http://www.daniweb.com/forums/thread83821.html

Updated HiJack Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:59 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.248.254.11:8080
O1 - Hosts: http://imran.org/images/other/webscr.php paypal.com
O1 - Hosts: http://imran.org/images/other/webscr.php www.paypal.com
O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\mscorews.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\mpcodecplg.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100805643683
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

--
End of file - 5484 bytes

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: mscorews - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\mscorews.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\mpcodecplg.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\mscorews.dll
C:\WINDOWS\mpcodecplg.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

C:\WINDOWS\system32\mscorews.dll
C:\WINDOWS\mpcodecplg.dll

These files were not present. I did the fix as you instructed, but I think the ads are still present. It's difficult to tell what is supposed to be on the page and what isn't.
I'm running another ewido scan to see if it finds anything as it had before.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:22:39 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\anyuser\Desktop\Anti-Spyware\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.248.254.11:8080
O1 - Hosts: http://imran.org/images/other/webscr.php paypal.com
O1 - Hosts: http://imran.org/images/other/webscr.php www.paypal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100805643683
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

--
End of file - 5407 bytes

You are still running the Beta version. Please uninstall it.

==

Download
SDFix
and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the
following :

• Restart your computer
• After hearing your computer beep once during startup, but before the
  Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• In Safe Mode, right click the SDFix.zip folder and choose Extract
  All,
• Open the extracted folder and double click RunThis.bat to
  start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the
  registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer that normal to restart as the fixtool
  will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and
  display Finished, then press any key to end the script and load
  your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the
  contents of the results file Report.txt back onto the forum with
  a new HijackThis log

SDFix: Version 1.195
Run by anyuser on Sat 06/21/2008 at 03:17 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\anyuser\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\cmnocfg.xml - Deleted
C:\WINDOWS\system32\comsatac.dll - Deleted
C:\WINDOWS\system32\msratnit.dll - Deleted
C:\WINDOWS\system32\qviexio3.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 03:28:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,0f,50,1f,80,12,4d,f2,06,13,7e,dd,e3,de,3a,72,df,7a,..
"hj34z0"=hex:42,e0,b4,1a,bc,23,cb,97,ca,77,65,ab,eb,cf,f7,aa,f9,df,8b,9f,49,..
"hj34z1"=hex:cd,e0,b4,1a,c4,23,cb,97,cb,77,64,ab,ea,cf,f7,aa,f9,df,8b,9f,80,..
"hj34z2"=hex:cd,e0,b4,1a,c4,23,cb,97,cb,77,64,ab,ea,cf,f7,aa,f9,df,8b,9f,80,..
"hj34z3"=hex:cd,e0,b4,1a,c4,23,cb,97,cb,77,64,ab,ea,cf,f7,aa,f9,df,8b,9f,80,..
"hj34z4"=hex:cd,e0,b4,1a,c4,23,cb,97,cb,77,64,ab,ea,cf,f7,aa,f9,df,8b,9f,80,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\DOCUME~1\anyuser\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 18 Sep 2005 56 ..SHR --- "C:\WINDOWS\system32\8E39731748.sys"
Sat 21 Jun 2008 785 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Fri 6 Oct 2006 29,184 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL0002.tmp"
Thu 12 Oct 2006 27,136 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL0498.tmp"
Thu 12 Oct 2006 28,672 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL1295.tmp"
Thu 12 Oct 2006 28,672 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL2471.tmp"
Thu 12 Oct 2006 28,160 ...H. --- "C:\Documents and Settings\All Users\Documents\~WRL4029.tmp"
Fri 19 Nov 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Feb 2007 224 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti51.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Thu 18 Nov 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Thu 18 Nov 2004 12,888 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:13 AM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.248.254.11:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100805643683
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

--
End of file - 5085 bytes



Ads are definitely still around. :/

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Post new HJT log.

Anti-Malware Log:

Malwarebytes' Anti-Malware 1.18
Database version: 881

11:24:40 PM 6/22/2008
mbam-log-6-22-2008 (23-24-40).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 168693
Time elapsed: 55 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\winlogon.Del (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



ComboFix Log:

ComboFix 08-06-20.4 - anyuser 2008-06-22 23:32:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.263 [GMT -4:00]
Running from: C:\Documents and Settings\anyuser\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.

