <Not Verified; Leadtek Research Inc.; wfcxatun.sys>
R2 WFCXVCAP (WinFast TV Video Capture Driver) - c:\windows\system32\drivers\wfcxvcap.sys <Not Verified; Leadtek Research Inc.; wfcxvcap.sys>
R3 wfcxdtun (WinFast DTV BDA Tuner/Demod Driver) - c:\windows\system32\drivers\wfcxdtun.sys <Not Verified; Leadtek Research Inc.; wfcxdtun.sys>
R3 wfcxtcap (WinFast DTV BDA Transport Stream Capture Driver) - c:\windows\system32\drivers\wfcxtcap.sys <Not Verified; Leadtek Research Inc.; wfcxtcap.sys>
R3 wfcxxbar (WinFast TV Crossbar Driver) - c:\windows\system32\drivers\wfcxxbar.sys <Not Verified; Leadtek Research Inc.; wfcxxbar.sys>
R3 WFIOCTL - c:\program files\winfast\wfdtv\wfioctl.sys <Not Verified; Leadtek Research Inc.; WinFast MultiMedia Device Driver (Windows 2000/XP)>

S2 diperto5bcb-2e62 - c:\windows\system32\diperto5bcb-2e62.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 NTACCESS - d:\ntaccess.sys (file missing)
S3 Partizan - c:\windows\system32\drivers\partizan.sys (file missing)
S3 RegGuard - c:\windows\system32\drivers\regguard.sys <Not Verified; Greatis Software; RegRun Security Suite>
S3 SetupNTGLM7X - d:\ntglm7x.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ATKKeyboardService (ATK Keyboard Service) - c:\windows\atkkbservice.exe <Not Verified; ASUSTeK COMPUTER INC.; ASUS Keyboard Service>

S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>
S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-30 15:02:07 360 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2008-05-30 15:02:07 286 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job


-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-06 23:51:59 2 --a------ C:\WINDOWS\system32\Dvbpws.dll
2008-06-04 23:58:46 0 d-------- C:\Program Files\EsetOnlineScanner
2008-06-03 14:39:07 260272 --a------ C:\cmldr
2008-06-03 14:39:04 0 d-------- C:\cmdcons
2008-06-03 14:32:41 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 14:32:41 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 14:32:41 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 14:32:41 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 14:32:41 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 14:32:41 98816 --a------ C:\WINDOWS\sed.exe
2008-06-03 14:32:41 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 14:32:41 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-01 14:38:11 0 d-------- C:\Program Files\Lavasoft
2008-06-01 14:38:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-30 15:07:43 3080 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-30 14:50:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-05-30 14:49:22 0 d-------- C:\Program Files\Uniblue
2008-05-30 14:05:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 13:52:24 0 d-------- C:\Program Files\Enigma Software Group
2008-05-29 01:24:29 0 d-------- C:\Program Files\Trend Micro
2008-05-29 00:34:42 0 d-------- C:\Program Files\Exterminate It!
2008-05-28 23:33:07 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-28 23:33:07 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-28 23:33:07 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-28 23:33:07 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-28 23:33:07 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-28 23:33:07 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-28 23:33:07 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-28 23:33:07 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-28 23:33:07 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-28 23:33:07 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-28 23:33:07 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-28 23:33:07 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-28 23:33:07 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-28 23:33:06 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-28 21:24:05 2372 --a------ C:\vundofix.reg
2008-05-28 21:22:20 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-05-28 21:11:10 0 d-------- C:\VundoFix Backups
2008-05-28 21:02:54 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-28 20:01:28 33280 --a------ C:\WINDOWS\system32\rundll32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-28 14:15:17 8944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys <Not Verified; Greatis Software, LLC.; UnHackme>
2008-05-16 15:14:09 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2008-05-16 15:14:08 0 d-------- C:\Documents and Settings\NetworkService\Application Data\yicggrcq
2008-05-16 01:44:46 0 d-------- C:\Documents and Settings\Steven K\Application Data\Mozilla
2008-05-16 01:44:45 0 d-------- C:\Documents and Settings\Steven K\Application Data\yicggrcq
2008-05-13 11:53:16 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-13 11:50:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-13 11:50:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-13 11:50:08 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-13 11:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:50:08 831488 --a------ C:\WINDOWS\system32\divx_xx0a.dll
2008-05-13 11:50:08 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:50:06 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-13 11:49:02 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-13 01:19:01 0 d-------- C:\Program Files\Eviews 5
2008-05-13 00:13:35 0 d-------- C:\Program Files\easetech


-- Find3M Report ---------------------------------------------------------------

2008-06-07 14:59:21 0 d-------- C:\Program Files\Common Files
2008-06-04 12:56:51 0 d-------- C:\Program Files\DivX
2008-06-01 14:37:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 14:49:47 0 d-------- C:\Documents and Settings\Steven K\Application Data\Uniblue
2008-05-17 00:49:40 0 d-------- C:\Documents and Settings\Steven K\Application Data\Azureus
2008-05-07 02:07:01 0 d-------- C:\Program Files\Pegasus - Paradox Games' Utilities
2008-05-07 01:39:01 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-04-28 15:14:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-21 20:35:16 6490880 --a------ C:\WINDOWS\system32\rbdacory.dat
2008-04-21 20:35:16 35584 --a------ C:\WINDOWS\system32\cjlenlcj.dat
2008-04-21 20:35:15 36608 --a------ C:\WINDOWS\system32\ggmhlzfc.dat
2008-04-20 15:28:27 0 d-------- C:\Program Files\Azureus
2008-04-16 21:44:03 0 d-------- C:\Program Files\EViews4 SV
2008-04-15 23:35:51 0 d-------- C:\Documents and Settings\Steven K\Application Data\Quantitative Micro Software
2008-03-18 15:20:00 2 -rahs-o-t C:\WINDOWS\winstart.bat
2008-03-17 21:09:15 14336 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="C:\Program Files\WinFast\WFDTV\DTVSchdl.exe" [11/07/2006 16:10]
"WinFast Schedule"="C:\Program Files\WinFast\WFDTV\WFWIZ.exe" [07/07/2006 17:15]
"nwiz"="nwiz.exe" [05/12/2007 00:41 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [03/08/2004 23:56 C:\WINDOWS\system32\rundll32.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/10/2007 22:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25]
"rfagent"="C:\Program Files\RFA\rfagent.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 00:47]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/03/2007 19:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [22/09/2007 9:59:15 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Hmr48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe]
C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\FIFA08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32\PENIS.exe]
C:\WINDOWS\system32\PENIS.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-06-07 15:01:49 ------------

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2400+
Percentage of Memory in Use: 23%
Physical Memory (total/avail): 1535.49 MiB / 1167.94 MiB
Pagefile Memory (total/avail): 2156.91 MiB / 1932.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.38 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.89 GiB total, 24.98 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - ST360015A - 55.9 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 55.89 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Steven K\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=STEVEN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Steven K
LOGONSERVER=\\STEVEN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp
USERDOMAIN=STEVEN
USERNAME=Steven K
USERPROFILE=C:\Documents and Settings\Steven K
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Steven K (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
ASUS Enhanced Display Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime9\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Brother 1850 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Brother\BRHL1850\DeIsL2.isu" -cBRUNI185.dll
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Doomsday --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{69464949-AD9C-4C98-933F-C32FFC86F3C8}\setup.exe" -l0x9
EAX Unified --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\EAX Unified\Uninst.isu"
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Europa Universalis 2 --> C:\games\strategy\EUROPA~2\UNWISE.EXE C:\games\strategy\EUROPA~2\INSTALL.LOG
Europa Universalis III --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59C80C5E-8C92-40FF-B910-2BB5C7281F61}\setup.exe" -l0x9
EViews 4 SV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FC2486F-95F0-4F8F-9FD1-645B775864B4}\setup.exe" -uninst
F1 Challenge 99-02 --> C:\games\sport and racing\F1 Challenge\EAUninstall.exe
FIFA 08 --> MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
Footy Fanatic FX --> C:\games\sport and racing\Footy Fanatic FX\Uninstal.exe
Fraps --> "C:\Fraps\uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Hearts of Iron 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98786147-80E3-41A5-A80C-1F3C028558CF}\setup.exe" -l0x9
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setup.exe /uninstall
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA Windows 2000/XP nForce Drivers --> rundll32.exe C:\WINDOWS\System32\NVNFINST.DLL,NvUninstallCrush
Pegasus - Lord Ederon's Paradox Entertainment Games' Utilities --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Pegasus - Paradox Games' Utilities\ST6UNST.LOG"
Pegasus - Lord Ederon's Paradox Entertainment Games' Utilities (C:\Program Files\Pegasus - Paradox Games' Utilities\) --> C:\WINDOWS\st6unst.exe -n "C:\Program Files\Pegasus - Paradox Games' Utilities\ST6UNST.000"
Race Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8E309767-4214-4A04-AB88-FE86155FC151} /l1033
Samsung Digital Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B79684C-6DAC-438C-8F30-10DF65C2068F}\Setup.exe"
Samsung Master --> C:\Program Files\InstallShield Installation Information\{AEC0CEBC-0FC7-4716-8222-1C4A742719B1}\Setup.exe -runfromtemp -l0x0009 -removeonly
Season 2003 High Detail Update --> "C:\games\sport and racing\F1 Challenge\SETUP.1\setup.exe" /u
Season 2003 High Detail Update --> "C:\games\sport and racing\F1 Challenge\SETUP.2\setup.exe" /u
Season 2003 High Detail Update --> "C:\games\sport and racing\F1 Challenge\SETUP\setup.exe" /u
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
The Sport of Kings --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CB13E5E-47C8-4BEF-8022-9206136CAA63}\Setup.exe" -l0x9
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinFast DTV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C92C584E-C781-475E-A8E2-C67D993A6B95}\Setup.exe" -l0x9 -removeonly
WinFast Entertainment Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE4AA694-815A-4045-BD49-C94F2BED7458}\setup.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5736 / Warning
Event Submitted/Written: 06/07/2008 01:09:39 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5732 / Warning
Event Submitted/Written: 06/07/2008 02:28:19 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5728 / Warning
Event Submitted/Written: 06/06/2008 03:56:39 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5724 / Warning
Event Submitted/Written: 06/06/2008 03:03:26 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type5708 / Warning
Event Submitted/Written: 06/05/2008 11:16:08 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39082 / Error
Event Submitted/Written: 06/07/2008 03:01:30 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The BrSplService service has reported an invalid current state 0.

Event Record #/Type39057 / Error
Event Submitted/Written: 06/07/2008 01:27:53 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep

Event Record #/Type39056 / Error
Event Submitted/Written: 06/07/2008 01:27:53 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The diperto5bcb-2e62 service failed to start due to the following error:
%%2

Event Record #/Type39036 / Error
Event Submitted/Written: 06/07/2008 00:25:58 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep

Event Record #/Type39035 / Error
Event Submitted/Written: 06/07/2008 00:25:58 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The diperto5bcb-2e62 service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-06-07 15:01:49 ------------
The Swert
I think everything is fixed now. I haven't noticed anything wrong over a week and i was simply able to delete that cewmdmk.dll.bak. Thanks for all the help. You can now archive this or whatever.
LS CalamityJane
Hello,

I apologize for the late reply, I've had problems with an ISP outage. I don't see Mozilla or Firefox currently installed, but apparently it was at some time in the past.

Some final cleanup and prevention recommendations follow.

This step will uninstall the ComboFix tool, delete any remaining quarantined files, and reset your Windows Folder options to default (to rehide operating system files, etc), since it isn't needed anymore:

Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................

Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
LS CalamityJane
Also, forgot to have you do this.

Your Sun Java is very out of date and a security vulnerability!

Old versions left on your PC, even after updating, can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove Programs. Remove all old versions of Sun Java.
They will appear in the "J's" something similar to:

j2re1.4.2_05 or

JAVA 2 RUNTIME ENVIRONMENT SE V1.4.2_03

JAVA 2 RUNTIME ENVIRONMENT SE V.14.2_06

(or similar, and there may be more than one. Remove them all)

Then go get the latest up to date version here:
http://www.java.com/en/download/manual.jsp

Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046

This is a vulnerability in that newly updated versions of Sun Java do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.

These are the outdated versions you still have on there and need to remove.
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}


Current version of Sun Java is now: Version 6 Update 6
http://www.java.com/en/download/index.jsp
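The check described in the post above (find every Sun Java entry in the installed-programs list and compare it with the current release) can be automated against the scanner output. The following is an added example, not code from the thread, from Deckard's System Scanner or from Sun; it assumes the "Name --> uninstall command" line layout used in the scanner's installed-programs list and the two Java naming schemes that appear in it ("Java 2 Runtime Environment, SE v1.4.2_15" and "Java(TM) 6 Update 3"). The sample lines are constructed: they reuse the three entries quoted in the post and add a hypothetical "Java(TM) 6 Update 6" entry so that one entry passes. The current version, 6 Update 6, is the one the post names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the scanner's "Name --> uninstall command" layout.
# The three Java lines are the ones quoted in the post; the Update 6 line
# (hypothetical GUID) is added so that one entry passes the check.
SAMPLE_PROGRAMS = r"""
Java 2 Runtime Environment, SE v1.4.2_15 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142150}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 6 --> MsiExec.exe /I{00000000-PLACEHOLDER-GUID-000000000000}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
"""

# Version is normalised to (major, minor, micro, update): "1.4.2_15" -> (1,4,2,15),
# "Java 6 Update 3" -> (1,6,0,3), so plain tuple comparison orders releases.
Version = Tuple[int, int, int, int]

# "Version 6 Update 6", the current release the post names (assumption: Java 6 == 1.6.0).
CURRENT_JAVA: Version = (1, 6, 0, 6)

JAVA_OLD_STYLE = re.compile(r"^Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)_(\d+)")
JAVA_NEW_STYLE = re.compile(r"^Java(?:\(TM\)|™)? (\d+) Update (\d+)")


@dataclass
class JavaEntry:
    name: str        # display name as listed in Add/Remove Programs
    uninstall: str   # uninstall command as listed by the scanner
    version: Version


def parse_java_version(name: str) -> Optional[Version]:
    """Return the normalised version for a Sun Java entry, or None for other programs."""
    m = JAVA_OLD_STYLE.match(name)
    if m:
        return tuple(int(x) for x in m.groups())  # type: ignore[return-value]
    m = JAVA_NEW_STYLE.match(name)
    if m:
        major, update = int(m.group(1)), int(m.group(2))
        return (1, major, 0, update)
    return None


def parse_program_list(text: str) -> List[JavaEntry]:
    """Extract the Sun Java entries from a 'Name --> command' program list."""
    entries = []
    for line in text.splitlines():
        if " --> " not in line:
            continue  # blank line or something that is not a program entry
        name, cmd = line.split(" --> ", 1)
        version = parse_java_version(name.strip())
        if version is not None:
            entries.append(JavaEntry(name.strip(), cmd.strip(), version))
    return entries


def outdated_java(text: str, current: Version = CURRENT_JAVA):
    """Split the Java entries into (outdated, up-to-date) relative to `current`."""
    entries = parse_program_list(text)
    outdated = [e for e in entries if e.version < current]
    ok = [e for e in entries if e.version >= current]
    return outdated, ok


def report(text: str, current: Version = CURRENT_JAVA) -> List[str]:
    """Human-readable lines: one per Java entry, flagged REMOVE or OK."""
    outdated, ok = outdated_java(text, current)
    lines = [f"REMOVE  {e.name}" for e in outdated]
    lines += [f"OK      {e.name}" for e in ok]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PROGRAMS):
        print(line)
```

Run it as is and it lists the three outdated entries from the post as REMOVE and the constructed Update 6 entry as OK; point `outdated_java` at the installed-programs section of a real scanner log to get the same split. Any entry flagged REMOVE is one to uninstall through Add/Remove Programs, exactly as the post describes; the script only identifies them.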
The Swert
Yes, I did have Firefox installed and have now deleted it. Thanks for the recommendations, I've now done all that. And thanks once again for all the help. Hopefully I won't need to come back here again.
LS CalamityJane
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !
Invision Power Board © 2001-2010 Invision Power Services, Inc.