Full Version: Ad/Malware Problems. Need help.
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
Dakilleux
Recently I've been having problems including, but not limited to, computer slowdowns, pop-up outbreaks (they usually come in large numbers at random intervals; when I leave the computer and come back there are always a few of them), shady running processes and other stuff of the like. I'm using a rather old version of HijackThis, but I'm confident it'll work. Anyway, here's the log. I'm willing to give out any info you require. Also, XoftSpy and Ad-Aware scans brought back lots of results, all of which have been deleted or quarantined, but the problems persist.

CODE
Logfile of HijackThis v1.99.1
Scan saved at 22:23:35, on 2008-11-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [{F8-84-4C-C2-DW}] C:\windows\system32\dwwnw64r.exe DWmmm01FF
O4 - HKLM\..\Run: [vagcdinigipymvj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\itqtovdzbujfa.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Muchobene] C:\Program Files\Muchobene\Muchobene.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120831551936
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dbdlce.dll tvgdmi.dll zreoxr.dll ghvlsq.dll fztand.dll noxpuf.dll stcmdc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Blade81
Hi

Rename HijackThis.exe -> whatever.exe and post a fresh hjt log when renaming is done.
Dakilleux
CODE
Logfile of HijackThis v1.99.1
Scan saved at 07:59:25, on 2008-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
C:\windows\system32\dwwnw64r.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\program files\steam\steam.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Muchobene\Muchobene.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\Documents and Settings\Administrator\Desktop\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {42eaf5ab-7829-465b-beab-af52e782e086} - C:\WINDOWS\system32\efcDTjgh.dll
O2 - BHO: (no name) - {9e91ef7b-6846-45c3-a8ab-67cf7c900783} - C:\WINDOWS\system32\awttuRIx.dll
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {c5bf49a2-94f3-42bd-f434-3604812c897d} - C:\WINDOWS\system32\jsne87fidgf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [{F8-84-4C-C2-DW}] C:\windows\system32\dwwnw64r.exe DWmmm01FF
O4 - HKLM\..\Run: [vagcdinigipymvj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\itqtovdzbujfa.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Muchobene] C:\Program Files\Muchobene\Muchobene.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120831551936
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dbdlce.dll tvgdmi.dll zreoxr.dll ghvlsq.dll fztand.dll noxpuf.dll stcmdc.dll
O20 - Winlogon Notify: awttuRIx - C:\WINDOWS\SYSTEM32\awttuRIx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ultjcxux - C:\WINDOWS\SYSTEM32\ultjcxux32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CbEvtSvc (cbevtsvc) - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
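As an added example (not code from this thread, from HijackThis or from Lavasoft), here is a small Python triage script that applies the heuristics a log reader uses on the two logs above: auto-starts from a Temp folder, near-miss spellings of core Windows process names (csrssc.exe, winlogin.exe), random-looking Run value names and DLLs registered silently with regsvr32 /s, a populated AppInit_DLLs value, the DisableRegedit policy, and a service binary hidden in an NTFS alternate data stream (svchost.exe:ext.exe). The sample log is a handful of lines copied from the logs above; the vowel-ratio and edit-distance thresholds are assumptions of this example, not a published signature set.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Core Windows process names that malware imitates with near-miss spellings
# (csrssc.exe for csrss.exe, winlogin.exe for winlogon.exe, .svchost.exe ...).
CORE_PROCESSES = {"csrss", "winlogon", "svchost", "lsass", "services", "smss", "explorer"}
VOWELS = set("aeiou")

# Windows paths ending in an executable/library extension, quoted or bare.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|vbs)', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\\Run: \[([^\]]+)\]")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough for short process-name stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name: str) -> bool:
    """Heuristic (assumed threshold): a long, all-lowercase alphanumeric token
    with few vowels. Mixed-case names are skipped because vendors CamelCase."""
    if not re.fullmatch(r"[a-z0-9]{10,}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.35


def basename_stem(path: str) -> str:
    """'C:\\WINDOWS\\TEMP\\csrssc.exe' -> 'csrssc'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def check_line(line: str) -> List[str]:
    """Return the ids of every heuristic one HijackThis log line trips."""
    hits: List[str] = []
    paths = PATH_RE.findall(line)
    if any(re.search(r"\\temp\\", p, re.IGNORECASE) for p in paths):
        hits.append("temp_dir")            # auto-started from a temp folder
    for p in paths:
        stem = basename_stem(p)
        low = stem.lower()
        if (low not in CORE_PROCESSES and p.lower().endswith(".exe")
                and any(edit_distance(low, c) == 1 for c in CORE_PROCESSES)):
            hits.append("lookalike")       # near-miss of a core process name
        if p.lower().endswith(".dll") and looks_random(stem):
            hits.append("random_dll")
    m = RUN_NAME_RE.search(line)
    if m and looks_random(m.group(1)):
        hits.append("random_run_name")
    if "regsvr32.exe /s" in line.lower():
        hits.append("regsvr32_autorun")    # silent DLL registration at every logon
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        hits.append("appinit_dlls")        # DLLs injected into every GUI process
    if line.startswith("O7 ") and "DisableRegedit=1" in line:
        hits.append("regedit_disabled")    # policy blocks the user's own regedit
    if re.search(r"\.exe:[^\s\\]+\.exe", line, re.IGNORECASE):
        hits.append("ads_service")         # binary hidden in an NTFS alternate data stream
    return hits


def analyze(log: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair every flagged line with each rule it tripped, in log order."""
    return [(rule, ln.strip()) for ln in log for rule in check_line(ln.strip())]


def summarize(log: Iterable[str]) -> Dict[str, int]:
    return dict(Counter(rule for rule, _ in analyze(log)))


# Constructed sample: a few lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\csrssc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogin.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: dbdlce.dll tvgdmi.dll zreoxr.dll ghvlsq.dll fztand.dll noxpuf.dll stcmdc.dll
O20 - Winlogon Notify: ultjcxux - C:\WINDOWS\SYSTEM32\ultjcxux32.dll
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
""".strip().splitlines()

if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOG):
        print(f"{rule:18} {line}")
    print(summarize(SAMPLE_LOG))
```

Legitimate lines such as the Java updater and the Ad-Aware service produce no hits, while every entry the helper later targets trips at least one rule; treat the output as a reading aid for a human reviewer, not as a verdict.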
Blade81
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Dakilleux
ComboFix:

CODE
"Administrator" - 2007-06-06  8:14:35    Service Pack 2  NTFS  
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Administrator\My Documents\"


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))



-- Purity Folders:
C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\SSEMBL~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\STEM32~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\WNSXS~1
C:\DOCUME~1\ADMINI~1\APPLIC~1\YMANTE~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~1
C:\DOCUME~1\ADMINI~1\MYDOCU~1\FNTS~2
C:\DOCUME~1\ADMINI~1\MYDOCU~1\TSKS~1
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\arch\1001.dfn
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\keys.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0104.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0106.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0204.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0315.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0412.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0504.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon0904.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1125.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1204.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1215.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1909.ddx
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon1920.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\nfo\mon2007.dbd
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\vidmon
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\vidmon\vidmon.inf
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\install.log
C:\Program Files\Common Files\{D03F8~1
C:\Program Files\Common Files\{D03F8~1\system.dll
C:\Program Files\Common Files\{D03F8~1\Update.exe
C:\Program Files\Common Files\APPATC~1
C:\Program Files\Common Files\ASEMBL~1
C:\Program Files\Common Files\CURITY~1
C:\Program Files\Common Files\SCURIT~1
C:\Program Files\Common Files\SKS~1
C:\Program Files\Common Files\SSEMBL~1
C:\Program Files\Common Files\Uninstall Information
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\YMANTE~1
C:\Program Files\Common Files\YSTEM3~1
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\pedevice
C:\Program Files\pedevice\communication.xml
C:\Program Files\pedevice\Domain.Watchlist.txt
C:\Program Files\pedevice\Downloader.exe
C:\Program Files\pedevice\pae-options.xml
C:\Program Files\pedevice\pae_url.xml
C:\Program Files\pedevice\PeDev.exe
C:\Program Files\pedevice\pedevPS.dll
C:\Program Files\pedevice\Preparation.dll
C:\Program Files\pedevice\search.watchlist.txt
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Wallpaper\Metal Gear Solid 3 - Green.jpg
C:\Temp\tn3
C:\WINDOWS\CROSOF~1
C:\WINDOWS\DOBE~1
C:\WINDOWS\SMBOLS~1
C:\WINDOWS\system32\ASEMBL~1
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\SSTEM~1
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\YSTEM3~1
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\YMBOLS~1


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_COM+_MESSAGES
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\COM+ Messages
-------\core
-------\Network Monitor
-------\nm
-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-05-06 to 2007-06-06  )))))))))))))))))))))))))))))))


2007-06-05 21:57    <DIR>    d--------    C:\Program Files\My Video Converter
2007-06-05 21:39    <DIR>    d--------    C:\Program Files\STOIK Imaging
2007-06-05 21:39    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\APPLIC~1\STOIK
2007-06-05 21:35    <DIR>    d--------    C:\Program Files\AVI MPEG RM WMV Joiner
2007-06-05 21:28    31,232    --a------    C:\WINDOWS\system\vdremote.dll
2007-06-05 21:28    25,088    --a------    C:\WINDOWS\system\vdsvrlnk.dll
2007-06-05 21:24    <DIR>    d--------    C:\WINDOWS\system32\producer
2007-06-05 21:24    <DIR>    d--------    C:\Program Files\Easy AVI-MPEG-RM-WMV Joiner
2007-06-05 21:16    <DIR>    d--------    C:\Program Files\Manitools
2007-06-05 21:15    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\APPLIC~1\GetRightToGo
2007-06-05 17:24    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-06-05 17:14    <DIR>    d--------    C:\Program Files\Bonjour
2007-06-05 16:57    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\avidemux
2007-06-05 16:56    <DIR>    d--------    C:\Program Files\Avidemux
2007-06-05 16:41    <DIR>    d--------    C:\Program Files\Common Files\Macrovision Shared
2007-06-05 08:46    <DIR>    d--------    C:\Program Files\VDCodecPack3.7
2007-06-04 19:35    9,856    --a------    C:\WINDOWS\system32\drivers\pfc.sys
2007-06-04 19:35    671,744    --a------    C:\WINDOWS\system32\DolbyHph.dll
2007-06-04 19:35    60,416    --a------    C:\WINDOWS\system32\DSETUP.dll
2007-06-04 19:35    14,848    --a------    C:\WINDOWS\system32\drivers\nvndis.sys
2007-06-04 19:35    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA Corporation
2007-06-04 19:22    <DIR>    d--------    C:\Program Files\Windows Media Connect 2
2007-06-04 19:18    <DIR>    d--------    C:\WINDOWS\system32\drivers\UMDF
2007-06-01 11:29    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\WildTangent
2007-05-27 18:53    252    --a------    C:\WINDOWS\fcxuhc.exe
2007-05-27 18:52    <DIR>    d--------    C:\Program Files\WinTouch
2007-05-25 21:20    <DIR>    d--------    C:\DOCUME~1\ALLUSE~1\APPLIC~1\SwiftSwitch
2007-05-23 17:24    <DIR>    d--------    C:\Program Files\Power Tab Software
2007-05-21 11:34    20,480    --a------    C:\WINDOWS\system32\autosayer.exe
2007-05-18 18:08    10,556    --a------    C:\WINDOWS\system32\drivers\filedisk.sys
2007-05-18 18:08    <DIR>    d--------    C:\Program Files\PSP Brew
2007-05-13 18:41    <DIR>    d--------    C:\jython2.2b2
2007-05-10 22:17    <DIR>    d--------    C:\Program Files\thriXXX
2007-05-08 17:33    <DIR>    d--------    C:\Program Files\WinUHA
2007-05-06 11:28    <DIR>    d--------    C:\Program Files\TextPad 5
2007-05-06 11:28    <DIR>    d--------    C:\DOCUME~1\ADMINI~1\APPLIC~1\Helios


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-06 12:00:08    --------    d-----w    C:\Program Files\psquery
2007-06-06 11:35:12    --------    d-----w    C:\Program Files\mIRC
2007-06-06 01:39:16    --------    d--h--w    C:\Program Files\InstallShield Installation Information
2007-06-06 01:05:47    --------    d-----w    C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-06-05 21:24:46    84,928    ----a-w    C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-06-04 23:35:36    --------    d-----w    C:\Program Files\NVIDIA Corporation
2007-06-04 23:16:54    --------    d-----w    C:\Program Files\Windows Media Connect
2007-06-04 16:53:36    --------    d-----w    C:\Program Files\SwiftSwitch
2007-06-01 17:22:19    --------    d-----w    C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-29 12:26:49    --------    d-----w    C:\Program Files\XoftSpySE
2007-05-27 21:13:39    --------    d-----w    C:\Program Files\Conquer 2.0
2007-05-25 20:51:17    --------    d-----w    C:\Program Files\LimeWire
2007-05-23 18:27:36    --------    d-----w    C:\DOCUME~1\ADMINI~1\APPLIC~1\Hamachi
2007-05-21 20:31:29    --------    d-----w    C:\Program Files\MoparScape
2007-05-14 01:46:14    --------    d-----w    C:\Program Files\Hamachi
2007-05-09 23:07:25    --------    d-----w    C:\Program Files\Common Files\Blizzard Entertainment
2007-05-07 22:23:16    --------    d-----w    C:\Program Files\Blizzard
2007-05-07 20:54:31    --------    d-----w    C:\Program Files\Counter-Strike 1.6
2007-05-06 04:59:31    80    --sh--r    C:\WINDOWS\system32\CC4A4B8025.dll
2007-04-29 20:22:26    --------    d-----w    C:\Program Files\Morrowind Enchanted Editor
2007-04-28 04:47:46    --------    d-----w    C:\Program Files\SmartFTP Client 2.0
2007-04-26 04:36:18    --------    d-----w    C:\Program Files\pasystem
2007-04-24 21:32:34    --------    d-----w    C:\Program Files\Cheating-Death
2007-04-22 00:57:19    --------    d-----w    C:\DOCUME~1\ADMINI~1\APPLIC~1\Conceiva
2007-04-22 00:56:31    --------    d-----w    C:\Program Files\Conceiva
2007-04-22 00:31:19    --------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2007-04-22 00:15:56    --------    d-----w    C:\DOCUME~1\ADMINI~1\APPLIC~1\DMCache
2007-04-20 01:33:52    --------    d-----w    C:\Program Files\Ragdoll Masters
2007-04-18 16:12:23    2,854,400    ----a-w    C:\WINDOWS\system32\msi.dll
2007-04-06 03:40:45    33,952    ----a-w    C:\WINDOWS\system32\drivers\oreans32.sys
2007-04-06 03:23:54    --------    d-----w    C:\Program Files\PremiumSoft
2007-04-06 03:15:51    --------    d-----w    C:\Program Files\MySQL
2007-03-22 00:54:16    77,312    ----a-w    C:\WINDOWS\system32\TWAIN_32.DLL
2007-03-22 00:54:16    69,632    ----a-w    C:\WINDOWS\system32\TWUNK_32.EXE
2007-03-22 00:54:16    48,560    ----a-w    C:\WINDOWS\system32\TWUNK_16.EXE
2007-03-17 13:43:01    292,864    ----a-w    C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28    577,536    ----a-w    C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28    40,960    ----a-w    C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28    281,600    ----a-w    C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48    1,843,584    ----a-w    C:\WINDOWS\system32\win32k.sys
2004-08-04 07:56:49    1,345,536    --sh--r    C:\WINDOWS\system32\.svchost.exe
2005-08-02 21:46:54    187,904    --sha-r    C:\WINDOWS\TW9udHBldGl0\asappsrv.dll
2005-07-29 21:24:26    472    --sha-r    C:\WINDOWS\TW9udHBldGl0\nq6RxJ15x35X.vbs


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}=C:\Program Files\Zero Knowledge\Freedom\pkR.dll [2005-02-11 10:04]
{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll [2005-02-11 10:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8170D7DC-BDD6-461e-88EB-F047257898C9}=C:\Program Files\Conceiva\DownloadStudio\DLMonitr.dll [2005-12-08 21:33]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-17 13:32]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-15 15:50]
"DownloadStudio"="C:\Program Files\Conceiva\DownloadStudio\DownloadStudioScheduleMonitor.exe" [2005-12-08 21:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:34]
"Steam"="C:\Program Files\Steam\Steam.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2005-08-31 21:27]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-11 11:18]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-07 18:24]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 09:59]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"=C:\Program Files\Common Files\Microsoft Shared\Web Components\vupdman.exe
"MSServInst"=C:\Program Files\Common Files\Microsoft Shared\Temp\MswService.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"=0 (0x0)
"Mn@mlrf"=0 (0x0)
"MnOndNeg"=0 (0x0)
"MnQtm"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc    usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-06 12:29:28  C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-05 10:55:42  C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-06 08:29:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

Completion time: 2007-06-06  8:31:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-06 08:31

    --- E O F ---


HijackThis:

CODE
Logfile of HijackThis v1.99.1
Scan saved at 11:45, on 2008-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SoftwareDistribution\Download\8434d48f46ed0f72046e730a838b6254\update\update.exe
C:\Documents and Settings\Administrator\Desktop\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [{F8-84-4C-C2-DW}] c:\windows\system32\rjwnw64s.exe DWmmm01FF
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vagcdinigipymvj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\itqtovdzbujfa.dll"
O4 - HKLM\..\Run: [ALJSADPQ] %systemroot%\ALJSADPQ.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Muchobene] C:\Program Files\Muchobene\Muchobene.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120831551936
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ultjcxux - C:\WINDOWS\SYSTEM32\ultjcxux.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


I still get a few pop-ups (they would come non-stop for a little while when I first booted, which didn't happen before the ComboFix scan) but overall it seems to have done some good.
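The HijackThis log in the post above is read by eye in this thread. As an added example (not part of the original post, and not HijackThis's or ComboFix's own logic), the Python below applies the same kind of triage heuristics a helper uses on O2/O4/O7/O20/O23 lines: autostarts in a Temp directory, Run values that silently register a DLL with regsvr32 /s, random-looking value or file names, a BHO whose "name" is only its DLL path, DisableRegedit=1, Winlogon Notify packages outside a known-good list, and a service whose binary is an NTFS alternate data stream (the svchost.exe:ext.exe case). The sample lines are constructed to mirror entries in the log; the known-good Notify list and the "random name" rule are this example's own assumptions, not a vendor whitelist.

```python
"""Heuristic triage of HijackThis v1.99-style log lines.

Added example for the thread above; not HijackThis code. Sample lines are
constructed from the kinds of entries in the posted log.
"""
from __future__ import annotations
import re

# Assumption: a short list of Winlogon Notify packages shipped by Windows or
# common vendors. Anything outside it is merely "unrecognised", not proven bad.
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "scecli", "crypt32chain", "cryptnet",
                "sclgntfy", "termsrv", "wlballoon", "schedule", "sens"}

TEMP_DIR = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\Temp)\\", re.I)
ADS_PATH = re.compile(r"\.exe:[^\s\\]+", re.I)          # file.exe:streamname
SILENT_REGSVR = re.compile(r"regsvr32\.exe\s+/s\b", re.I)
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def looks_random(name: str) -> bool:
    """Cheap 'keyboard-mash' test: long stem with a 5+ consonant run or digits
    embedded mid-word (jsne87fidgf). Heuristic, so expect some false positives."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    if re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", stem, re.I):
        return True
    return bool(re.search(r"[a-z]\d+[a-z]", stem, re.I))


def triage_line(line: str) -> list[str]:
    """Return the reasons one HijackThis line looks suspicious ([] if none)."""
    m = ENTRY.match(line.strip())
    reasons: list[str] = []
    if not m:
        return reasons
    kind, body = m.group(1), m.group(2)
    if kind == "O4":
        if TEMP_DIR.search(body):
            reasons.append("autostart target lives in a Temp directory")
        if SILENT_REGSVR.search(body):
            reasons.append("Run value silently registers a DLL with regsvr32 /s")
        nm = re.search(r"\[([^\]]+)\]", body)
        if nm and looks_random(nm.group(1)):
            reasons.append("random-looking Run value name")
    elif kind == "O2":
        bm = re.match(r"BHO:\s*(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$", body)
        if bm:
            name, path = bm.group(1).strip(), bm.group(2).strip()
            if name.lower() == path.lower():
                reasons.append("BHO has no display name, only its own DLL path")
            if looks_random(path.split("\\")[-1]):
                reasons.append("BHO DLL has a random-looking filename")
    elif kind == "O7":
        if "DisableRegedit=1" in body:
            reasons.append("policy disables regedit")
    elif kind == "O20":
        wm = re.match(r"Winlogon Notify:\s*(\S+)\s+-", body)
        if wm and wm.group(1).lower() not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify package not in the known-good list")
    elif kind == "O23":
        if ADS_PATH.search(body):
            reasons.append("service binary path is an NTFS alternate data stream")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        r = triage_line(line)
        if r:
            findings[line.strip()] = r
    return findings


# Constructed sample mirroring entries from the posted log (paths unchanged).
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\jsne87fidgf.dll - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jsne87fidgf.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ultjcxux - C:\WINDOWS\SYSTEM32\ultjcxux.dll
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run it against a saved HijackThis log by passing the file contents to `triage()`. The output is a shortlist for a human, not a verdict: the Java updater and the Intel igfxcui entry pass cleanly, while every hit in the sample corresponds to an item the thread's later ComboFix run removed.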
Blade81
Hi

Where did you grab that ComboFix log? It's some old one. Please check root of your c: drive (c:\) for ComboFix.txt file and post back its contents.
Dakilleux
QUOTE(Blade81 @ Nov 15 2008, 01:06 PM)
Hi

Where did you grab that ComboFix log? It's some old one. Please check root of your c: drive (c:\) for ComboFix.txt file and post back its contents.


Strangely, it's not there. My computer would keep on restarting when it was trying to write the log. I thought it was normal. I can't find any recent log in the directory you pointed out.
Blade81
Hi

In that case please download ComboFix.exe again from one of these locations and run it :
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**
Dakilleux
I did what you told me and I'm seeing immediate results! Thank you so far.

ComboFix:

CODE
ComboFix 08-11-17.01 - Administrator 2008-11-18  9:06:59.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.152 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ati0otxx.sys
c:\windows\system32\ultjcxux.dll
c:\windows\system32\ultjcxux32.dll
c:\windows\temp\1043675604.exe
c:\windows\temp\1062898088.exe
c:\windows\temp\1137752732.exe
c:\windows\temp\1230888626.exe
c:\windows\temp\1245042144.exe
c:\windows\temp\1292865538.exe
c:\windows\temp\1300670592.exe
c:\windows\temp\1357531250.exe
c:\windows\temp\1362505596.exe
c:\windows\temp\1373246850.exe
c:\windows\temp\1391085004.exe
c:\windows\temp\1396618986.exe
c:\windows\temp\1406408398.exe
c:\windows\temp\1423726494.exe
c:\windows\temp\1425158288.exe
c:\windows\temp\1438893638.exe
c:\windows\temp\1442203990.exe
c:\windows\temp\1475325542.exe
c:\windows\temp\1497138758.exe
c:\windows\temp\1505652384.exe
c:\windows\temp\1546055902.exe
c:\windows\temp\266757094.exe
c:\windows\temp\2857156702.exe
c:\windows\temp\3499871090.exe
c:\windows\temp\3710499824.exe
c:\windows\temp\374351560.exe
c:\windows\temp\3801291968.exe
c:\windows\temp\3817164236.exe
c:\windows\temp\3862331380.exe
c:\windows\temp\3883646612.exe
c:\windows\temp\3918476020.exe
c:\windows\temp\3929700366.exe
c:\windows\temp\3954842274.exe
c:\windows\temp\3965459828.exe
c:\windows\temp\3974936740.exe
c:\windows\temp\3987720138.exe
c:\windows\temp\3995536086.exe
c:\windows\temp\4011640730.exe
c:\windows\temp\4014326082.exe
c:\windows\temp\4029635134.exe
c:\windows\temp\4060271028.exe
c:\windows\temp\4076055726.exe
c:\windows\temp\4110597870.exe
c:\windows\temp\4110990494.exe
c:\windows\temp\412749064.exe
c:\windows\temp\4209823978.exe
c:\windows\temp\434922222.exe
c:\windows\temp\456706204.exe
c:\windows\temp\501041208.exe
c:\windows\temp\525401866.exe
c:\windows\temp\526560848.exe
c:\windows\temp\556819010.exe
c:\windows\temp\557574606.exe
c:\windows\temp\575507226.exe
c:\windows\temp\576052102.exe
c:\windows\temp\582825322.exe
c:\windows\temp\630830620.exe
c:\windows\temp\642240318.exe
c:\windows\temp\719279014.exe
c:\windows\temp\754446070.exe
.
---- Previous Run -------
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\prun.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\snapsnet.exe
c:\documents and settings\Administrator\Application Data\.#
c:\documents and settings\Administrator\Application Data\.#\MBX@F1C@B048E0.###
c:\documents and settings\Administrator\Application Data\.#\MBX@F1C@B048F0.###
c:\documents and settings\Administrator\Application Data\gadcom
c:\documents and settings\Administrator\Application Data\gadcom\gadcom.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\network monitor
c:\program files\pasystem
c:\program files\pasystem\support.dat
c:\program files\pasystem\Uninstall.exe
c:\program files\wintouch
c:\program files\wintouch\wintouch.cfg
c:\program files\wintouch\WinTouch.exe
c:\program files\wintouch\WTUninstaller.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\ajhmvxvc.dll
c:\windows\system32\awttuRIx.dll
c:\windows\system32\dbdlce.dll
c:\windows\system32\dliqraqu.dll
c:\windows\system32\drivers\345a9342.sys
c:\windows\system32\drivers\ati2puxx.sys
c:\windows\system32\dvmdgyhc.ini
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\efcDTjgh.dll
c:\windows\system32\erukislo.dll
c:\windows\system32\fztand.dll
c:\windows\system32\ghvlsq.dll
c:\windows\system32\gkqqvywd.dll
c:\windows\system32\gxycflnm.dll
c:\windows\system32\hgjTDcfe.ini
c:\windows\system32\hgjTDcfe.ini2
c:\windows\system32\ietffntm.dll
c:\windows\system32\krhdotdm.ini
c:\windows\system32\mderjanr.ini
c:\windows\system32\mdtodhrk.dll
c:\windows\system32\mnlfcyxg.ini
c:\windows\system32\MSINET.oca
c:\windows\system32\mwkhiqii.dll
c:\windows\system32\njcmrdjb.dll
c:\windows\system32\noxpuf.dll
c:\windows\system32\oakusn.dll
c:\windows\system32\pac.txt
c:\windows\system32\rjwnw64s.exe
c:\windows\system32\rnajredm.dll
c:\windows\system32\sbaxwqsu.dll
c:\windows\system32\stcmdc.dll
c:\windows\system32\sxbdmmlu.dll
c:\windows\system32\tvgdmi.dll
c:\windows\system32\ulmmdbxs.ini
c:\windows\system32\ultjcxux.dll
c:\windows\system32\ultjcxux32.dll
c:\windows\system32\uqarqild.ini
c:\windows\system32\vbitdljm.ini
c:\windows\system32\wiqjmefb.dll
c:\windows\system32\xujkbyua.ini
c:\windows\system32\zreoxr.dll
c:\windows\Tasks\bveorfog.job
c:\windows\Tasks\pqemvieo.job
c:\windows\Tasks\uzgghlxp.job
c:\windows\Tasks\zarpnftt.job
c:\windows\Temp\1052639926.exe
c:\windows\Temp\1063152010.exe
c:\windows\Temp\111895004.exe
c:\windows\Temp\1126040768.exe
c:\windows\Temp\1247810122.exe
c:\windows\Temp\1286240924.exe
c:\windows\Temp\1308751730.exe
c:\windows\Temp\1399845568.exe
c:\windows\Temp\1471430785.exe
c:\windows\Temp\1567150251.exe
c:\windows\Temp\162509110.exe
c:\windows\Temp\1635286145.exe
c:\windows\Temp\1895521458.exe
c:\windows\Temp\1940753350.exe
c:\windows\Temp\2154809240.exe
c:\windows\Temp\3422490704.exe
c:\windows\Temp\3430485993.exe
c:\windows\Temp\3528392959.exe
c:\windows\Temp\3621949518.exe
c:\windows\Temp\3648620716.exe
c:\windows\Temp\3950561410.exe
c:\windows\Temp\4041834127.exe
c:\windows\Temp\4130438771.exe
c:\windows\Temp\418526536.exe
c:\windows\Temp\4207251987.exe
c:\windows\Temp\513849842.exe
c:\windows\Temp\576835.exe
c:\windows\Temp\613018719.exe
c:\windows\Temp\700060863.exe
c:\windows\Temp\770228007.exe
c:\windows\Temp\77178006.exe
c:\windows\Temp\806796892.exe
c:\windows\Temp\866884973.exe
c:\windows\Temp\90587729.exe
c:\windows\Temp\956270867.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_cbevtsvc
-------\Legacy_fci
-------\Legacy_icf
-------\Legacy_OREANS32
-------\Legacy_XPROTECTOR
-------\Service_fci
-------\Service_icf
-------\Service_restore
-------\Service_XPROTECTOR
-------\Legacy_ati0otxx
-------\Legacy_ICF
-------\Service_ati0otxx
-------\Service_ICF
-------\Service_restore


(((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18  )))))))))))))))))))))))))))))))
.

2008-11-17 14:24 . 2008-11-17 14:24    <DIR>    d---s----    c:\windows\system32\config\systemprofile\UserData
2008-11-16 19:25 . 2008-11-18 08:56    5,760    --a------    c:\windows\system32\drivers\restore.sys
2008-11-15 11:43 . 2008-11-16 21:27    <DIR>    d--------    c:\windows\system32\CatRoot_bak
2008-11-15 11:13 . 2008-11-15 11:13    29    --a------    c:\windows\system32\pfquriad.tmp
2008-11-11 08:43 . 2008-11-11 08:43    60,928    --ahs----    c:\windows\system32\geBtRiFY.dll
2008-11-09 01:55 . 2008-11-09 01:57    <DIR>    d--------    c:\program files\Hero Editor
2008-11-08 09:47 . 2008-11-14 15:24    77,895    --a------    c:\windows\system32\famsttixlivg.exe
2008-11-08 09:46 . 2008-11-08 09:46    548,928    --a------    c:\windows\system32\qcntqtdl.exe
2008-11-08 09:46 . 2008-11-08 09:46    153,484    --a------    c:\windows\system32\g10.exe
2008-11-08 09:43 . 2008-11-08 09:43    60,928    --ahs----    c:\windows\system32\nnnlmjhe.dll
2008-11-08 01:00 . 2008-11-08 01:00    83,456    --a------    C:\ulakr.exe
2008-11-08 01:00 . 2008-11-08 01:00    79,094    --a------    c:\windows\system32\newitqtbsnlwzaf.exe
2008-11-08 01:00 . 2008-11-08 01:00    77,950    --a------    C:\emqpiguk.exe
2008-11-08 01:00 . 2008-11-08 01:00    20,480    --a------    C:\pqggin.exe
2008-11-08 01:00 . 2008-11-08 01:00    10,000    --a------    c:\windows\system32\jsne87fidgf.dll
2008-11-08 00:59 . 2008-11-08 00:59    <DIR>    d--------    c:\windows\system32\sX3i19
2008-11-08 00:59 . 2008-11-10 18:04    <DIR>    d--------    c:\windows\system32\pg3
2008-11-08 00:59 . 2008-11-08 00:59    <DIR>    d--------    c:\windows\system32\OMS
2008-11-08 00:59 . 2008-11-08 01:01    <DIR>    d--------    c:\windows\system32\emi
2008-11-08 00:59 . 2008-11-08 00:59    <DIR>    d--------    c:\windows\system32\db1
2008-11-08 00:59 . 2008-11-08 00:59    <DIR>    d--------    c:\temp\PRE45
2008-11-08 00:59 . 2008-11-08 00:59    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\NI.GSCNS
2008-11-08 00:59 . 2008-11-08 00:59    368,427    --a------    c:\temp\ueBC85.exe
2008-11-08 00:59 . 2008-11-08 00:59    60,928    --ahs----    c:\windows\system32\geBtQGXN.dll
2008-11-08 00:58 . 2008-11-08 00:58    34,816    --a------    c:\windows\system32\prun.exe
2008-11-07 22:58 . 2008-11-07 22:58    <DIR>    d--------    c:\program files\BestGameEver
2008-11-07 22:13 . 2008-11-07 22:13    <DIR>    d--------    c:\documents and settings\All Users\Application Data\TechSmith
2008-11-07 22:12 . 2008-11-07 22:12    <DIR>    d--------    c:\program files\TechSmith
2008-11-07 22:12 . 2008-11-07 22:12    <DIR>    d--------    c:\program files\Common Files\TechSmith Shared
2008-11-03 22:34 . 2008-11-03 22:34    <DIR>    d--------    c:\documents and settings\Administrator\T_LOKZz
2008-11-03 22:34 . 2008-11-03 22:44    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\Mercenary
2008-11-03 22:33 . 2008-11-17 19:25    <DIR>    d--------    c:\program files\Awesom-O
2008-11-01 04:37 . 2008-11-01 04:37    178,176    --a------    c:\windows\system32\itqtovdzbujfa.dll
2008-10-28 22:28 . 2008-10-28 22:28    <DIR>    d--------    c:\program files\Frets on Fire
2008-10-28 22:28 . 2008-10-28 22:37    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\fretsonfire
2008-10-27 16:04 . 2008-10-27 16:04    54,156    --ah-----    c:\windows\QTFont.qfn
2008-10-27 16:04 . 2008-10-27 16:04    1,409    --a------    c:\windows\QTFont.for
2008-10-24 10:59 . 2008-11-17 19:25    <DIR>    d--------    c:\program files\Diablo II
2008-10-18 13:59 . 2008-10-18 13:59    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\Blender Foundation

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 14:24    ---------    d-----w    c:\program files\Steam
2008-11-18 13:59    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Muchobene
2008-11-18 13:46    ---------    d-----w    c:\program files\XoftSpySE
2008-11-18 04:14    ---------    d-----w    c:\program files\World of Warcraft
2008-11-18 00:33    ---------    d-----w    c:\program files\Common Files\Blizzard Entertainment
2008-11-18 00:27    ---------    d--h--w    c:\program files\InstallShield Installation Information
2008-11-09 06:55    249,856    ------w    c:\windows\Setup1.exe
2008-11-09 06:54    73,216    ----a-w    c:\windows\ST6UNST.EXE
2008-11-08 03:53    ---------    d-----w    c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-04 04:11    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Hamachi
2008-10-27 21:55    ---------    d-----w    c:\program files\mIRC
2008-10-17 12:29    ---------    d-----w    c:\program files\Microsoft Games
2008-10-06 03:09    ---------    d-----w    c:\program files\Freelancer Mod Manager
2008-10-06 02:54    ---------    d-----w    c:\documents and settings\Administrator\Application Data\My Games
2008-10-06 02:51    ---------    d-----w    c:\program files\GameSpy Arcade
2008-10-06 02:36    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Microsoft Games
2008-10-06 02:29    ---------    d-----w    c:\program files\TheUniversal
2008-09-25 16:48    23    ----a-w    c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-08-10 05:23    36    ----a-w    c:\program files\path.ini
2008-07-23 23:18    1,589,248    ----a-w    c:\documents and settings\Administrator\Conquer.exe
2008-07-23 23:13    135,168    ----a-w    c:\documents and settings\Administrator\Chat.dll
2008-07-23 23:13    114,688    ----a-w    c:\documents and settings\Administrator\RoleView.dll
2008-07-23 23:12    102,400    ----a-w    c:\documents and settings\Administrator\GameData.dll
2008-07-23 22:48    4    ----a-w    c:\documents and settings\Administrator\version.dat
2008-07-21 18:16    9,670    ----a-w    c:\documents and settings\Administrator\Server.dat
2008-04-10 23:15    4,162    ----a-w    c:\program files\color1.bmp
2007-04-24 17:03    32    ----a-r    c:\documents and settings\All Users\hash.dat
2007-05-06 04:59    80    --sh--r    c:\windows\system32\CC4A4B8025.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D1AAA0B-CDAD-A423-D17E-D2EA11FA2539}]
2008-10-14 10:39    171520    --a------    c:\windows\system32\hxsqpyvxnwt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE70D443-BF25-AD46-FB94-9E72B798D83C}]
2008-11-01 04:37    178176    --a------    c:\windows\system32\itqtovdzbujfa.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-08-31 1658592]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-11 5288960]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2004-06-15 106571]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Muchobene"="c:\program files\Muchobene\Muchobene.exe" [2008-10-09 651264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-08 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 69705]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-08 34816]
"wyixtmztdjrstadr"="c:\windows\system32\hxsqpyvxnwt.dll" [2008-10-14 171520]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-15 282624]
"vagcdinigipymvj"="c:\windows\system32\itqtovdzbujfa.dll" [2008-11-01 178176]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\counter-strike\\hl.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\MoonEdit\\me.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Python25\\pythonw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27015:TCP"= 27015:TCP:Half Life Server
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader:6112

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-06-12 53760]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe []
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-03-05 33792]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys []
S1 345a9342;345a9342;c:\windows\system32\drivers\345a9342.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AN983.sys [2008-07-04 36224]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ewdmaudn.sys []
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2006-07-11 36644]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2006-07-11 24344]
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd302e80-f0a5-11dc-a201-000c76f47c70}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 c:\windows\Tasks\01 - Paradigm Shift.job
- c:\documents and settings\Administrator\My Documents\My Music\Liquid Tension Experiment\01 - Paradigm Shift.mp3 [2008-07-02 18:36]

2008-09-15 c:\windows\Tasks\03 Time.job
- c:\documents and settings\Administrator\My Documents\My Music\Pink Floyd\The Dark Side of the Moon\03 Time.mp3 [2008-07-26 05:13]

2008-11-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

2008-11-18 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-{F8-84-4C-C2-DW} - c:\windows\system32\rjwnw64s.exe
HKLM-Run-ALJSADPQ - c:\windows\ALJSADPQ.exe
HKLM-Run-Emurayden PSX Emulator - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKLM-Explorer_Run-UpdateManager - c:\program files\Common Files\Microsoft Shared\Web Components\vupdman.exe
HKLM-Explorer_Run-MSServInst - c:\program files\Common Files\Microsoft Shared\Temp\MswService.exe
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Administrator\Application Data\Microsoft\Windows\lsass.exe
ShellExecuteHooks-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - c:\windows\system32\awttuRIx.dll
SafeBoot-ati2puxx.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\20s371xs.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 09:25:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Lsass Service = c:\documents and settings\Administrator\Application Data\Microsoft\Windows\lsass.exe??4?????????????????????????H?H???H???@????

scanning hidden files ...


c:\windows\system32\drivers\RUOUQPPT.sys 180224 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Abiosdsk]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RUOUQPPT]
"ImagePath"="\??\c:\windows\system32\drivers\RUOUQPPT.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2]

.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-18  9:42:05 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt  2008-11-18 14:41:49
ComboFix2.txt  2007-06-06 16:51:53

Pre-Run: 4,775,194,624 bytes free
Post-Run: 4,819,562,496 bytes free

427    --- E O F ---    2008-11-17 22:00:12


HiJackThis
CODE
Logfile of HijackThis v1.99.1
Scan saved at 12:57:47, on 2008-11-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Muchobene\Muchobene.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\Whatever.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/defaultf.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: netupbanner browser enhancer - {2D1AAA0B-CDAD-A423-D17E-D2EA11FA2539} - C:\WINDOWS\system32\hxsqpyvxnwt.dll
O2 - BHO: agadoo browser enhancer - {BE70D443-BF25-AD46-FB94-9E72B798D83C} - C:\WINDOWS\system32\itqtovdzbujfa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vagcdinigipymvj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\itqtovdzbujfa.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Muchobene] C:\Program Files\Muchobene\Muchobene.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\AssistantInternet\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120831551936
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
Blade81
Hi Dakilleux,


If the proxy setting R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local wasn't set by you, start HJT.

Do a system scan, check (if found):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:

CODE
Driver::
345a9342
RUOUQPPT

File::
c:\windows\system32\pfquriad.tmp
c:\windows\system32\geBtRiFY.dll
c:\windows\system32\famsttixlivg.exe
c:\windows\system32\qcntqtdl.exe
c:\windows\system32\g10.exe
c:\windows\system32\nnnlmjhe.dll
C:\ulakr.exe
c:\windows\system32\newitqtbsnlwzaf.exe
C:\emqpiguk.exe
C:\pqggin.exe
c:\windows\system32\jsne87fidgf.dll
c:\temp\ueBC85.exe
c:\windows\system32\geBtQGXN.dll
c:\windows\system32\prun.exe
c:\windows\system32\itqtovdzbujfa.dll
c:\windows\system32\drivers\345a9342.sys
c:\windows\system32\drivers\RUOUQPPT.sys
c:\documents and settings\Administrator\Application Data\Microsoft\Windows\lsass.exe
C:\WINDOWS\system32\hxsqpyvxnwt.dll

Folder::
c:\windows\system32\sX3i19
c:\windows\system32\pg3
c:\windows\system32\OMS
c:\windows\system32\emi
c:\windows\system32\db1
c:\temp\PRE45
c:\documents and settings\Administrator\Application Data\NI.GSCNS

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D1AAA0B-CDAD-A423-D17E-D2EA11FA2539}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE70D443-BF25-AD46-FB94-9E72B798D83C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
"wyixtmztdjrstadr"=-
"vagcdinigipymvj"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
Lsass Service =-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post back its contents, a fresh hjt log and above mentioned ComboFix resultant log.
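The triage Blade81 did on the HijackThis log above (the two random-named BHO DLLs, the two regsvr32 /s autoruns that keep them registered, and an lsass.exe living under Application Data) can be written down as scoring rules and run over the O2/O3/O4 lines. The script below is an added example for this thread; it is not Blade81's code and not anything HijackThis or ComboFix ships. The sample lines are constructed in HJT format from entries on this page (the Policies\Explorer\Run line is rebuilt from the ComboFix "Lsass Service" entry, since HJT no longer listed it once ComboFix had removed it, and IgfxTray is included on purpose to show a genuine entry that trips the name check). The weights, the 3-point threshold and the looks_random() test are my assumptions, not HJT rules.

```python
import re

# Constructed sample in HijackThis O2/O3/O4 format. The lines mirror entries
# from the log in this thread; the Policies\Explorer\Run line is rebuilt in
# the same format from the "Lsass Service" entry that ComboFix reported.
SAMPLE_LOG = r"""
O2 - BHO: netupbanner browser enhancer - {2D1AAA0B-CDAD-A423-D17E-D2EA11FA2539} - C:\WINDOWS\system32\hxsqpyvxnwt.dll
O2 - BHO: agadoo browser enhancer - {BE70D443-BF25-AD46-FB94-9E72B798D83C} - C:\WINDOWS\system32\itqtovdzbujfa.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [wyixtmztdjrstadr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\hxsqpyvxnwt.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vagcdinigipymvj] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\itqtovdzbujfa.dll"
O4 - HKCU\..\Run: [Muchobene] C:\Program Files\Muchobene\Muchobene.exe
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\lsass.exe
"""

# Windows binaries malware likes to impersonate, mapped to a regex fragment for
# the directory under the Windows root where the genuine XP copy lives.
SYSTEM_BINARIES = {
    "smss.exe": r"\\system32", "csrss.exe": r"\\system32",
    "winlogon.exe": r"\\system32", "services.exe": r"\\system32",
    "lsass.exe": r"\\system32", "svchost.exe": r"\\system32",
    "spoolsv.exe": r"\\system32", "explorer.exe": "",
}
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
PATH_RE = re.compile(r'"?([a-zA-Z]:\\[^"]+?\.(?:exe|dll|sys))"?', re.IGNORECASE)
REGSVR_RE = re.compile(r"regsvr32\.exe\s+/s\s", re.IGNORECASE)


def looks_random(name):
    """Cheap pronounceability test (an assumption of this example, not an HJT
    rule): letters-only names of 8+ characters with a four-consonant run, two
    or more rare letters, or almost no vowels are treated as machine-made."""
    s = name.lower()
    if not s.isalpha() or len(s) < 8:
        return False
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    rare = sum(s.count(c) for c in "qxzj")
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return longest_run >= 4 or rare >= 2 or vowel_ratio < 0.2


def entry_name(line):
    """The [value name] of an O4 line, or the display name of an O2/O3 line."""
    m = re.search(r"\[([^\]]+)\]", line)
    if m:
        return m.group(1)
    m = re.search(r"^O\d+ - [^:]+: (.*?) - \{", line)
    return m.group(1) if m else ""


def triage(text):
    """Score each HJT line with weighted indicators; 3 or more is suspicious."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # First pass: DLLs that some autorun force-registers at every logon. A BHO
    # backed by such a DLL is being deliberately kept alive.
    forced = {PATH_RE.findall(l)[-1].lower() for l in lines
              if REGSVR_RE.search(l) and PATH_RE.findall(l)}
    results = []
    for line in lines:
        hits = []
        name = entry_name(line)
        if REGSVR_RE.search(line):
            hits.append((3, "autorun silently re-registers a DLL with regsvr32 /s"))
        if looks_random(name):
            hits.append((1, f"random-looking entry name '{name}'"))
        for path in PATH_RE.findall(line):
            low = path.lower()
            parent, _, base = low.rpartition("\\")
            if looks_random(base.rsplit(".", 1)[0]):
                hits.append((1, f"random-looking file name '{base}'"))
            genuine = SYSTEM_BINARIES.get(base)
            if genuine is not None and not re.fullmatch(r"[a-z]:\\windows" + genuine, parent):
                hits.append((4, f"'{base}' running from outside its genuine location"))
            if any(d in low for d in PROFILE_DIRS):
                hits.append((2, f"executable under a user profile data/temp directory: {path}"))
            if line.startswith("O2") and low in forced:
                hits.append((3, f"BHO DLL '{base}' is also force-registered at logon"))
        results.append({"name": name, "line": line,
                        "score": sum(w for w, _ in hits),
                        "reasons": [why for _, why in hits]})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        if r["score"]:
            tier = "SUSPICIOUS" if r["score"] >= 3 else "check"
            print(f"[{tier}] score {r['score']} {r['name']}: " + "; ".join(r["reasons"]))
```

Name shape on its own is a weak signal, which is why it only adds one point: igfxtray, the genuine Intel graphics helper from the log, trips it and lands in the "check" tier, while prun.exe, which is malicious, scores zero because "prunnet" is pronounceable. Blade81 caught that one from the file date (2008-11-08, a week before the post) in the ComboFix listing, a signal HJT lines do not carry. The cross-line rule is the strong one here: a BHO whose DLL is also re-registered by a Run entry at every logon is being deliberately kept alive, and that pairing is what both regsvr32 /s lines in this log are for.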
Dakilleux
Hi. Here's the log

CODE
ComboFix 08-11-18.02 - Administrator 2008-11-18 16:57:33.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.221 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
c:\documents and settings\Administrator\Application Data\Microsoft\Windows\lsass.exe
C:\emqpiguk.exe
C:\pqggin.exe
c:\temp\ueBC85.exe
C:\ulakr.exe
c:\windows\system32\drivers\345a9342.sys
c:\windows\system32\drivers\RUOUQPPT.sys
c:\windows\system32\famsttixlivg.exe
c:\windows\system32\g10.exe
c:\windows\system32\geBtQGXN.dll
c:\windows\system32\geBtRiFY.dll
c:\windows\system32\hxsqpyvxnwt.dll
c:\windows\system32\itqtovdzbujfa.dll
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\newitqtbsnlwzaf.exe
c:\windows\system32\nnnlmjhe.dll
c:\windows\system32\pfquriad.tmp
c:\windows\system32\prun.exe
c:\windows\system32\qcntqtdl.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\NI.GSCNS
c:\documents and settings\Administrator\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Administrator\Application Data\NI.GSCNS\IUpd721.exe
c:\documents and settings\Administrator\Application Data\NI.GSCNS\settings.ini
C:\emqpiguk.exe
C:\pqggin.exe
c:\temp\PRE45
c:\temp\ueBC85.exe
C:\ulakr.exe
c:\windows\system32\db1
c:\windows\system32\db1\ZVRE2I25.exe
c:\windows\system32\drivers\RUOUQPPT.sys
c:\windows\system32\emi
c:\windows\system32\famsttixlivg.exe
c:\windows\system32\g10.exe
c:\windows\system32\geBtQGXN.dll
c:\windows\system32\geBtRiFY.dll
c:\windows\system32\hxsqpyvxnwt.dll
c:\windows\system32\itqtovdzbujfa.dll
c:\windows\system32\jsne87fidgf.dll
c:\windows\system32\newitqtbsnlwzaf.exe
c:\windows\system32\nnnlmjhe.dll
c:\windows\system32\OMS
c:\windows\system32\OMS\NLIP56v.exe
c:\windows\system32\pfquriad.tmp
c:\windows\system32\pg3
c:\windows\system32\prun.exe
c:\windows\system32\qcntqtdl.exe
c:\windows\system32\sX3i19
c:\windows\system32\sX3i19\sX3i191065.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUOUQPPT
-------\Service_345a9342
-------\Service_RUOUQPPT


(((((((((((((((((((((((((   Files Created from 2008-10-18 to 2008-11-18  )))))))))))))))))))))))))))))))
.

2008-11-17 14:24 . 2008-11-17 14:24    <DIR>    d---s----    c:\windows\system32\config\systemprofile\UserData
2008-11-16 19:25 . 2008-11-18 08:56    5,760    --a------    c:\windows\system32\drivers\restore.sys
2008-11-15 11:43 . 2008-11-16 21:27    <DIR>    d--------    c:\windows\system32\CatRoot_bak
2008-11-15 11:42 . 2008-06-13 08:10    272,128    -----c---    c:\windows\system32\dllcache\bthport.sys
2008-11-15 11:42 . 2008-08-14 04:51    138,368    -----c---    c:\windows\system32\dllcache\afd.sys
2008-11-15 11:23 . 2008-05-01 09:30    331,776    -----c---    c:\windows\system32\dllcache\msadce.dll
2008-11-15 11:17 . 2008-09-04 11:42    1,106,944    --a------    c:\windows\system32\SET59.tmp
2008-11-15 11:16 . 2008-10-15 11:57    332,800    --a------    c:\windows\system32\SET5F.tmp
2008-11-09 01:55 . 2008-11-09 01:57    <DIR>    d--------    c:\program files\Hero Editor
2008-11-07 22:58 . 2008-11-07 22:58    <DIR>    d--------    c:\program files\BestGameEver
2008-11-07 22:13 . 2008-11-07 22:13    <DIR>    d--------    c:\documents and settings\All Users\Application Data\TechSmith
2008-11-07 22:12 . 2008-11-07 22:12    <DIR>    d--------    c:\program files\TechSmith
2008-11-07 22:12 . 2008-11-07 22:12    <DIR>    d--------    c:\program files\Common Files\TechSmith Shared
2008-11-03 22:34 . 2008-11-03 22:34    <DIR>    d--------    c:\documents and settings\Administrator\T_LOKZz
2008-11-03 22:34 . 2008-11-03 22:44    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\Mercenary
2008-11-03 22:33 . 2008-11-17 19:25    <DIR>    d--------    c:\program files\Awesom-O
2008-10-28 22:28 . 2008-10-28 22:28    <DIR>    d--------    c:\program files\Frets on Fire
2008-10-28 22:28 . 2008-10-28 22:37    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\fretsonfire
2008-10-27 16:04 . 2008-10-27 16:04    54,156    --ah-----    c:\windows\QTFont.qfn
2008-10-27 16:04 . 2008-10-27 16:04    1,409    --a------    c:\windows\QTFont.for
2008-10-24 10:59 . 2008-11-17 19:25    <DIR>    d--------    c:\program files\Diablo II
2008-10-18 13:59 . 2008-10-18 13:59    <DIR>    d--------    c:\documents and settings\Administrator\Application Data\Blender Foundation

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 21:44    ---------    d-----w    c:\program files\World of Warcraft
2008-11-18 14:25    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Muchobene
2008-11-18 14:24    ---------    d-----w    c:\program files\Steam
2008-11-18 13:46    ---------    d-----w    c:\program files\XoftSpySE
2008-11-18 00:33    ---------    d-----w    c:\program files\Common Files\Blizzard Entertainment
2008-11-18 00:27    ---------    d--h--w    c:\program files\InstallShield Installation Information
2008-11-09 06:55    249,856    ------w    c:\windows\Setup1.exe
2008-11-09 06:54    73,216    ----a-w    c:\windows\ST6UNST.EXE
2008-11-08 03:53    ---------    d-----w    c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-04 04:11    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Hamachi
2008-10-27 21:55    ---------    d-----w    c:\program files\mIRC
2008-10-24 11:10    453,632    ----a-w    c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 12:29    ---------    d-----w    c:\program files\Microsoft Games
2008-10-06 03:09    ---------    d-----w    c:\program files\Freelancer Mod Manager
2008-10-06 02:54    ---------    d-----w    c:\documents and settings\Administrator\Application Data\My Games
2008-10-06 02:51    ---------    d-----w    c:\program files\GameSpy Arcade
2008-10-06 02:36    ---------    d-----w    c:\documents and settings\Administrator\Application Data\Microsoft Games
2008-10-06 02:29    ---------    d-----w    c:\program files\TheUniversal
2008-09-25 16:48    23    ----a-w    c:\documents and settings\Administrator\jagex_runescape_preferences.dat
2008-08-10 05:23    36    ----a-w    c:\program files\path.ini
2008-07-23 23:18    1,589,248    ----a-w    c:\documents and settings\Administrator\Conquer.exe
2008-07-23 23:13    135,168    ----a-w    c:\documents and settings\Administrator\Chat.dll
2008-07-23 23:13    114,688    ----a-w    c:\documents and settings\Administrator\RoleView.dll
2008-07-23 23:12    102,400    ----a-w    c:\documents and settings\Administrator\GameData.dll
2008-07-23 22:48    4    ----a-w    c:\documents and settings\Administrator\version.dat
2008-07-21 18:16    9,670    ----a-w    c:\documents and settings\Administrator\Server.dat
2008-04-10 23:15    4,162    ----a-w    c:\program files\color1.bmp
2007-04-24 17:03    32    ----a-r    c:\documents and settings\All Users\hash.dat
2007-05-06 04:59    80    --sh--r    c:\windows\system32\CC4A4B8025.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-11-18_ 9.40.55.04   )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-04 10:40:05    72,704    ----a-w    c:\windows\$hf_mig$\KB925720\SP2QFE\magnify.exe
+ 2006-10-04 10:40:06    53,760    ----a-w    c:\windows\$hf_mig$\KB925720\SP2QFE\narrator.exe
+ 2006-10-04 10:40:06    215,552    ----a-w    c:\windows\$hf_mig$\KB925720\SP2QFE\osk.exe
+ 2006-10-04 14:05:57    35,840    ----a-w    c:\windows\$hf_mig$\KB925720\SP2QFE\umandlg.dll
+ 2006-10-04 10:40:06    50,176    ----a-w    c:\windows\$hf_mig$\KB925720\SP2QFE\utilman.exe
+ 2005-10-12 23:16:49    14,048    ----a-w    c:\windows\$hf_mig$\KB925720\spmsg.dll
+ 2005-10-12 23:16:49    213,216    ----a-w    c:\windows\$hf_mig$\KB925720\spuninst.exe
+ 2005-10-12 23:16:49    22,752    ----a-w    c:\windows\$hf_mig$\KB925720\update\spcustom.dll
+ 2005-10-12 23:16:51    716,000    ----a-w    c:\windows\$hf_mig$\KB925720\update\update.exe
+ 2005-10-12 23:16:56    371,424    ----a-w    c:\windows\$hf_mig$\KB925720\update\updspapi.dll
+ 2007-12-18 14:32:13    450,560    ----a-w    c:\windows\$hf_mig$\KB944338-v2\SP2QFE\jscript.dll
+ 2007-12-18 14:32:13    417,792    ----a-w    c:\windows\$hf_mig$\KB944338-v2\SP2QFE\vbscript.dll
+ 2007-03-06 01:22:36    14,048    ----a-w    c:\windows\$hf_mig$\KB944338-v2\spmsg.dll
+ 2007-03-06 01:22:41    213,216    ----a-w    c:\windows\$hf_mig$\KB944338-v2\spuninst.exe
+ 2007-03-06 01:22:34    22,752    ----a-w    c:\windows\$hf_mig$\KB944338-v2\update\spcustom.dll
+ 2007-03-06 01:22:59    716,000    ----a-w    c:\windows\$hf_mig$\KB944338-v2\update\update.exe
+ 2007-03-06 01:23:51    371,424    ----a-w    c:\windows\$hf_mig$\KB944338-v2\update\updspapi.dll
+ 2008-07-07 20:06:43    253,952    ----a-w    c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
+ 2008-07-07 20:26:58    253,952    ----a-w    c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
+ 2008-07-07 20:23:18    253,952    ----a-w    c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
+ 2007-11-30 12:39:22    17,272    ----a-w    c:\windows\$hf_mig$\KB950974\spmsg.dll
+ 2007-11-30 12:39:22    231,288    ----a-w    c:\windows\$hf_mig$\KB950974\spuninst.exe
+ 2007-11-30 12:39:22    26,488    ----a-w    c:\windows\$hf_mig$\KB950974\update\spcustom.dll
+ 2007-11-30 12:39:18    755,576    ----a-w    c:\windows\$hf_mig$\KB950974\update\update.exe
+ 2007-11-30 12:39:19    382,840    ----a-w    c:\windows\$hf_mig$\KB950974\update\updspapi.dll
+ 2008-07-14 11:03:00    62,976    ----a-w    c:\windows\$hf_mig$\KB951072-v2\SP2QFE\tzchange.exe
+ 2008-07-11 12:42:28    62,976    ----a-w    c:\windows\$hf_mig$\KB951072-v2\SP3GDR\tzchange.exe
+ 2008-07-11 12:51:51    62,976    ----a-w    c:\windows\$hf_mig$\KB951072-v2\SP3QFE\tzchange.exe
+ 2007-11-30 11:18:51    17,272    ----a-w    c:\windows\$hf_mig$\KB951072-v2\spmsg.dll
+ 2007-11-30 11:18:51    231,288    ----a-w    c:\windows\$hf_mig$\KB951072-v2\spuninst.exe
+ 2007-11-30 11:18:51    26,488    ----a-w    c:\windows\$hf_mig$\KB951072-v2\update\spcustom.dll
+ 2007-11-30 12:39:22    755,576    ----a-w    c:\windows\$hf_mig$\KB951072-v2\update\update.exe
+ 2007-11-30 12:39:22    382,840    ----a-w    c:\windows\$hf_mig$\KB951072-v2\update\updspapi.dll
+ 2008-05-07 04:55:40    1,288,192    ----a-w    c:\windows\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:12:40    1,288,192    ----a-w    c:\windows\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:15    1,288,192    ----a-w    c:\windows\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:51    17,272    ----a-w    c:\windows\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:51    231,288    ----a-w    c:\windows\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:51    26,488    ----a-w    c:\windows\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:22    755,576    ----a-w    c:\windows\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:22    382,840    ----a-w    c:\windows\$hf_mig$\KB951698\update\updspapi.dll
+ 2008-06-24 16:28:00    74,240    ----a-w    c:\windows\$hf_mig$\KB952954\SP2QFE\mscms.dll
+ 2008-06-24 16:43:16    74,240    ----a-w    c:\windows\$hf_mig$\KB952954\SP3GDR\mscms.dll
+ 2008-06-24 16:53:10    74,240    ----a-w    c:\windows\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22    17,272    ----a-w    c:\windows\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22    231,288    ----a-w    c:\windows\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22    26,488    ----a-w    c:\windows\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22    755,576    ----a-w    c:\windows\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22    382,840    ----a-w    c:\windows\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-08-20 05:30:53    3,067,904    ----a-w    c:\windows\$hf_mig$\KB956390\SP3GDR\mshtml.dll
+ 2008-08-20 05:30:51    1,499,136    ----a-w    c:\windows\$hf_mig$\KB956390\SP3GDR\shdocvw.dll
+ 2008-08-20 05:30:52    619,520    ----a-w    c:\windows\$hf_mig$\KB956390\SP3GDR\urlmon.dll
+ 2008-08-20 05:30:51    666,112    ----a-w    c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
+ 2008-08-20 04:58:54    3,067,904    ----a-w    c:\windows\$hf_mig$\KB956390\SP3QFE\mshtml.dll
+ 2008-08-20 04:58:47    1,499,136    ----a-w    c:\windows\$hf_mig$\KB956390\SP3QFE\shdocvw.dll
+ 2008-08-20 04:58:50    620,032    ----a-w    c:\windows\$hf_mig$\KB956390\SP3QFE\urlmon.dll
+ 2008-08-20 04:58:48    666,624    ----a-w    c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
+ 2007-11-30 11:18:51    17,272    ----a-w    c:\windows\$hf_mig$\KB956390\spmsg.dll
+ 2007-11-30 11:18:51    231,288    ----a-w    c:\windows\$hf_mig$\KB956390\spuninst.exe
+ 2007-11-30 11:18:51    26,488    ----a-w    c:\windows\$hf_mig$\KB956390\update\spcustom.dll
+ 2007-11-30 12:39:22    755,576    ----a-w    c:\windows\$hf_mig$\KB956390\update\update.exe
+ 2007-11-30 12:39:22    382,840    ----a-w    c:\windows\$hf_mig$\KB956390\update\updspapi.dll
+ 2008-06-13 13:10:50    272,128    ------w    c:\windows\Driver Cache\i386\bthport.sys
- 2006-05-05 09:41:45    453,120    ------w    c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-10-24 11:10:42    453,632    ------w    c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-18 22:11:43    2,176    ----a-w    c:\windows\SoftwareDistribution\EventCache\{E75E5912-990E-4584-AD62-25AF19D2C5E6}.bin
+ 2007-03-08 13:47:48    1,843,584    ------w    c:\windows\system32\_000006_.tmp.dll
- 2007-06-15 08:12:28    1,022,976    ----a-w    c:\windows\system32\browseui.dll
+ 2008-08-20 05:33:19    1,024,000    ----a-w    c:\windows\system32\browseui.dll
- 2007-06-15 08:12:28    151,040    ----a-w    c:\windows\system32\cdfview.dll
+ 2008-08-20 05:33:17    151,040    ----a-w    c:\windows\system32\cdfview.dll
- 2007-06-15 08:12:28    1,054,208    ----a-w    c:\windows\system32\danim.dll
+ 2008-08-20 05:33:18    1,054,208    ----a-w    c:\windows\system32\danim.dll
- 2007-06-15 08:12:28    1,022,976    -c----w    c:\windows\system32\dllcache\browseui.dll
+ 2008-08-20 05:33:19    1,024,000    -c----w    c:\windows\system32\dllcache\browseui.dll
- 2007-06-15 08:12:28    151,040    -c----w    c:\windows\system32\dllcache\cdfview.dll
+ 2008-08-20 05:33:17    151,040    -c----w    c:\windows\system32\dllcache\cdfview.dll
- 2007-06-15 08:12:28    1,054,208    -c----w    c:\windows\system32\dllcache\danim.dll
+ 2008-08-20 05:33:18    1,054,208    -c----w    c:\windows\system32\dllcache\danim.dll
- 2007-06-15 08:12:28    357,888    -c----w    c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-08-20 05:33:18    357,888    -c----w    c:\windows\system32\dllcache\dxtmsft.dll
- 2007-06-15 08:12:28    205,824    -c----w    c:\windows\system32\dllcache\dxtrans.dll
+ 2008-08-20 05:33:18    205,312    -c----w    c:\windows\system32\dllcache\dxtrans.dll
+ 2008-07-07 20:32:22    253,952    -c----w    c:\windows\system32\dllcache\es.dll
- 2007-06-15 08:12:28    55,808    -c----w    c:\windows\system32\dllcache\extmgr.dll
+ 2008-08-20 05:33:18    55,808    -c----w    c:\windows\system32\dllcache\extmgr.dll
- 2007-06-14 10:32:36    18,432    -c----w    c:\windows\system32\dllcache\iedw.exe
+ 2008-08-19 09:38:57    18,432    -c----w    c:\windows\system32\dllcache\iedw.exe
- 2007-06-15 08:12:28    251,904    -c----w    c:\windows\system32\dllcache\iepeers.dll
+ 2008-08-20 05:33:18    251,904    -c----w    c:\windows\system32\dllcache\iepeers.dll
- 2007-05-16 15:12:02    683,520    -c----w    c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43    683,520    -c----w    c:\windows\system32\dllcache\inetcomm.dll
- 2007-06-15 08:12:28    96,256    -c----w    c:\windows\system32\dllcache\inseng.dll
+ 2008-08-20 05:33:18    96,256    -c----w    c:\windows\system32\dllcache\inseng.dll
- 2006-05-18 05:24:25    450,560    -c----w    c:\windows\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58    450,560    -c----w    c:\windows\system32\dllcache\jscript.dll
- 2007-06-15 08:12:28    16,384    -c----w    c:\windows\system32\dllcache\jsproxy.dll
+ 2008-08-20 05:33:19    16,384    -c----w    c:\windows\system32\dllcache\jsproxy.dll
+ 2006-10-04 08:48:36    72,704    -c----w    c:\windows\system32\dllcache\magnify.exe
- 2006-05-05 09:41:45    453,120    -c----w    c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-10-24 11:10:42    453,632    -c----w    c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-06-24 16:23:05    74,240    -c----w    c:\windows\system32\dllcache\mscms.dll
- 2007-06-15 08:12:29    3,064,320    -c----w    c:\windows\system32\dllcache\mshtml.dll
+ 2008-08-20 05:33:20    3,067,392    -c----w    c:\windows\system32\dllcache\mshtml.dll
- 2007-06-15 08:12:29    449,024    -c----w    c:\windows\system32\dllcache\mshtmled.dll
+ 2008-08-20 05:33:19    449,024    -c----w    c:\windows\system32\dllcache\mshtmled.dll
- 2007-06-15 08:12:29    146,432    -c----w    c:\windows\system32\dllcache\msrating.dll
+ 2008-08-20 05:33:18    146,432    -c----w    c:\windows\system32\dllcache\msrating.dll
- 2007-06-15 08:12:29    532,480    -c----w    c:\windows\system32\dllcache\mstime.dll
+ 2008-08-20 05:33:18    532,480    -c----w    c:\windows\system32\dllcache\mstime.dll
- 2007-06-26 06:08:16    1,104,896    -c----w    c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02    1,106,944    -c----w    c:\windows\system32\dllcache\msxml3.dll
+ 2006-10-04 08:48:36    53,760    -c----w    c:\windows\system32\dllcache\narrator.exe
- 2006-08-17 12:28:27    332,288    -c----w    c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55    332,800    -c----w    c:\windows\system32\dllcache\netapi32.dll
+ 2006-10-04 08:48:37    215,552    -c----w    c:\windows\system32\dllcache\osk.exe
- 2007-06-15 08:12:29    39,424    -c----w    c:\windows\system32\dllcache\pngfilt.dll
+ 2008-08-20 05:33:18    39,424    -c----w    c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-07 05:18:48    1,287,680    -c----w    c:\windows\system32\dllcache\quartz.dll
- 2006-07-13 08:48:58    202,240    -c--a-w    c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49    202,752    -c--a-w    c:\windows\system32\dllcache\rmcast.sys
- 2007-06-15 08:12:30    1,498,112    -c----w    c:\windows\system32\dllcache\shdocvw.dll
+ 2008-08-20 05:33:19    1,499,136    -c----w    c:\windows\system32\dllcache\shdocvw.dll
- 2007-06-15 08:12:30    474,112    -c----w    c:\windows\system32\dllcache\shlwapi.dll
+ 2008-08-20 05:33:19    474,112    -c----w    c:\windows\system32\dllcache\shlwapi.dll
- 2006-08-14 10:34:41    332,928    -c----w    c:\windows\system32\dllcache\srv.sys
+ 2008-08-28 10:04:17    333,056    -c----w    c:\windows\system32\dllcache\srv.sys
+ 2006-10-04 13:33:38    35,840    -c----w    c:\windows\system32\dllcache\umandlg.dll
- 2007-06-15 08:12:30    616,960    -c----w    c:\windows\system32\dllcache\urlmon.dll
+ 2008-08-20 05:33:19    619,008    -c----w    c:\windows\system32\dllcache\urlmon.dll
+ 2006-10-04 08:48:37    50,176    -c----w    c:\windows\system32\dllcache\utilman.exe
+ 2007-12-18 14:40:58    417,792    -c----w    c:\windows\system32\dllcache\vbscript.dll
- 2007-03-08 13:47:48    1,843,584    -c----w    c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41    1,846,016    -c----w    c:\windows\system32\dllcache\win32k.sys
- 2007-06-26 14:35:54    665,600    -c----w    c:\windows\system32\dllcache\wininet.dll
+ 2008-08-20 05:33:19    667,648    -c----w    c:\windows\system32\dllcache\wininet.dll
- 2006-10-19 01:47:18    222,208    -c--a-w    c:\windows\system32\dllcache\WMASF.dll
+ 2007-10-27 22:40:30    222,720    -c--a-w    c:\windows\system32\dllcache\wmasf.dll
- 2004-08-04 06:14:14    138,496    ----a-w    c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43    138,368    ----a-w    c:\windows\system32\drivers\afd.sys
- 2004-08-04 06:10:37    274,304    ------w    c:\windows\system32\drivers\bthport.sys
+ 2008-06-13 13:10:50    272,128    ------w    c:\windows\system32\drivers\bthport.sys
- 2006-07-13 08:48:58    202,240    ----a-w    c:\windows\system32\drivers\rmcast.sys
+ 2008-05-08 12:28:49    202,752    ----a-w    c:\windows\system32\drivers\rmcast.sys
- 2006-08-14 10:34:41    332,928    ----a-w    c:\windows\system32\drivers\srv.sys
+ 2008-08-28 10:04:17    333,056    ----a-w    c:\windows\system32\drivers\srv.sys
- 2007-06-15 08:12:28    357,888    ----a-w    c:\windows\system32\dxtmsft.dll
+ 2008-08-20 05:33:18    357,888    ----a-w    c:\windows\system32\dxtmsft.dll
- 2007-06-15 08:12:28    205,824    ----a-w    c:\windows\system32\dxtrans.dll
+ 2008-08-20 05:33:18    205,312    ----a-w    c:\windows\system32\dxtrans.dll
- 2007-06-15 08:12:28    55,808    ----a-w    c:\windows\system32\extmgr.dll
+ 2008-08-20 05:33:18    55,808    ----a-w    c:\windows\system32\extmgr.dll
- 2008-11-08 06:03:37    1,548,016    ----a-w    c:\windows\system32\FNTCACHE.DAT
+ 2008-11-18 22:14:57    1,548,016    ----a-w    c:\windows\system32\FNTCACHE.DAT
- 2007-06-15 08:12:28    251,904    ----a-w    c:\windows\system32\iepeers.dll
+ 2008-08-20 05:33:18    251,904    ----a-w    c:\windows\system32\iepeers.dll
- 2007-05-16 15:12:02    683,520    ----a-w    c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43    683,520    ----a-w    c:\windows\system32\inetcomm.dll
- 2007-06-15 08:12:28    96,256    ----a-w    c:\windows\system32\inseng.dll
+ 2008-08-20 05:33:18    96,256    ----a-w    c:\windows\system32\inseng.dll
- 2007-06-15 08:12:28    16,384    ----a-w    c:\windows\system32\jsproxy.dll
+ 2008-08-20 05:33:19    16,384    ----a-w    c:\windows\system32\jsproxy.dll
- 2004-08-04 07:56:50    72,704    ----a-w    c:\windows\system32\magnify.exe
+ 2006-10-04 08:48:36    72,704    ----a-w    c:\windows\system32\magnify.exe
- 2007-06-15 08:12:29    449,024    ----a-w    c:\windows\system32\mshtmled.dll
+ 2008-08-20 05:33:19    449,024    ----a-w    c:\windows\system32\mshtmled.dll
- 2007-06-15 08:12:29    146,432    ----a-w    c:\windows\system32\msrating.dll
+ 2008-08-20 05:33:18    146,432    ----a-w    c:\windows\system32\msrating.dll
- 2007-06-15 08:12:29    532,480    ----a-w    c:\windows\system32\mstime.dll
+ 2008-08-20 05:33:18    532,480    ----a-w    c:\windows\system32\mstime.dll
- 2004-08-04 07:56:54    53,760    ----a-w    c:\windows\system32\narrator.exe
+ 2006-10-04 08:48:36    53,760    ----a-w    c:\windows\system32\narrator.exe
- 2004-08-04 07:56:55    215,552    ----a-w    c:\windows\system32\osk.exe
+ 2006-10-04 08:48:37    215,552    ----a-w    c:\windows\system32\osk.exe
- 2007-06-15 08:12:29    39,424    ----a-w    c:\windows\system32\pngfilt.dll
+ 2008-08-20 05:33:18    39,424    ----a-w    c:\windows\system32\pngfilt.dll
- 2005-08-30 03:54:26    1,287,168    ----a-w    c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48    1,287,680    ----a-w    c:\windows\system32\quartz.dll
- 2006-10-16 20:10:58    14,640    ----a-w    c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51    17,272    ------w    c:\windows\system32\spmsg.dll
- 2007-01-29 08:58:06    60,416    ----a-w    c:\windows\system32\tzchange.exe
+ 2008-07-14 11:09:18    62,976    ----a-w    c:\windows\system32\tzchange.exe
- 2004-08-04 07:56:46    35,840    ----a-w    c:\windows\system32\umandlg.dll
+ 2006-10-04 13:33:38    35,840    ----a-w    c:\windows\system32\umandlg.dll
- 2004-08-04 07:56:57    50,176    ----a-w    c:\windows\system32\utilman.exe
+ 2006-10-04 08:48:37    50,176    ----a-w    c:\windows\system32\utilman.exe
- 2004-08-04 07:56:46    417,792    ----a-w    c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58    417,792    ----a-w    c:\windows\system32\vbscript.dll
- 2007-03-08 13:47:48    1,843,584    ----a-w    c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41    1,846,016    ----a-w    c:\windows\system32\win32k.sys
- 2006-10-19 01:47:18    222,208    ----a-w    c:\windows\system32\wmasf.dll
+ 2007-10-27 22:40:30    222,720    ----a-w    c:\windows\system32\wmasf.dll
- 2006-10-19 01:47:20    295,936    ----a-w    c:\windows\system32\wmpeffects.dll
+ 2008-06-24 23:12:58    295,936    ----a-w    c:\windows\system32\wmpeffects.dll
+ 2008-04-15 17:54:19    1,724,416    ----a-w    c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2005-08-31 1658592]
"Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe" [2007-01-11 5288960]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2004-06-15 106571]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Muchobene"="c:\program files\Muchobene\Muchobene.exe" [2008-10-09 651264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 339968]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 69705]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-15 282624]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\counter-strike\\hl.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Steam\\steamapps\\2139035345435\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\MoonEdit\\me.exe"=
"c:\\Program Files\\MAIET\\Gunz\\GunzLauncher.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Python25\\pythonw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27015:TCP"= 27015:TCP:Half Life Server
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader:6112

R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-06-12 53760]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe []
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-03-05 33792]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys []
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AN983.sys [2008-07-04 36224]
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ewdmaudn.sys []
S3 RapFile;RapFile;\??\c:\windows\system32\drivers\RapFile.sys [2006-07-11 36644]
S3 RapNet;RapNet;\??\c:\windows\system32\drivers\RapNet.sys [2006-07-11 24344]
S4 hpt3xx;hpt3xx; []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd302e80-f0a5-11dc-a201-000c76f47c70}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 c:\windows\Tasks\01 - Paradigm Shift.job
- c:\documents and settings\Administrator\My Documents\My Music\Liquid Tension Experiment\01 - Paradigm Shift.mp3 [2008-07-02 18:36]

2008-09-15 c:\windows\Tasks\03 Time.job
- c:\documents and settings\Administrator\My Documents\My Music\Pink Floyd\The Dark Side of the Moon\03 Time.mp3 [2008-07-26 05:13]

2008-11-18 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]

2008-11-18 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 17:18:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Command Software\dvpapi.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-11-18 17:35:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-18 22:35:40
ComboFix2.txt  2008-11-18 14:42:07
ComboFix3.txt  2007-06-06 16:51:53

Pre-Run: 2,179,006,464 bytes free
Post-Run: 1,997,283,328 bytes free

436    --- E O F ---    2008-11-17 22:00:12


I'm about to do the rest.
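The service/driver lines (`R1`, `S0`, `S3` ...) and the Run-key and Security Center entries in the log above are what a helper reads first. The block below is an added example for this thread, not part of the original post and not ComboFix's own code. It parses those three line formats and applies a few generic triage heuristics: an image with no recorded date/size (ComboFix prints empty brackets when it could not stat the file, which usually means it is missing or hidden), an image under a Temp or user-profile directory, a boot/system-start driver whose image cannot be verified, and a Security Center override value. The heuristics and the `BAD_LOCATION` pattern are assumptions of the example; the sample lines are copied from the log above. The result is a list for a human to review, not a verdict on any entry.

```python
"""Triage heuristics for ComboFix service, Run-key and Security Center lines.
Added example for this thread; not part of the original post and not
ComboFix's own code.  Flags are heuristics for review, not malware verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ComboFix service line:  <R|S><start> <name>;<display>;<image path> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# Run-key value line:     "name"="path" [<date> <size>]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
# Security Center override values that silence the AV/firewall warnings
OVERRIDE_RE = re.compile(
    r'^"(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|FirewallDisableNotify)"=dword:0*1$')
# Assumed heuristic: directories where a driver or autorun image is a red flag
BAD_LOCATION = re.compile(r"\\(temp|locals~1|local settings|desktop|recycler)\\", re.I)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_meta(meta: str) -> Tuple[Optional[str], Optional[int]]:
    """'2008-06-12 53760' -> ('2008-06-12', 53760); '' -> (None, None)."""
    parts = meta.split()
    return (parts[0], int(parts[1])) if len(parts) == 2 else (None, None)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing looks off."""
    reasons: List[str] = []
    m = SERVICE_RE.match(line)
    if m:
        _state, start, _name, _display, path, meta = m.groups()
        path = path.replace("\\??\\", "")      # strip the NT object-manager prefix
        date, _size = parse_meta(meta)
        if not path:
            reasons.append("service has no image path")
        elif date is None:
            # Empty brackets: ComboFix could not stat the image, so it is
            # usually missing from disk (or hidden from the scanner).
            reasons.append("image has no date/size (missing or unreadable)")
        if BAD_LOCATION.search(path):
            reasons.append("image lives in a temp/profile directory")
        if start in "01" and date is None and path:
            reasons.append("boot/system-start driver whose image cannot be verified")
    m = RUN_RE.match(line)
    if m:
        _name, path, meta = m.groups()
        date, _size = parse_meta(meta)
        if BAD_LOCATION.search(path):
            reasons.append("autorun from a temp/profile directory")
        if date is None:
            reasons.append("autorun target has no date/size (missing file)")
    if OVERRIDE_RE.match(line):
        reasons.append("Security Center override set: AV/firewall status warnings suppressed")
    return Finding(line, reasons) if reasons else None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log section."""
    return [f for f in (triage_line(l.strip()) for l in log.splitlines()) if f]


# Sample input: lines copied from the ComboFix log in this thread
SAMPLE = r'''
"AntiVirusOverride"=dword:00000001
"Steam"="c:\program files\steam\steam.exe" [2008-10-08 1410296]
R1 SSHDRV76;SSHDRV76;\??\c:\windows\system32\drivers\SSHDRV76.sys [2008-06-12 53760]
S0 black;black;c:\windows\system32\drivers\BlackDrv.sys []
S3 ewdmaudn;ewdmaudn;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\ewdmaudn.sys []
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AN983.sys [2008-07-04 36224]
S4 hpt3xx;hpt3xx; []
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run it on the pasted section and the clean entries (SSHDRV76, AN983, the Steam Run value) drop out, leaving the override value, the two drivers with empty brackets and the empty `hpt3xx` service for a helper to look at; which of those are harmless leftovers and which are not is still a judgement call.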
Blade81
Ok. Shall come back to this when you've got other reports ready.
Blade81
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
Invision Power Board © 2001-2010 Invision Power Services, Inc.