2008-06-22 22:24 . 2008-06-22 22:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 22:24 . 2008-06-22 22:24 <DIR> d-------- C:\Documents and Settings\anyuser\Application Data\Malwarebytes
2008-06-22 22:24 . 2008-06-22 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-22 22:24 . 2008-06-19 17:55 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-22 22:24 . 2008-06-19 17:55 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-21 19:11 . 2008-06-21 19:11 <DIR> d-------- C:\Program Files\TryMedia
2008-06-21 19:11 . 2008-06-21 19:11 <DIR> d-------- C:\Program Files\FreshGames
2008-06-21 03:12 . 2008-06-21 03:13 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-20 13:41 . 2008-06-20 13:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\WINDOWS\system32\quicktime
2008-06-10 22:23 . 2008-06-10 22:23 <DIR> d-------- C:\Program Files\AVI Codec Pack
2008-06-05 16:01 . 2008-06-05 16:01 <DIR> d-------- C:\Documents and Settings\anyuser\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 18:00 --------- d-----w C:\Program Files\Azureus
2008-06-20 18:00 --------- d-----w C:\Documents and Settings\anyuser\Application Data\Azureus
2008-06-05 19:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2005-09-18 20:51 56 --sh--r C:\WINDOWS\system32\8E39731748.sys
.

