
Please help! I keep getting the "buffer overrun in explorer.exe" error message and Explorer keeps crashing. Also, Mozilla seems to be having huge problems on my computer and frequently pages won't load. Certain websites won't work at all, and sometimes when I do searches on Google it's 50-50 whether it works or not. Below is the HijackThis log, please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:25 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDmYReEEaH4pX7SeRtBu0G4IlqwZ8CpQVsVnF1UfDb2TRJtOZ98Louq8C/HT0ZkASBpEo9wi9GPZmJj8Rk7SeYHbuiCXmr2+Y29Yd3z4nCKNw=
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BM2f30cb2b] Rundll32.exe "C:\WINDOWS\system32\txdmotat.dll",s
O4 - HKLM\..\Run: [2c03f8b7] rundll32.exe "C:\WINDOWS\system32\amlkymqo.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lldsrngs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk14465US
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/1d31bcbdcf4477f5b84a4714dbbb0dc4_35.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: M-Audio Xponent Installer (MAudioXponentService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 9610 bytes
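
As an added example for this thread (my own code, not part of HijackThis, Malwarebytes or the original posts), the script below applies a handful of triage rules to lines copied from the HijackThis log above. The rules are heuristics I chose, not anything HijackThis itself computes: a Run value whose name is a hex blob, a rundll32 line that loads an eight-letter DLL from system32 through a single-letter export, a Startup shortcut that launches a random-named .exe from system32, an O16 DPF entry whose URL is a bare .exe instead of a .cab/.ocx, and an IE SearchAssistant pointing somewhere other than microsoft.com. The weights are arbitrary; the point is that the two `BM2f30cb2b`/`2c03f8b7` entries, the `TA_Start.lnk` shortcut and the trasferimento.biz download all separate cleanly from the NVIDIA, McAfee and WGA entries without any signature database.

```python
"""Triage heuristics for a HijackThis 2.0.x log.

Added example for this thread: not part of HijackThis and not code from the
original posts. The sample lines are copied from the log posted above; the
scoring rules are the reviewer's own shortcuts, not anything HijackThis does.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log in the first post (mix of benign and bad).
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDmYReEEaH4pX7SeRtBu0G4IlqwZ8CpQVsVnF1UfDb2TRJtOZ98Louq8C/HT0ZkASBpEo9wi9GPZmJj8Rk7SeYHbuiCXmr2+Y29Yd3z4nCKNw=
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [BM2f30cb2b] Rundll32.exe "C:\WINDOWS\system32\txdmotat.dll",s
O4 - HKLM\..\Run: [2c03f8b7] rundll32.exe "C:\WINDOWS\system32\amlkymqo.dll",b
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lldsrngs.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/1d31bcbdcf4477f5b84a4714dbbb0dc4_35.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
'''


@dataclass
class Finding:
    section: str   # HijackThis section code: R0, O4, O16 ...
    score: int     # 0 = note only; 3 or more = pull the file for analysis
    reasons: list
    line: str


RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")                    # txdmotat, amlkymqo, lldsrngs
HEX_VALUE_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8,}$", re.I)   # 2c03f8b7, BM2f30cb2b
O4_RUNDLL = re.compile(
    r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] rundll32\.exe\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S*)', re.I)
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: .+?\.lnk = (?P<target>.+)$", re.I)
O16_DPF = re.compile(r"^O16 - DPF: (?:\{[0-9A-F-]+\}|\S+)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$", re.I)
R_SEARCH = re.compile(r"^R[01] - [^=]+,(?P<value>[^=]+)= (?P<url>\S+)$")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _random_stem(filename):
    return bool(RANDOM_STEM.match(filename.rsplit(".", 1)[0]))


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Score each log line; lines with nothing to say are dropped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        score, reasons = 0, []
        m = O4_RUNDLL.match(line)
        if m:
            if _in_system32(m["dll"]) and _random_stem(_basename(m["dll"])):
                score += 1; reasons.append("rundll32 loads a random-named DLL from system32")
            if HEX_VALUE_NAME.match(m["name"]):
                score += 2; reasons.append("Run value name is a hex blob, not a product name")
            if len(m["entry"]) == 1:
                score += 2; reasons.append("DLL export is a single letter")
        m = O4_STARTUP.match(line)
        if m and _in_system32(m["target"]) and m["target"].lower().endswith(".exe") \
                and _random_stem(_basename(m["target"])):
            score += 3; reasons.append("Startup shortcut runs a random-named .exe from system32")
        m = O16_DPF.match(line)
        if m:
            if m["url"].lower().endswith(".exe"):
                score += 3; reasons.append("ActiveX DPF points at a bare .exe, not a .cab/.ocx")
            if not m["desc"]:
                score += 1; reasons.append("control has no friendly name")
        m = R_SEARCH.match(line)
        if m and "search" in m["value"].lower():
            host = urlsplit(m["url"]).hostname or ""
            if not host.endswith("microsoft.com"):
                score += 2; reasons.append(f"IE search provider redirected to {host}")
        if section == "O10":   # "Unknown" means HijackThis did not recognise it, not that it is bad
            reasons.append("unrecognised LSP: check the file's signer before touching it")
        if reasons:
            findings.append(Finding(section, score, reasons, line))
    return findings


def high_priority(findings, threshold=3):
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -f.score):
        print(f"[{f.score}] {f.section}: {f.line[:72]}")
        for r in f.reasons:
            print("     -", r)
```

Run it as-is and the four entries that a helper would ask to have removed come out on top, the Starware search hijack scores as a hijack rather than a dropper, and the NetWare LSP is listed as a note only. The O10 rule deliberately does not score, because HijackThis's "Unknown file" only means its own list did not recognise the provider.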

2 Contributors, 12 Replies, 13 Views, 9 Years Discussion Span, Last Post by crunchie

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

============

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to, and run it from, your Desktop.
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Post new Hijackthis log.


Thanks for the help! Here are the logs.

Malwarebytes log:


Malwarebytes' Anti-Malware 1.15
Database version: 833


1:36:13 AM 6/6/2008
mbam-log-6-6-2008 (01-36-13).txt


Scan type: Full Scan (C:\|F:\|I:\|)
Objects scanned: 325734
Time elapsed: 2 hour(s), 12 minute(s), 6 second(s)


Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 21
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 24


Memory Processes Infected:
(No malicious items detected)


Memory Modules Infected:
C:\WINDOWS\system32\qoMdbXPi.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUmLDuV.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\txdmotat.dll (Trojan.Vundo) -> Unloaded module successfully.


Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aa1d3adf-6ff8-4641-bcba-b62b869d0bca} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{aa1d3adf-6ff8-4641-bcba-b62b869d0bca} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvumlduv (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bb175931-3ed1-420a-b108-c08467799157} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2c03f8b7 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM2f30cb2b (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (Adware.Starware) -> Quarantined and deleted successfully.


Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdbxpi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdbxpi  -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.


Folders Infected:
C:\WINDOWS\system32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.


Files Infected:
C:\WINDOWS\system32\amlkymqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oqmyklma.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\goputxqr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqxtupog.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMdbXPi.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\iPXbdMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iPXbdMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmLDuV.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jishltjq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psbmqnug.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\txdmotat.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\qoMcdCRI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\G\Start Menu\Programs\Startup\TA_Start.lnk (Malware.Trace) -> Quarantined and deleted successfully.


ComboFix log:


ComboFix 08-06-05.3 - G 2008-06-06  1:45:01.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.154 [GMT -4:00]
Running from: C:\Documents and Settings\G\Desktop\ComboFix.exe
* Created a new restore point


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\BM2f30cb2b.xml
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGNmoUtv.ini
C:\WINDOWS\system32\aGNmoUtv.ini2
C:\WINDOWS\system32\bjcjcpcn.ini
C:\WINDOWS\system32\gmyvdskj.dll
C:\WINDOWS\system32\iPXbdMoq.ini
C:\WINDOWS\system32\iPXbdMoq.ini2
C:\WINDOWS\system32\LRttBJjl.ini
C:\WINDOWS\system32\LRttBJjl.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\qoMdbXPi.dll
C:\WINDOWS\system32\ufdxfpre.ini
C:\WINDOWS\system32\uuvbgamu.dll
C:\WINDOWS\system32\wvUmLDuV.dll


.
(((((((((((((((((((((((((   Files Created from 2008-05-06 to 2008-06-06  )))))))))))))))))))))))))))))))
.


2008-06-05 23:14 . 2008-06-05 23:14 <DIR>    d--------   C:\Documents and Settings\G\Application Data\Malwarebytes
2008-06-05 23:13 . 2008-06-05 23:13 <DIR>    d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 23:13 . 2008-06-05 23:13 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 23:13 . 2008-06-05 16:04 34,296  --a------   C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 23:13 . 2008-06-05 16:04 15,864  --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-06-05 23:11 . 2008-06-05 23:11 <DIR>    d--------   C:\Program Files\Common Files\Download Manager
2008-06-05 13:09 . 2008-06-05 13:09 <DIR>    d--------   C:\Program Files\Trend Micro
2008-06-05 11:08 . 2008-06-05 11:08 180,224 --a------   C:\WINDOWS\system32\jumkfpjg.dll
2008-06-05 11:01 . 2008-06-06 01:36 156,160 ---------   C:\WINDOWS\system32\txdmotat.dll
2008-06-04 12:42 . 2008-06-04 12:42 <DIR>    d--------   C:\VundoFix Backups
2008-06-04 02:17 . 2008-06-04 02:46 <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-04 02:16 . 2008-06-04 02:17 <DIR>    d--------   C:\Program Files\Security Task Manager
2008-06-04 01:10 . 2008-06-04 01:56 211 --a------   C:\WINDOWS\wininit.ini
2008-06-04 00:25 . 2008-06-04 00:23 691,545 --a------   C:\WINDOWS\unins000.exe
2008-06-04 00:25 . 2008-06-04 00:25 2,538   --a------   C:\WINDOWS\unins000.dat
2008-06-02 23:06 . 2008-06-02 23:06 <DIR>    d--------   C:\Program Files\Outsim
2008-05-25 21:53 . 2008-05-25 21:53 <DIR>    d--------   C:\Documents and Settings\G\Application Data\atitray
2008-05-25 21:52 . 2006-02-21 20:05 136,272 --a------   C:\WINDOWS\system32\atmenuxx.hlp
2008-05-25 21:52 . 2006-02-21 20:05 40,651  --a------   C:\WINDOWS\system32\attenuxx.hlp
2008-05-25 21:52 . 2006-02-21 20:05 23,224  --a------   C:\WINDOWS\system32\atfenuxx.hlp
2008-05-13 20:10 . 2008-05-13 20:10 <DIR>    d--------   C:\Program Files\MultiRes
2008-05-13 20:09 . 2008-05-13 20:09 <DIR>    d--------   C:\Program Files\Radeon Omega Drivers
2008-05-13 20:09 . 2008-05-13 20:09 451,072 --a------   C:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe
2008-05-13 03:09 . 2004-11-22 10:42 524,288 --a------   C:\Documents and Settings\G\IC7P_18.BIN
2008-05-13 03:09 . 2004-03-09 11:44 43,979  --a------   C:\Documents and Settings\G\AWDFLASH.EXE
2008-05-13 03:09 . 2000-12-27 09:59 1,427   --a------   C:\Documents and Settings\G\ABITFAE.BAT
2008-05-13 03:09 . 2004-11-25 18:51 341 --a------   C:\Documents and Settings\G\RUNME.BAT
2008-05-12 22:10 . 2008-05-12 22:10 248 --a------   C:\WINDOWS\RomeTW.ini
2008-05-12 20:34 . 2008-05-12 20:34 0   --a------   C:\WINDOWS\ativpsrm.bin
2008-05-12 20:32 . 2004-09-15 21:10 516,096 --a------   C:\WINDOWS\system32\ati2sgag.exe
2008-05-12 20:31 . 2008-05-12 20:31 <DIR>    d--------   C:\ATI


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 17:38    ---------   d-----w C:\Program Files\Absolute Poker
2008-06-05 15:18    ---------   d-----w C:\Program Files\Plaxo
2008-06-04 04:35    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 04:29    ---------   d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 05:09    ---------   d-----w C:\Documents and Settings\G\Application Data\Azureus
2008-06-03 03:08    ---------   d-----w C:\Program Files\Image-Line
2008-05-26 01:50    ---------   d-----w C:\Documents and Settings\G\Application Data\WinFF
2008-05-13 04:07    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 05:15    ---------   d-----w C:\Program Files\Common Files\Adobe
2008-05-10 05:14    ---------   d-----w C:\Documents and Settings\G\Application Data\AdobeUM
2008-05-09 21:11    ---------   d-----w C:\Program Files\Full Tilt Poker
2008-04-29 07:06    ---------   d-----w C:\Program Files\PE
2008-04-25 07:25    ---------   d-----w C:\Program Files\ABC 3GP Converter
2008-04-25 07:07    ---------   d-----w C:\Program Files\Azureus
2008-04-25 04:10    ---------   d-----w C:\Program Files\LimeWire
2008-04-22 06:42    ---------   d-----w C:\Program Files\WinFF
2008-04-22 06:38    ---------   d-----w C:\Program Files\Video mp3 Extractor
2008-04-22 04:03    ---------   d-----w C:\Program Files\Red Kawa
2008-04-20 19:45    ---------   d-----w C:\Program Files\mIRC
2008-04-07 04:11    ---------   d-----w C:\Program Files\iTunes
2008-04-07 04:10    ---------   d-----w C:\Program Files\iPod
2008-04-07 04:08    ---------   d-----w C:\Program Files\QuickTime
2007-10-16 14:28    56,912  ----a-w C:\Documents and Settings\G\g2mdlhlpx.exe
2007-06-09 23:07    87,608  ----a-w C:\Documents and Settings\G\Application Data\inst.exe
2007-06-09 23:07    47,360  ----a-w C:\Documents and Settings\G\Application Data\pcouffin.sys
2006-11-07 14:40    56,912  ----a-w C:\Documents and Settings\Guest\g2mdlhlpx.exe
2005-02-12 03:49    36  ----a-w C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
2005-02-11 16:43    255,232 ----a-w C:\Documents and Settings\G\Application Data\tvmknwrd.dll
2004-11-29 08:55    1,259   ----a-w C:\Program Files\INSTALL.LOG
1998-02-10 23:34    128,000 ----a-w C:\Program Files\UNWISE.EXE
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B275C8A-DBFF-4ED7-BB22-1B2076DB0A93}]
C:\WINDOWS\system32\ljJBttRL.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13B90B82-0305-4A6C-A79A-F74C7A09BAD4}]
C:\WINDOWS\system32\vtUomNGa.dll


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EBEB9BB-9A35-451A-8DD7-538DECBA7844}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA1D3ADF-6FF8-4641-BCBA-B62B869D0BCA}]


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6BC2AFB-41B9-4511-8C0B-5168456D5ADA}]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
"VTTimer"="VTTimer.exe" [2003-05-07 17:32 36864 C:\WINDOWS\system32\VTTimer.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2007-09-11 11:58 200704]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 09:56 236016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"BM2f30cb2b"="C:\WINDOWS\system32\txdmotat.dll" [2008-06-06 01:36 156160]
"2c03f8b7"="C:\WINDOWS\system32\amlkymqo.dll" [ ]
"@"="" []


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-09 19:18:34 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUmLDuV]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"MSACM.MI-SC4"= MI-SC4.acm
"SENTINEL"= snti386.dll
"MSVideo"= CSvidcap.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
--a------ 2007-10-16 09:45 31816 C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-30 12:46 183367 C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
C:\Program Files\Shareaza\Shareaza.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2003-05-07 17:32 36864 C:\WINDOWS\system32\VTTimer.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherWatcher]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsHiderPro]
--a------ 2002-08-08 11:02 4608 C:\Program Files\WHidePro\whpro.exe


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\javaw.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AutoXDCC\\AutoXDCC.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"C:\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2007-10-16 04:42]
R1 NPPTNT;NPPTNT;C:\WINDOWS\system32\npptNT.sys [2003-07-22 02:14]
R2 MAudioXponentService;M-Audio Xponent Installer;C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe [2007-09-11 11:54]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14:56]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-04-29 20:43]
R3 padenum;Enumerador de dispositivos de NTPAD;C:\WINDOWS\system32\DRIVERS\padenum.sys [2002-03-07 04:33]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 MADFU;MADFU;C:\WINDOWS\system32\DRIVERS\MADFUXP.sys [2007-09-11 11:58]
S3 MAUSBXP;Service for M-Audio Xponent (WDM);C:\WINDOWS\system32\DRIVERS\mausbxp.sys [2007-09-11 11:58]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;C:\WINDOWS\system32\drivers\ntpad.sys [2002-07-28 22:12]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{362baccc-7ce4-11db-9470-00904705c0d6}]
\Shell\AutoRun\command - G:\LaunchU3.exe


*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-03-26 17:54:34 C:\WINDOWS\Tasks\disc 7.job"
- C:\MP3\MP3 Disc 7\Bon Jovi - Its My Life.m4a
"2005-12-08 15:45:00 C:\WINDOWS\Tasks\MWF.job"
- C:\MP3\MP3 Disc 7\Survivor--0 - Eye of the tiger.mp3
"2005-03-21 09:45:34 C:\WINDOWS\Tasks\Th.job"
- C:\MP3\disc 7.m3u
"2005-02-26 10:38:20 C:\WINDOWS\Tasks\Tu.job"
- C:\MP3\disc 7.m3u
.
**************************************************************************


catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 01:56:52
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-06  2:07:05 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-06 06:06:59


Pre-Run: 8,887,484,416 bytes free
Post-Run: 9,091,211,264 bytes free


240 --- E O F ---   2008-05-18 14:01:32


new hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:59 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {0B275C8A-DBFF-4ED7-BB22-1B2076DB0A93} - C:\WINDOWS\system32\ljJBttRL.dll (file missing)
O2 - BHO: (no name) - {13B90B82-0305-4A6C-A79A-F74C7A09BAD4} - C:\WINDOWS\system32\vtUomNGa.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [BM2f30cb2b] Rundll32.exe "C:\WINDOWS\system32\txdmotat.dll",s
O4 - HKLM\..\Run: [2c03f8b7] rundll32.exe "C:\WINDOWS\system32\amlkymqo.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk14465US
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/1d31bcbdcf4477f5b84a4714dbbb0dc4_35.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O20 - Winlogon Notify: wvUmLDuV - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: M-Audio Xponent Installer (MAudioXponentService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe


--
End of file - 9903 bytes

Edited by happygeek: fixed formatting

0

another weird thing is when combofix restarted my computer, for some odd reason, mozilla was gone?

0

Mozilla might have to be reinstalled.

===========

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
C:\Documents and Settings\G\Application Data\tvmknwrd.dll

============

Can you please do the following.

===============

You will have to disable Spybot's Teatimer before we begin, as it will interfere with the fix. To do this can you start Spybot and go to the Mode button and select Advanced. Go to Tools > Resident and uncheck the box next to Tea-Timer. Make sure that the icon in the system tray is no longer there. If it is, just right click on it and select "Exit".
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
Do not forget to re-enable teatimer when we are done :).
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

===============

Go to Add/Remove programs and uninstall the following, if present:

MyWebSearch

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {0B275C8A-DBFF-4ED7-BB22-1B2076DB0A93} - C:\WINDOWS\system32\ljJBttRL.dll (file missing)
O2 - BHO: (no name) - {13B90B82-0305-4A6C-A79A-F74C7A09BAD4} - C:\WINDOWS\system32\vtUomNGa.dll (file missing)

O4 - HKLM\..\Run: [BM2f30cb2b] Rundll32.exe "C:\WINDOWS\system32\txdmotat.dll",s
O4 - HKLM\..\Run: [2c03f8b7] rundll32.exe "C:\WINDOWS\system32\amlkymqo.dll",b

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZNxmk14465US

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)

O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/1d31...bbb0dc4_35.exe

O20 - Winlogon Notify: wvUmLDuV - C:\WINDOWS\


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\WINDOWS\system32\txdmotat.dll
C:\WINDOWS\system32\amlkymqo.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode and hit Enter.

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
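
As an added example (not code from this thread, from HijackThis or from the helper), here is a Python script that applies the same triage reasoning the post above applied to the log: orphaned BHOs, random-named Run values handing a system32 DLL to rundll32, an O16 entry fetching a bare .exe, a Winlogon Notify entry with no DLL, and a context-menu item served by the MyWebSearch host. The sample lines are copied from the posted log (plus benign entries from the same log); the rule names, regexes, host list and reason strings are my own.

```python
"""Triage rules for HijackThis v2 log lines (added example, not HijackThis code).

Encodes the reasoning applied to the log above: BHOs whose DLL is gone, Run
values with random hex names handing a system32 DLL to rundll32, an O16 ActiveX
entry that fetches a bare .exe, a Winlogon Notify entry naming no DLL file, and
a context-menu item served by the MyWebSearch adware host.
"""
import re
from urllib.parse import urlparse

# Constructed sample: suspicious lines copied from the log posted in this thread,
# mixed with benign entries from the same log that must NOT be flagged.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: (no name) - {0B275C8A-DBFF-4ED7-BB22-1B2076DB0A93} - C:\WINDOWS\system32\ljJBttRL.dll (file missing)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll",
    r"O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)",
    r'O4 - HKLM\..\Run: [BM2f30cb2b] Rundll32.exe "C:\WINDOWS\system32\txdmotat.dll",s',
    r'O4 - HKLM\..\Run: [2c03f8b7] rundll32.exe "C:\WINDOWS\system32\amlkymqo.dll",b',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk14465US",
    r"O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm",
    r"O16 - DPF: {00000005-0000-0000-0000-100005000004} - http://code.trasferimento.biz/l/1d31bcbdcf4477f5b84a4714dbbb0dc4_35.exe",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    "O20 - Winlogon Notify: wvUmLDuV - C:\\WINDOWS\\",  # not raw: trailing backslash
]

# Line shapes of the HijackThis sections we look at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<title>.*?) - (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>.*?) - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Random-looking Run value names such as [2c03f8b7] or [BM2f30cb2b].
RANDOM_RUN_NAME = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)
# rundll32 given a system32 DLL and a single-letter export name (",s" / ",b").
RUNDLL_ONE_LETTER = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\[^",\\]+\.dll"?,[a-z]\s*$', re.IGNORECASE
)
# Adware hosts named in this thread (assumed list; extend from your own sources).
ADWARE_HOSTS = ("mywebsearch.com",)


def analyze_line(line):
    """Return a short reason if the line trips a triage rule, else None."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        if path == "(no file)" or path.endswith("(file missing)"):
            return "O2: BHO CLSID still registered but its DLL is gone (orphaned entry)"
        return None
    m = O4_RE.match(line)
    if m:
        if RANDOM_RUN_NAME.match(m.group("name")):
            return "O4: Run value with a random hex name"
        if RUNDLL_ONE_LETTER.search(m.group("cmd")):
            return "O4: rundll32 loads a system32 DLL through a one-letter export"
        return None
    m = O8_RE.match(line)
    if m:
        host = urlparse(m.group("target")).hostname or ""
        if any(host == h or host.endswith("." + h) for h in ADWARE_HOSTS):
            return "O8: context menu item served by a known adware host"
        return None
    m = O16_RE.match(line)
    if m:
        if urlparse(m.group("url")).path.lower().endswith(".exe"):
            return "O16: ActiveX download entry points straight at an .exe"
        return None
    m = O20_RE.match(line)
    if m:
        if not m.group("path").lower().endswith(".dll"):
            return "O20: Winlogon Notify entry names no DLL file"
        return None
    return None


def analyze_hijackthis(lines):
    """Return [(line, reason)] for every log line that trips a rule."""
    hits = []
    for raw in lines:
        reason = analyze_line(raw)
        if reason is not None:
            hits.append((raw.rstrip(), reason))
    return hits


if __name__ == "__main__":
    # Prints the entries a helper would ask the poster to tick in HijackThis.
    for entry, reason in analyze_hijackthis(SAMPLE_LOG_LINES):
        print(f"{reason}\n    {entry}")
```

Feed it the lines of a saved hijackthis.log and it produces the same short list of entries the helper pulled out by hand; everything else in the log is left alone.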

0

my computer seems to be running a lot better now! thanks!

i scanned the two files with virustotal and it said 0/32 for results for both

i couldn't find mywebsearch in the add/remove and deleted the txdmotat.dll file but couldn't find amlkymqo.dll

the following is the new hijackthis log, thanks!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:52 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8EBEB9BB-9A35-451A-8DD7-538DECBA7844} - (no file)
O2 - BHO: (no name) - {AA1D3ADF-6FF8-4641-BCBA-B62B869D0BCA} - (no file)
O2 - BHO: (no name) - {C6BC2AFB-41B9-4511-8C0B-5168456D5ADA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: M-Audio Xponent Installer (MAudioXponentService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8581 bytes

0

my computer seems to be running a lot better now! thanks!

i scanned the two files with virustotal and it said 0/32 for results for both

You mean they came back clear? The results from the scans can be pasted here :).

* Please download F2T (Files To Text)

*Doubleclick F2Ts.exe to start the program.
*Next to Path on top, copy and paste the next line:

*C:\Documents and Settings\G\Application Data\tvmuknwrd.dll

*When done, press the GO button next to it.
*Then click the Select F2T-list button below to select the results.
*Right-click the selected text.
*Click on "copy"
*Paste the copied text into your next reply.

Repeat for this one:

C:\Documents and Settings\G\Application Data\tvmknwrd.dll

===============

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)
O2 - BHO: (no name) - {8EBEB9BB-9A35-451A-8DD7-538DECBA7844} - (no file)
O2 - BHO: (no name) - {AA1D3ADF-6FF8-4641-BCBA-B62B869D0BCA} - (no file)
O2 - BHO: (no name) - {C6BC2AFB-41B9-4511-8C0B-5168456D5ADA} - (no file)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

0

the following are the txt files, thanks!!

F2Ts version 1.1 (april 5, 2006)
Date: 6/6/2008 9:47:37 AM

F2Ts File-Properties of C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
-------------------------------------------------------

No version available for this file
Company Name:
File Description:
Product version: File Version:
Internal Name:
Legal Copyright:
Original FileName:
Product Name:
Original FileName:Product Version:

F2Ts version 1.1 (april 5, 2006)
Date: 6/6/2008 9:48:15 AM

F2Ts File-Properties of C:\Documents and Settings\G\Application Data\tvmknwrd.dll
-------------------------------------------------------

No version available for this file
Company Name:
File Description:
Product version: File Version:
Internal Name:
Legal Copyright:
Original FileName:
Product Name:
Original FileName:Product Version:

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:27 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: M-Audio Xponent Installer (MAudioXponentService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8365 bytes


1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
C:\Documents and Settings\G\Application Data\tvmknwrd.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB

thanks for all your help!

the following are the logs,

combofix

ComboFix 08-06-06.6 - G 2008-06-07 13:04:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\G\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\G\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\G\Application Data\tvmknwrd.dll
C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\G\Application Data\inst.exe
C:\Documents and Settings\G\Application Data\tvmknwrd.dll
C:\Documents and Settings\G\Application Data\tvmuknwrd.dll
C:\Documents and Settings\G\g2mdlhlpx.exe
C:\Documents and Settings\Guest\g2mdlhlpx.exe
C:\Documents and Settings\Guest\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\jumkfpjg.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 08:24 . 2008-06-06 08:26 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-05 23:14 . 2008-06-05 23:14 <DIR> d-------- C:\Documents and Settings\G\Application Data\Malwarebytes
2008-06-05 23:13 . 2008-06-05 23:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-05 23:13 . 2008-06-05 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-05 23:13 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-05 23:13 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-05 23:11 . 2008-06-05 23:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-05 13:09 . 2008-06-05 13:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-04 12:42 . 2008-06-04 12:42 <DIR> d-------- C:\VundoFix Backups
2008-06-04 02:17 . 2008-06-04 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-04 02:16 . 2008-06-04 02:17 <DIR> d-------- C:\Program Files\Security Task Manager
2008-06-04 01:10 . 2008-06-04 01:56 211 --a------ C:\WINDOWS\wininit.ini
2008-06-04 00:25 . 2008-06-04 00:23 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-04 00:25 . 2008-06-04 00:25 2,538 --a------ C:\WINDOWS\unins000.dat
2008-06-02 23:06 . 2008-06-02 23:06 <DIR> d-------- C:\Program Files\Outsim
2008-05-25 21:53 . 2008-05-25 21:53 <DIR> d-------- C:\Documents and Settings\G\Application Data\atitray
2008-05-25 21:52 . 2006-02-21 20:05 136,272 --a------ C:\WINDOWS\system32\atmenuxx.hlp
2008-05-25 21:52 . 2006-02-21 20:05 40,651 --a------ C:\WINDOWS\system32\attenuxx.hlp
2008-05-25 21:52 . 2006-02-21 20:05 23,224 --a------ C:\WINDOWS\system32\atfenuxx.hlp
2008-05-13 20:10 . 2008-05-13 20:10 <DIR> d-------- C:\Program Files\MultiRes
2008-05-13 20:09 . 2008-05-13 20:09 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2008-05-13 20:09 . 2008-05-13 20:09 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe
2008-05-13 03:09 . 2004-11-22 10:42 524,288 --a------ C:\Documents and Settings\G\IC7P_18.BIN
2008-05-13 03:09 . 2004-03-09 11:44 43,979 --a------ C:\Documents and Settings\G\AWDFLASH.EXE
2008-05-13 03:09 . 2000-12-27 09:59 1,427 --a------ C:\Documents and Settings\G\ABITFAE.BAT
2008-05-13 03:09 . 2004-11-25 18:51 341 --a------ C:\Documents and Settings\G\RUNME.BAT
2008-05-12 22:10 . 2008-05-12 22:10 248 --a------ C:\WINDOWS\RomeTW.ini
2008-05-12 20:34 . 2008-05-12 20:34 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-05-12 20:32 . 2004-09-15 21:10 516,096 --a------ C:\WINDOWS\system32\ati2sgag.exe
2008-05-12 20:31 . 2008-05-12 20:31 <DIR> d-------- C:\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 13:01 11,166 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-06-06 14:00 --------- d-----w C:\Program Files\Plaxo
2008-06-06 12:43 --------- d-----w C:\Program Files\Java
2008-06-06 12:01 --------- d-----w C:\Documents and Settings\G\Application Data\Azureus
2008-06-05 17:38 --------- d-----w C:\Program Files\Absolute Poker
2008-06-04 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 04:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-03 03:08 --------- d-----w C:\Program Files\Image-Line
2008-05-26 01:50 --------- d-----w C:\Documents and Settings\G\Application Data\WinFF
2008-05-13 04:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 05:15 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-10 05:14 --------- d-----w C:\Documents and Settings\G\Application Data\AdobeUM
2008-05-09 21:11 --------- d-----w C:\Program Files\Full Tilt Poker
2008-04-29 07:06 --------- d-----w C:\Program Files\PE
2008-04-25 07:25 --------- d-----w C:\Program Files\ABC 3GP Converter
2008-04-25 07:07 --------- d-----w C:\Program Files\Azureus
2008-04-25 04:10 --------- d-----w C:\Program Files\LimeWire
2008-04-22 06:42 --------- d-----w C:\Program Files\WinFF
2008-04-22 06:38 --------- d-----w C:\Program Files\Video mp3 Extractor
2008-04-22 04:03 --------- d-----w C:\Program Files\Red Kawa
2008-04-20 19:45 --------- d-----w C:\Program Files\mIRC
2008-04-07 04:11 --------- d-----w C:\Program Files\iTunes
2008-04-07 04:10 --------- d-----w C:\Program Files\iPod
2008-04-07 04:08 --------- d-----w C:\Program Files\QuickTime
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-06-09 23:07 47,360 ----a-w C:\Documents and Settings\G\Application Data\pcouffin.sys
2004-11-29 08:55 1,259 ----a-w C:\Program Files\INSTALL.LOG
2004-07-02 16:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 03:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 17:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 17:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 16:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 16:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
1998-02-10 23:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-06-06_ 2.06.38.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-06 05:55:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 16:59:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"DeadAIM"="C:\PROGRA~1\AIM\\DeadAIM.ocm" [2004-02-28 12:12 144896]
"VTTimer"="VTTimer.exe" [2003-05-07 17:32 36864 C:\WINDOWS\system32\VTTimer.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2007-09-11 11:58 200704]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 09:56 236016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-09-09 19:18:34 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 12:32:18 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"MSACM.MI-SC4"= MI-SC4.acm
"SENTINEL"= snti386.dll
"MSVideo"= CSvidcap.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
--a------ 2007-10-16 09:45 31816 C:\Program Files\Citrix\GoToMeeting\198\g2mstart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
--a------ 2006-08-30 12:46 183367 C:\Program Files\Plaxo\2.11.1.5\PlaxoHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]
C:\Program Files\Shareaza\Shareaza.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2006-10-13 18:20 20058152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
--a------ 2003-05-07 17:32 36864 C:\WINDOWS\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherWatcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsHiderPro]
--a------ 2002-08-08 11:02 4608 C:\Program Files\WHidePro\whpro.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Kazaa Lite K++\\KazaaLite.kpp"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"C:\\Program Files\\Quake III Arena\\quake3.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AutoXDCC\\AutoXDCC.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\MATLAB7\\bin\\win32\\MATLAB.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 atitray;atitray;C:\Program Files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2007-10-16 04:42]
R1 NPPTNT;NPPTNT;C:\WINDOWS\system32\npptNT.sys [2003-07-22 02:14]
R2 MAudioXponentService;M-Audio Xponent Installer;C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe [2007-09-11 11:54]
R2 SBKUPNT;SBKUPNT;C:\WINDOWS\system32\Drivers\SBKUPNT.SYS [2001-07-13 14:56]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-04-29 20:43]
R3 padenum;Enumerador de dispositivos de NTPAD;C:\WINDOWS\system32\DRIVERS\padenum.sys [2002-03-07 04:33]
S3 dwusbdnt;dwusbdnt;C:\WINDOWS\system32\DRIVERS\dwusbdnt.sys [2002-05-24 11:52]
S3 MADFU;MADFU;C:\WINDOWS\system32\DRIVERS\MADFUXP.sys [2007-09-11 11:58]
S3 MAUSBXP;Service for M-Audio Xponent (WDM);C:\WINDOWS\system32\DRIVERS\mausbxp.sys [2007-09-11 11:58]
S3 VendorJoystickEnabler;Driver para joystick paralelo de consola;C:\WINDOWS\system32\drivers\ntpad.sys [2002-07-28 22:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{362baccc-7ce4-11db-9470-00904705c0d6}]
\Shell\AutoRun\command - G:\LaunchU3.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-07 04:00:00 C:\WINDOWS\Tasks\disc 7.job"
- C:\MP3\MP3 Disc 7\Bon Jovi - Its My Life.m4a
"2005-12-08 15:45:00 C:\WINDOWS\Tasks\MWF.job"
- C:\MP3\MP3 Disc 7\Survivor--0 - Eye of the tiger.mp3
"2005-03-21 09:45:34 C:\WINDOWS\Tasks\Th.job"
- C:\MP3\disc 7.m3u
"2005-02-26 10:38:20 C:\WINDOWS\Tasks\Tu.job"
- C:\MP3\disc 7.m3u
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 13:08:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 13:20:38
ComboFix-quarantined-files.txt 2008-06-07 17:20:34
ComboFix2.txt 2008-06-06 06:07:06

Pre-Run: 8,376,659,968 bytes free
Post-Run: 8,362,848,256 bytes free

216 --- E O F --- 2008-05-18 14:01:32

hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\G\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: M-Audio Xponent Installer (MAudioXponentService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Xponent\MAUSBXPInst.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8347 bytes
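
The HijackThis logs in this thread are reviewed by eye, entry by entry. As an added example that is not part of the thread and not HijackThis's own code, the Python below parses the log's "<section> - <body>" lines into entries and runs a few defender-side review checks over a sample assembled from lines of the log above: O10 Winsock LSP files the tool could not attribute, O23 services reported with "Unknown owner", O16 DPF ActiveX controls downloaded from hosts outside an assumed trusted list (only go.microsoft.com here, an assumption for the example), and O4 Run entries that name a bare executable, which Windows locates by path search rather than from a fixed location. The regexes, the check names and the trusted-host list are assumptions made for this example; every finding is a review prompt, not a verdict.

```python
import re
from urllib.parse import urlparse

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# O4 registry Run entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder entries: "Global Startup: <shortcut> = <target>"
O4_STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O10: "Unknown file in Winsock LSP: <path>"
O10_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
# O16: "DPF: <cab name or {CLSID} (description)> - <download URL>"
O16_RE = re.compile(r"^DPF: (?P<ident>.+?) - (?P<url>\S+)$")
# O23: "Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Return the R*/F*/O* entries of a HijackThis log as {section, body} dicts."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def _is_trusted(host, trusted_hosts):
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def triage(entries, trusted_hosts=("go.microsoft.com",)):
    """Run review checks over parsed entries; each finding still needs a human look."""
    findings = {
        "unknown_lsp": [],              # O10: LSP file HijackThis could not attribute
        "unknown_owner_services": [],   # O23: service with no vendor information
        "dpf_untrusted_hosts": [],      # O16: ActiveX control served from a host not in the list
        "unqualified_run_entries": [],  # O4: bare executable name, resolved by path search
    }
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O10":
            m = O10_RE.match(body)
            if m:
                findings["unknown_lsp"].append(m.group("path"))
        elif sec == "O16":
            m = O16_RE.match(body)
            if m:
                host = (urlparse(m.group("url")).hostname or "").lower()
                if host and not _is_trusted(host, trusted_hosts):
                    findings["dpf_untrusted_hosts"].append((host, m.group("ident")))
        elif sec == "O23":
            m = O23_RE.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                findings["unknown_owner_services"].append((m.group("name"), m.group("path")))
        elif sec == "O4":
            m = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
            if m:
                tokens = m.group("cmd").split()
                exe = tokens[0].strip('"') if tokens else ""
                if exe and "\\" not in exe and "/" not in exe:
                    findings["unqualified_run_entries"].append((m.group("name"), exe))
    return findings


# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:24 PM, on 6/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.astihosted.com/demo/clients/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_7_0/controls/YBUICtrl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
--
End of file - 8347 bytes
"""

if __name__ == "__main__":
    for key, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

The checks deliberately stop at "worth a look": an unknown-owner service is usually a vendor that did not fill in the version resource, and a bare executable name in a Run key is common for driver utilities, but both are the places where a reviewer verifies the file on disk before clearing the log.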


No worries :).

Let's get rid of Combofix now that we are finished with it. Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

When shown the disclaimer, select "2".


The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

==================

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.
Uncheck "Cookies" under "Internet Explorer".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Close when finished.

====

An alternative to Ccleaner is ATF Cleaner.
Download ATF (Atribune Temp File) Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

====

Use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera, which in my opinion, is better still.

====

Use a firewall. It is an essential part of your computer's security. There is a link to a good, free firewall in my signature.

====

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

====

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

====

Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

=====

For XP users:
After something like this it is a good idea to flush the Restore Points and start fresh.
To flush the XP System Restore Points:

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Attachments th_CF_Cleanup.png 9.98 KB