------- Sigcheck -------

2004-05-26 21:38 483328 e7f9d2e4e4a94a6f58014e5ffa16a65e C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe
2001-08-23 08:00 430080 2b0e480e975ee51f2d5ce5f068fed6e2 C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-09-03 17:18 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-06_15.12.59.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 14:01:16 2,816 -c----w C:\WINDOWS\$NtServicePackUninstall$\drmkaud.sys
+ 2001-08-23 12:00:00 184,320 -c----w C:\WINDOWS\$NtServicePackUninstall$\msh261.drv
+ 2001-08-23 12:00:00 286,720 -c----w C:\WINDOWS\$NtServicePackUninstall$\msh263.drv
+ 2001-08-23 12:00:00 22,016 -c----w C:\WINDOWS\$NtServicePackUninstall$\wdmaud.drv
+ 2001-08-23 12:00:00 131,584 -c----w C:\WINDOWS\$NtServicePackUninstall$\winspool.drv
- 2007-10-11 22:50:35 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-06-05 20:10:22 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2007-10-11 22:50:36 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-06-05 20:10:22 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2007-10-11 22:50:37 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-06-05 20:10:22 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2007-10-11 22:50:30 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:17 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:32 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:18 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:32 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:19 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:33 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:19 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:33 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:20 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:34 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:20 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:34 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:21 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:37 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-06-05 20:10:23 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2007-10-11 22:50:37 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-06-05 20:10:23 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2007-10-11 22:50:37 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-06-05 20:10:23 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2007-10-11 22:50:37 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-06-05 20:10:24 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2007-10-11 22:50:38 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-06-05 20:10:24 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2007-10-11 22:50:35 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-06-05 20:10:21 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-03-18 06:54:45 749,568 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.Xna.Framework\1.0.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.dll
+ 2008-03-18 06:54:45 94,208 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Xna.Framework.Game\1.0.0.0__6d5c3888ef60e27d\Microsoft.Xna.Framework.Game.dll
+ 2008-06-23 03:26:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-10-08 21:01:22 372,736 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-06-20 20:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-11-20 16:04:18 117,088 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-ca.dll
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-06-20 15:55:10 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-06-21 07:13:40 6,225,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-21 07:13:40 241,664 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-20 15:55:10 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-06-21 07:13:18 6,225,920 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-06-21 07:13:19 241,664 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2000-08-31 12:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 12:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
- 2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
+ 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\NirCmd.exe
+ 2004-11-18 20:11:48 2,722 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\SkuStore.bin
+ 2005-01-08 04:55:02 2,560 ----a-w C:\WINDOWS\Runservice.exe
+ 2000-08-31 12:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2004-08-04 08:07:21 1,788 ------w C:\WINDOWS\ServicePackFiles\i386\dcache.bin
+ 2004-08-04 06:07:57 2,944 ------w C:\WINDOWS\ServicePackFiles\i386\drmkaud.sys
+ 2004-08-04 07:56:57 188,416 ------w C:\WINDOWS\ServicePackFiles\i386\msh261.drv
+ 2004-08-04 07:56:57 294,912 ------w C:\WINDOWS\ServicePackFiles\i386\msh263.drv
+ 2004-08-04 07:56:57 23,552 ------w C:\WINDOWS\ServicePackFiles\i386\wdmaud.drv
+ 2004-08-04 07:56:57 146,432 ------w C:\WINDOWS\ServicePackFiles\i386\winspool.drv
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2001-08-23 12:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2001-08-23 12:00:00 73,376 ----a-w C:\WINDOWS\system\MCIAVI.DRV
+ 2001-08-23 12:00:00 25,264 ----a-w C:\WINDOWS\system\MCISEQ.DRV
+ 2001-08-23 12:00:00 28,160 ----a-w C:\WINDOWS\system\MCIWAVE.DRV
+ 2001-08-23 12:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2001-08-23 12:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2001-08-23 12:00:00 3,360 ----a-w C:\WINDOWS\system\SYSTEM.DRV
+ 2001-08-23 12:00:00 4,048 ----a-w C:\WINDOWS\system\TIMER.DRV
+ 2001-08-23 12:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
+ 2001-08-23 12:00:00 13,600 ----a-w C:\WINDOWS\system\WFWNET.DRV
+ 1994-09-21 05:00:00 6,736 ----a-w C:\WINDOWS\system\WINGDIB.DRV
+ 2004-08-04 07:56:57 146,432 ----a-w C:\WINDOWS\system\winspool.drv
+ 2001-08-23 12:00:00 10,544 ----a-w C:\WINDOWS\system32\comm.drv
+ 2006-09-28 20:05:20 2,414,360 ----a-w C:\WINDOWS\system32\d3dx9_31.dll
+ 2004-08-04 08:07:21 1,788 ----a-w C:\WINDOWS\system32\dcache.bin
- 2005-06-09 20:32:26 692,736 ----a-w C:\WINDOWS\system32\DivX.dll
+ 2002-05-13 13:49:10 594,432 ----a-w C:\WINDOWS\system32\DivX.dll
+ 2001-08-23 12:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2001-08-23 12:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2001-08-23 12:00:00 73,376 -c--a-w C:\WINDOWS\system32\dllcache\mciavi.drv
+ 2001-08-23 12:00:00 25,264 -c--a-w C:\WINDOWS\system32\dllcache\mciseq.drv
+ 2001-08-23 12:00:00 28,160 -c--a-w C:\WINDOWS\system32\dllcache\mciwave.drv
+ 2001-08-23 12:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2001-08-23 12:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2001-08-23 12:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2001-08-23 12:00:00 3,360 -c--a-w C:\WINDOWS\system32\dllcache\system.drv
+ 2001-08-23 12:00:00 4,048 -c--a-w C:\WINDOWS\system32\dllcache\timer.drv
+ 2001-08-23 12:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2001-08-23 12:00:00 13,600 -c--a-w C:\WINDOWS\system32\dllcache\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2004-08-04 07:56:57 146,432 -c--a-w C:\WINDOWS\system32\dllcache\winspool.drv
+ 2001-08-23 12:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2001-08-23 12:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
+ 2004-08-04 06:07:57 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
- 2006-04-09 21:22:25 10,345 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
+ 2008-02-27 02:40:08 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
+ 2001-08-23 12:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2001-08-23 12:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2001-08-23 12:00:00 221,600 ----a-w C:\WINDOWS\system32\lanman.drv
+ 2001-08-23 12:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
+ 2004-04-10 13:42:36 2,944 ----a-w C:\WINDOWS\system32\mbmiodrvr.sys
+ 2001-08-23 12:00:00 73,376 ----a-w C:\WINDOWS\system32\mciavi.drv
+ 2001-08-23 12:00:00 25,264 ----a-w C:\WINDOWS\system32\mciseq.drv
+ 2001-08-23 12:00:00 28,160 ----a-w C:\WINDOWS\system32\mciwave.drv
+ 2001-08-23 12:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2002-05-15 23:38:40 91,136 ----a-w C:\WINDOWS\system32\mp4fil32.dll
+ 2001-04-01 23:47:18 416,304 ----a-w C:\WINDOWS\system32\Mpg4c32.dll
+ 2001-08-23 12:00:00 20,480 ----a-w C:\WINDOWS\system32\msacm32.drv
+ 2004-08-04 07:56:57 188,416 ----a-w C:\WINDOWS\system32\msh261.drv
+ 2004-08-04 07:56:57 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
- 2004-10-16 01:20:16 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2002-01-05 03:37:28 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2001-08-23 12:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
+ 2002-10-04 23:04:16 45,056 ----a-w C:\WINDOWS\system32\ogg.dll
+ 2002-10-06 18:42:56 237,568 ----a-w C:\WINDOWS\system32\OggDS.dll
- 2007-11-04 08:47:28 59,440 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-10 19:35:45 59,440 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-04 08:47:28 395,200 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-10 19:35:45 395,200 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-08-04 07:56:57 23,552 ----a-w C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\wdmaud.drv
+ 2001-08-23 12:00:00 1,744 ----a-w C:\WINDOWS\system32\sound.drv
+ 2007-03-26 15:17:44 2,862,592 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpbcfgre.dll
+ 2006-11-30 16:14:06 671,816 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpcdmc32.dll
+ 2007-02-23 00:35:00 314,880 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpfie5ha.dll
+ 2007-02-20 16:29:02 337,920 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpfig5ha.dll
+ 2006-12-06 21:31:56 113,152 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpfrs5ha.dll
+ 2007-03-28 17:53:28 977,920 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpz3c5ha.dll
+ 2007-03-28 19:01:08 1,739,264 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpz3r5ha.dll
+ 2007-03-28 19:01:28 233,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzc35ha.dll
+ 2007-03-28 18:59:04 446,976 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzev5ha.dll
+ 2007-03-28 19:00:22 5,189,120 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzla5ha.dll
+ 2007-03-28 18:57:04 782,848 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzle5ha.dll
+ 2007-03-28 18:59:20 299,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzpr5ha.dll
+ 2007-03-28 18:57:18 853,504 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzse5ha.dll
+ 2007-03-28 18:32:56 670,208 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzss5ha.dll
+ 2007-03-28 17:52:24 8,602,112 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzst5ha.dll
+ 2007-03-28 18:58:06 3,291,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzui5ha.dll
+ 2007-03-28 17:53:22 3,419,648 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzur5ha.dll
+ 2006-12-20 17:50:04 269,824 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL
+ 2006-12-20 17:50:02 206,336 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRVUI.DLL
+ 2006-12-20 17:49:58 619,520 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIRES.DLL
+ 2001-08-23 12:00:00 3,360 ----a-w C:\WINDOWS\system32\system.drv
+ 2001-08-23 12:00:00 4,048 ----a-w C:\WINDOWS\system32\timer.drv
+ 2001-08-23 12:00:00 2,176 ----a-w C:\WINDOWS\system32\vga.drv
+ 2002-10-04 23:04:24 188,416 ----a-w C:\WINDOWS\system32\vorbis.dll
+ 2002-10-04 23:04:24 921,600 ----a-w C:\WINDOWS\system32\VorbisEnc.dll
+ 2004-08-04 07:56:57 23,552 ----a-w C:\WINDOWS\system32\wdmaud.drv
+ 2001-08-23 12:00:00 13,600 ----a-w C:\WINDOWS\system32\wfwnet.drv
+ 2001-08-23 12:00:00 2,864 ----a-w C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 07:56:57 146,432 ----a-w C:\WINDOWS\system32\winspool.drv
+ 2001-08-23 12:00:00 2,112 ----a-w C:\WINDOWS\system32\winspool.exe
+ 2001-08-23 12:00:00 2,736 ----a-w C:\WINDOWS\system32\wowdeb.exe
+ 2005-09-28 19:46:30 1,184,984 ----a-w C:\WINDOWS\system32\wvc1dmod.dll
+ 2006-09-28 20:03:28 15,128 ----a-w C:\WINDOWS\system32\x3daudio1_1.dll
+ 2006-09-28 20:05:56 237,848 ----a-w C:\WINDOWS\system32\xactengine2_4.dll
+ 2006-09-28 20:04:02 68,888 ----a-w C:\WINDOWS\system32\xinput1_3.dll
+ 2000-08-31 12:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
- 2007-01-25 17:05:51 57,237 ----a-w C:\WINDOWS\War3Unin.dat
+ 2008-02-07 06:35:47 57,613 ----a-w C:\WINDOWS\War3Unin.dat
+ 2004-11-19 01:09:29 2,829 ----a-w C:\WINDOWS\War3Unin.pif
+ 2000-08-31 12:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2004-06-01 11:46 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AHQInit"="C:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 12:49 102400]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-06-01 12:09 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-06-01 12:03 217088]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-08-02 21:03 4493312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-18 18:41:55 113664]
NkvMon.exe.lnk - C:\Program Files\Nikon\NkView6\NkvMon.exe [2004-11-18 18:24:18 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=MsgPlusLoader.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.enc"= ITIG726.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\drivers\si3112r.sys [2004-08-27 17:18]
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-05-20 18:35]
R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 07:12]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2005-01-08 00:55]
S2 SvcProc;System Startup Service ;C:\WINDOWS\svcproc.exe []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 17:10]
S3 NVNR25USB;Novation ReMOTE25 USB MIDI WDM Driver;C:\WINDOWS\system32\Drivers\NVNXPMe1.sys [1903-12-31 20:00]
S3 NVNRMUSB;Novation ReMOTE USB MIDI WDM Driver;C:\WINDOWS\system32\Drivers\Remote.sys [2005-01-03 14:04]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 22:36:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-23 03:27:01 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 07:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 23:34:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-22 23:36:30
ComboFix-quarantined-files.txt 2008-06-23 03:35:28
ComboFix2.txt 2007-12-06 20:13:27

Pre-Run: 217,075,712 bytes free
Post-Run: 571,199,488 bytes free

267 --- E O F --- 2007-07-11 02:55:19







Fresh HiJack Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:48 PM, on 6/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.248.254.11:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html
O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100805643683
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loader.com/load/ccaccess.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

--
End of file - 5467 bytes

Any particular reason you ran combofix twice? Do you have the original log from the first run?

==