
I think I've half fixed a virus/trojan. I got SpyGuard on my system, which kept reinstalling itself; Windows Explorer -> Tools didn't give Folder Options, and I got pop-ups and slow-down.

I found a file called csrssc.exe which I think was the main culprit, got rid of it using OTMoveIt, also ran HijackThis and removed some nasty stuff; Malwarebytes found the Vundo trojan, got rid of those.

All symptoms are gone, but Malwarebytes still finds 7 things, and my Avira kicks in during the scan too.

Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 5.1.2600 Service Pack 3

03/01/2009 05:07:46
mbam-log-2009-01-03 (05-07-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135032
Time elapsed: 49 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046476.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046474.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046477.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046478.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046509.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046511.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58256DB2-E610-4165-9A61-564F692C2DB3}\RP249\A0046512.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


And my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:00:05, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\lj\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\lj\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O21 - SSODL: ieModule - {F3BCF87B-D47B-4024-9195-E177EA35FC28} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {034682E9-5089-4374-893A-65E085B4C2ED} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\djbuafprvo.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5418 bytes

2 Contributors, 21 Replies, 22 Views, 8 Years Discussion Span, Last Post by SwaggeringCuban

The files found by MBA-M are in your System Restore.
The HiJackThis scan was run while the computer was in safe mode. This will not give a clear picture. It must be run in Normal Mode. Was the MBA-M run in normal or safe mode? This program is designed to be run in Normal Mode and shouldn't be run in safe mode unless instructed to do so.
Please reboot to normal mode and run HJT again.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:31:44, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MIRC\mirc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5592 bytes

The MBA-M log was from normal mode.


Malwarebytes' should not be showing in the log. The computer evidently was not rebooted properly after running it.
From the looks of the HJT log I would say, no, the computer is not clean yet.
MBA-M must be run properly in order to work properly.
Please shut down the computer. Reboot. Update MBA-M and run another full system scan with it.
Be sure that everything is checked, and click Remove Selected.
Reboot the computer.
Scan again with HJT and save the log. Then post back here with the new MBA-M log and the new HJT log.
Also please turn off that uTorrent program until the computer is deemed clean. You shouldn't be doing "extra" things until the computer is clean.
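The helper's verdict above ("not clean yet") comes from reading the HJT log by eye: an autorun launched from a Temp folder, a loopback proxy, a registry-editor lockout, non-empty AppInit_DLLs, and shell-load (O21/O22) entries with random-looking names. As an added example that is not part of this thread and not code from HijackThis or any of the helpers, the following Python script applies those same checks to HJT log lines so a reader can see which entries would be flagged and why. The sample lines are copied from the logs posted above (one benign autorun and one benign service are included as controls); the line layouts the regexes assume and the "random-looking name" heuristic are my own assumptions about HJT output, not a HijackThis feature. It only reports; it changes nothing on the machine.

```python
import re
from typing import List, Tuple

# Sample lines copied from the HijackThis logs posted in this thread (a constructed
# subset: one benign autorun and one benign service are included as controls).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\lj\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O21 - SSODL: InternetConnection - {034682E9-5089-4374-893A-65E085B4C2ED} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\djbuafprvo.dll
O22 - SharedTaskScheduler: mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - C:\WINDOWS\system32\jkse73hedfdgf.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip()

Finding = Tuple[int, str, str]  # (1-based line number, HJT section code, reason)

# Line layouts below are assumptions drawn from the logs above, not a HijackThis spec.
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SHELL_RE = re.compile(r"^(?P<kind>\w+): (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\temp\\|locals~1", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Cheap heuristic for machine-generated names: a run of five or more
    consonants, or letters and digits interleaved. Product names such as
    iPodService or avgnt pass; Jnskdfmf9eldfd and mcb7uehuj3n8weuhejsw do not."""
    stem = re.sub(r"\.[a-z]{3}$", "", name.lower())  # drop a trailing .exe/.dll
    if re.search(r"[^aeiouy\W\d]{5,}", stem):
        return True
    return bool(re.search(r"[a-z]\d[a-z]", stem) or re.search(r"\d[a-z]\d", stem))


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag the HJT entries a helper would look at first. Everything returned
    still needs a human decision; nothing is deleted or changed."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if value.startswith(("127.", "localhost")):
                findings.append((n, code, f"browser traffic routed through loopback proxy {value}; "
                                          "legitimate only if a local proxy product is installed"))
        elif code == "O4":
            am = O4_RE.match(body)
            if am is None:
                continue
            name, cmd = am.group("name"), am.group("cmd")
            if TEMP_RE.search(cmd):
                findings.append((n, code, f"autorun [{name}] starts from a Temp folder: {cmd}"))
            elif looks_random(name):
                findings.append((n, code, f"autorun [{name}] has a random-looking value name: {cmd}"))
        elif code == "O7" and re.search(r"Disable\w+=1", body):
            findings.append((n, code, f"policy restriction set: {body.rsplit(',', 1)[-1].strip()}"))
        elif code == "O20":
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append((n, code, f"AppInit_DLLs loads {', '.join(dlls)} into every user-mode process"))
        elif code in ("O21", "O22"):
            sm = SHELL_RE.match(body)
            if sm is None:
                continue
            base = sm.group("path").rsplit("\\", 1)[-1]
            tag = "random-looking" if looks_random(sm.group("name")) or looks_random(base) else "unrecognised"
            findings.append((n, code, f"shell-load entry '{sm.group('name')}' -> {base} ({tag}; runs at every logon)"))
    return findings


def is_probably_clean(log_text: str) -> bool:
    """True when none of the checks above fire: a first-pass answer to the thread's question."""
    return not triage_hjt(log_text)


if __name__ == "__main__":
    for line_no, code, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"line {line_no:>3} {code:<4} {reason}")
    print("clean" if is_probably_clean(SAMPLE_HJT_LOG) else "not clean")
```

Run against the sample it flags six of the eight lines and leaves the Avira autorun and the iPod service alone. The heuristic is deliberately loose: an unrecognised O21/O22 entry is reported even when its name looks ordinary, because those hooks are rare in legitimate software and cheap to review, while an O4 entry is only reported when it runs from Temp or carries a random-looking name, because most O4 lines are normal startup items.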


Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 5.1.2600 Service Pack 3

03/01/2009 12:58:46
mbam-log-2009-01-03 (12-58-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136371
Time elapsed: 6 hour(s), 43 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5116 bytes


You have to be patient; sometimes there is only one of us here... The last HJT log you posted is incomplete. The top part is missing; we always need to see the full log, including this part...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:31:44, on 03/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Can you run a NEW Full System scan and post that entire log for me?
Last night was a long night here.
Judy


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:46:58, on 05/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5979 bytes


Still not clean. You are going to have to do the following:
Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open windows, including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run.

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.


ComboFix 09-01-02.01 - lj 2009-01-05 2:12:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1652 [GMT 0:00]
Running from: c:\documents and settings\lj\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\inf\rundll33.exe
c:\windows\system32\MabryObj.dll
c:\windows\system32\nett12.dll
c:\windows\system32\TDSSpqxt.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))
.

2009-01-04 00:00 . 2009-01-04 00:01 <DIR> d-------- c:\program files\Internet Download Manager
2009-01-04 00:00 . 2009-01-04 00:24 <DIR> d-------- c:\documents and settings\lj\Application Data\IDM
2009-01-04 00:00 . 2009-01-05 02:16 <DIR> d-------- c:\documents and settings\lj\Application Data\DMCache
2009-01-03 21:41 . 2009-01-03 21:41 <DIR> d-------- c:\documents and settings\lj\DoctorWeb
2009-01-03 03:45 . 2005-11-09 00:26 38,400 --a------ c:\windows\system32\moveex.exe
2009-01-03 02:50 . 2009-01-03 02:55 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-03 02:25 . 2009-01-03 02:25 <DIR> d-------- C:\_OTMoveIt
2009-01-03 01:57 . 2009-01-03 01:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 01:54 . 2009-01-03 01:54 <DIR> d-------- c:\program files\CCleaner
2009-01-02 15:14 . 2009-01-05 02:12 <DIR> d-------- c:\windows\system32\inf
2009-01-02 15:14 . 2009-01-02 15:33 565 --a------ c:\windows\xccwinsys.ini
2009-01-02 15:14 . 2009-01-02 15:15 196 --a------ c:\windows\system32\xcchit32.ini
2009-01-02 15:14 . 2009-01-03 00:39 2 --a------ C:\475804924
2008-12-28 20:34 . 2008-12-28 21:42 <DIR> d-------- c:\program files\DOSBox-0.72
2008-12-28 19:37 . 2008-12-28 19:37 <DIR> d-------- c:\program files\JoWood
2008-12-23 10:52 . 2008-12-17 11:03 206,256 --a------ c:\windows\system32\idmmbc.dll
2008-12-21 06:06 . 2000-05-16 10:40 83,968 --a------ c:\windows\UnGins.exe
2008-12-21 06:05 . 2008-12-21 06:05 <DIR> d-------- c:\program files\ASCII
2008-12-21 06:05 . 2000-03-07 00:00 473,600 --a------ c:\windows\system32\Harmony.dll
2008-12-21 06:05 . 2000-03-07 00:00 237,568 --a------ c:\windows\system32\Unlha32.dll
2008-12-21 01:56 . 2008-12-21 01:57 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-21 01:56 . 2008-12-21 01:56 56 -r-hs---- c:\windows\system32\8B4B73CBA4.sys
2008-12-20 19:06 . 2008-12-20 19:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-20 17:48 . 2008-12-20 17:48 <DIR> d-------- c:\documents and settings\lj\Application Data\Malwarebytes
2008-12-20 17:47 . 2008-12-20 17:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 17:47 . 2008-12-20 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:47 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 17:47 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 02:58 . 2009-01-02 07:06 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card
2008-12-18 19:22 . 2008-12-20 15:30 <DIR> d-------- c:\program files\Google
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-17 22:31 . 2008-12-18 12:17 <DIR> d-------- c:\program files\ATI
2008-12-17 20:43 . 2008-12-17 20:43 <DIR> d-------- C:\ATI
2008-12-17 20:43 . 2008-12-01 14:35 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-16 16:39 . 2008-12-16 16:39 <DIR> d-------- c:\documents and settings\lj\RPG Maker XP
2008-12-16 16:26 . 2008-12-16 16:26 <DIR> d-------- c:\documents and settings\lj\rmkey
2008-12-14 06:01 . 2009-01-03 01:20 <DIR> d-------- c:\documents and settings\lj\China Mieville - New Crobuzon series
2008-12-12 21:58 . 2008-12-17 08:11 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card - Seventh Son - Unabridged
2008-12-12 21:02 . 2008-12-12 21:44 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card - Ender in Exile - Unb
2008-12-10 21:32 . 2008-12-14 23:44 <DIR> d-------- c:\documents and settings\lj\GadgetTrial
2008-12-10 13:57 . 2004-08-04 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\scripting
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\en
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\bits
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\l2schemas
2008-12-10 13:45 . 2008-12-10 13:45 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-05 02:16 --------- d-----w c:\documents and settings\lj\Application Data\uTorrent
2009-01-05 00:46 --------- d-----w c:\program files\MIRC
2009-01-04 13:54 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-01-03 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 02:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 02:04 --------- d-----w c:\documents and settings\lj\Application Data\ImgBurn
2008-12-28 21:03 --------- d-----w c:\program files\DAEMON Tools Pro
2008-12-20 18:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 15:17 --------- d-----w c:\program files\RegCleaner
2008-12-17 22:31 --------- d-----w c:\program files\ATI Technologies
2008-12-11 23:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 20:08 --------- d-----w c:\program files\MSXML 6.0
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-30 16:48 --------- d--h--w c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
2008-11-30 16:48 --------- d-----w c:\program files\Transparent
2008-11-30 16:48 --------- d-----w c:\documents and settings\All Users\Application Data\Transparent
2008-11-25 12:53 --------- d-----w c:\program files\iTunes
2008-11-25 12:53 --------- d-----w c:\program files\iPod
2008-11-25 12:53 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 12:52 --------- d-----w c:\program files\QuickTime
2008-11-16 22:02 --------- d-----w c:\documents and settings\lj\Application Data\DVD Flick
2008-11-10 01:28 --------- d-----w c:\program files\DVD Flick
2008-11-10 01:26 --------- d-----w c:\program files\Common Files\Nero
2008-11-10 01:18 --------- d-----w c:\program files\ImgBurn
2008-11-10 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-10 00:54 --------- d-----w c:\program files\Total Video Converter
2008-11-10 00:46 --------- d-----w c:\documents and settings\lj\Application Data\Nero
2008-11-09 19:01 --------- d-----w c:\program files\Common Files\VideoMate
2008-10-29 23:35 35,002,635 ----a-w c:\documents and settings\lj\Beyond Tv 4.6(with serial).zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-09-25 1159168]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-24 270128]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-01-04 2745776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-09-28 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=toydmj.dll ugnpwe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"vidc.tscc"= tsccvid.dll 0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ComproRemote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ComproRemote.lnk
backup=c:\windows\pss\ComproRemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ComproSchedulerDTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ComproSchedulerDTV.lnk
backup=c:\windows\pss\ComproSchedulerDTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sitecom Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sitecom Wireless Utility.lnk
backup=c:\windows\pss\Sitecom Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-28 17:09 133104 c:\documents and settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 12:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
--a------ 2008-09-29 02:45 8454144 c:\program files\Invisible Browsing\InvisibleBrowsing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 03:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]
--a------ 2008-04-11 15:17 374272 c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-08-13 18:05 2532576 c:\progra~1\Sygate\SPF\Smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-30 19:38 144792 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 23:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 10:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-27 06:20 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 05:22 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SmcService"=2 (0x2)
"SessionLauncher"=2 (0x2)
"RoxWatch10"=2 (0x2)
"RoxMediaDB10"=3 (0x3)
"RoxLiveShare10"=2 (0x2)
"Roxio Upnp Server 10"=2 (0x2)
"Roxio UPnP Renderer 10"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"IBService"=2 (0x2)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-10-06 244736]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-07-10 12288]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-10 89600]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-07-10 10752]
S3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2008-10-29 26368]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2008-10-29 1053440]
S4 IBService;IBService;c:\program files\Invisible Browsing\servers\IBService.exe [2008-09-29 45056]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S4 SessionLauncher;SessionLauncher;c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{006ab646-8d26-11dd-8c7f-000cf61d9fa5}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0205E2EC-9287-F190-D979-2B16801B1900}]
c:\windows\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-725345543-2064436218-1003.job
- c:\documents and settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-28 17:09]

2009-01-05 c:\windows\Tasks\mgjnjhuy.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-1c5c3453 - c:\windows\system32\kougjdcm.dll
MSConfigStartUp-DMXLauncher - c:\program files\Roxio\CinePlayer\DMXLauncher.exe
MSConfigStartUp-jnskdfmf9eldfd - c:\docume~1\lj\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8j34rgfght - c:\docume~1\lj\LOCALS~1\Temp\winloggn.exe
MSConfigStartUp-MSServer - c:\windows\system32\hgGyvuVL.dll
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {354E5EDE-327A-40EF-BC11-CD8176414CB6} = 212.135.1.36,195.40.1.36
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 02:15:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-725345543-2064436218-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\¬0¸0§0Ã0È0 *NULL*È0é0¤0¢0ë0]
"Order"=hex:08,00,00,00,02,00,00,00,8a,00,00,00,01,00,00,00,01,00,00,00,7e,00,\
00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,32,\
00,e8,07,00,00,8d,39,c5,04,20,00,45,37,31,36,7e,31,2e,4c,4e,4b,00,00,36,00,\
03,00,04,00,ef,be,8d,39,c5,04,8d,39,c5,04,14,00,00,00,ac,30,b8,30,a7,30,c3,\
30,c8,30,20,00,c8,30,e9,30,a4,30,a2,30,eb,30,2e,00,6c,00,6e,00,6b,00,00,00,\
1a,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1a,00,00,00,00,00,00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Completion time: 2009-01-05 2:18:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-05 02:18:03
ComboFix2.txt 2009-01-03 03:45:54

Pre-Run: 89,175,654,400 bytes free
Post-Run: 89,630,797,824 bytes free

316 --- E O F --- 2008-12-19 03:00:49

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:57, on 05/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6186 bytes
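The two logs above carry most of the indicators a helper scans for by eye: a populated AppInit_DLLs value, a proxy pointed at 127.0.0.1:8080, a service and an orphaned autostart living under the user's Temp folder, an Active Setup entry whose path has a second colon (c:\windows\system32:msnmsgr.exe, i.e. an NTFS alternate data stream on the system32 directory), the Windows firewall switched off, a scheduled task with a random-looking name that runs rundll32.exe, and hidden+system files dropped into system32. The script below is an added example for this thread, not code from ComboFix, HijackThis or any poster: it encodes those checks as regex rules and runs them over lines excerpted from the logs. The rule set and severities are my assumptions; "review" means worth a look, not proof of malware (the proxy could be a local anonymiser such as the installed Invisible Browsing, and the two hidden .sys files could be licensing files rather than droppings).

```python
"""Triage HijackThis / ComboFix log lines for common persistence indicators.

Added example for this thread; not code from ComboFix, HijackThis or any
poster. The rule set is an assumption drawn from the indicators visible in
the logs above. Severity "review" means worth a look, not proof of malware.
"""
import re

VOWELS = set("aeiou")


def looks_random(name, max_run=4):
    """Heuristic: 4+ consecutive consonants ('mgjnjhuy') rarely occur in real names."""
    run = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            if run >= max_run:
                return True
        else:
            run = 0
    return False


# Single-line rules: (rule id, severity, regex); named group 'v' is the evidence kept.
RULES = [
    # Any DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll.
    ("appinit_dll", "high",
     re.compile(r'AppInit_DLLs"?\s*[:=]\s*(?P<v>[^"\s].*)$')),
    # A proxy on loopback may be a local filter or a traffic hijack; confirm what listens there.
    ("localhost_proxy", "review",
     re.compile(r'ProxyServer\s*=\s*(?P<v>(?:127\.0\.0\.1|localhost):\d+)')),
    # Run keys, msconfig entries or services whose image lives in the user's Temp directory.
    ("temp_autostart", "high",
     re.compile(r'(?P<v>[a-z]:\\[^"]*?\\(?:locals~1|local settings)\\temp\\[^"\s\[]+)', re.I)),
    # A second colon inside a path (c:\windows\system32:foo.exe) names an NTFS alternate data stream.
    ("ads_path", "high",
     re.compile(r'(?P<v>[a-z]:\\[^:"\s]*:[^\\:"\s]+)', re.I)),
    ("firewall_off", "medium",
     re.compile(r'"EnableFirewall"\s*=\s*(?P<v>0)\b')),
    # ComboFix file list: the 9-char attribute column sits right before the path.
    ("hidden_sys32_file", "review",
     re.compile(r'\s(?P<attr>[-a-z]{9})\s+(?P<v>c:\\windows\\system32\\[^\\\s]+)$', re.I)),
]

TASK_RX = re.compile(r'\\Tasks\\(?P<name>[^\\]+)\.job$', re.I)


def triage(log_text):
    """Return a list of (rule, severity, evidence) tuples for the given log text."""
    findings = []
    pending_task = None  # .job name from the previous line, if that line was a task header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule, severity, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            # Only files flagged both hidden and system in the attribute column count.
            if rule == "hidden_sys32_file" and not {"h", "s"} <= set(m.group("attr").lower()):
                continue
            findings.append((rule, severity, m.group("v")))
        # Scheduled tasks span two lines: the .job header, then the command it runs.
        task = TASK_RX.search(line)
        if task:
            pending_task = task.group("name")
            continue
        if pending_task and "rundll32.exe" in line.lower() and looks_random(pending_task):
            findings.append(("random_task_rundll32", "high", pending_task + ".job"))
        pending_task = None
    return findings


# Constructed sample: lines excerpted from the ComboFix and HijackThis logs posted in this thread.
SAMPLE = r"""
"AppInit_DLLs"=toydmj.dll ugnpwe.dll
uInternet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
"EnableFirewall"= 0 (0x0)
S4 SessionLauncher;SessionLauncher;c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]
c:\windows\system32:msnmsgr.exe
2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-725345543-2064436218-1003.job
- c:\documents and settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-28 17:09]
2009-01-05 c:\windows\Tasks\mgjnjhuy.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]
MSConfigStartUp-jnskdfmf9eldfd - c:\docume~1\lj\LOCALS~1\Temp\csrssc.exe
2008-12-21 01:56 . 2008-12-21 01:57 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-21 06:05 . 2000-03-07 00:00 473,600 --a------ c:\windows\system32\Harmony.dll
"""

if __name__ == "__main__":
    for rule, severity, evidence in triage(SAMPLE):
        print(f"[{severity:6}] {rule:22} {evidence}")
```

Run it as-is and it reports nine findings from the sample; the Avira Run entry, the Google Update task and Harmony.dll (a normal attribute string) pass clean. The consonant-run heuristic is deliberately crude: it catches names like mgjnjhuy but will not catch a random name built from vowels, so treat a miss as "not flagged", never as "clean".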

0

Make sure the combofix.exe you downloaded is on your Desktop, but do not run it yet!
If it is not on your Desktop, the below will not work.
· Open Notepad and copy/paste the text in the quote box below into it.

KillAll::

File::

c:\windows\system32\inf
c:\windows\xccwinsys.ini
c:\windows\system32\xcchit32.ini
C:\475804924
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\8B4B73CBA4.sys
c:\windows\Tasks\mgjnjhuy.job

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=toydmj.dll ugnpwe.dll

· Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
· At this point, you MUST EXIT ALL BROWSERS NOW before continuing.
· You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
· Now use your mouse to drag CFscript.txt on top of ComboFix.exe
· Follow the prompts.
· When it finishes, a log will be produced named c:\combofix.txt
· Please post back here with that log and also a new HJT scan.

0

CFScript should read this way. Ignore my last post.

KillAll::

File::

c:\windows\system32\inf
c:\windows\xccwinsys.ini
c:\windows\system32\xcchit32.ini
C:\475804924
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\8B4B73CBA4.sys
c:\windows\Tasks\mgjnjhuy.job

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

0

Sorry was at work.

This is my ComboFix log. I disabled my antivirus rather than killing the process completely (which requires a reboot); hope this is sufficient. ComboFix didn't prompt me with a warning as it does when it is enabled anyway.

ComboFix 09-01-05.05 - lj 2009-01-06 19:30:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1557 [GMT 0:00]
Running from: c:\documents and settings\lj\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\lj\Desktop\CFscript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\475804924
c:\windows\system32\8B4B73CBA4.sys
c:\windows\system32\inf
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\xcchit32.ini
c:\windows\Tasks\mgjnjhuy.job
c:\windows\xccwinsys.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\475804924
c:\windows\system32\8B4B73CBA4.sys
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\xcchit32.ini
c:\windows\Tasks\mgjnjhuy.job
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-04 00:00 . 2009-01-04 00:01 <DIR> d-------- c:\program files\Internet Download Manager
2009-01-04 00:00 . 2009-01-04 00:24 <DIR> d-------- c:\documents and settings\lj\Application Data\IDM
2009-01-04 00:00 . 2009-01-05 02:16 <DIR> d-------- c:\documents and settings\lj\Application Data\DMCache
2009-01-03 21:41 . 2009-01-03 21:41 <DIR> d-------- c:\documents and settings\lj\DoctorWeb
2009-01-03 03:45 . 2005-11-09 00:26 38,400 --a------ c:\windows\system32\moveex.exe
2009-01-03 02:50 . 2009-01-03 02:55 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-03 02:25 . 2009-01-03 02:25 <DIR> d-------- C:\_OTMoveIt
2009-01-03 01:57 . 2009-01-03 01:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 01:54 . 2009-01-03 01:54 <DIR> d-------- c:\program files\CCleaner
2009-01-02 15:14 . 2009-01-05 02:12 <DIR> d-------- c:\windows\system32\inf
2009-01-02 15:14 . 2009-01-02 15:33 565 --a------ c:\windows\xccwinsys.ini
2009-01-02 15:14 . 2009-01-02 15:15 196 --a------ c:\windows\system32\xcchit32.ini
2009-01-02 15:14 . 2009-01-03 00:39 2 --a------ C:\475804924
2008-12-28 20:34 . 2008-12-28 21:42 <DIR> d-------- c:\program files\DOSBox-0.72
2008-12-28 19:37 . 2008-12-28 19:37 <DIR> d-------- c:\program files\JoWood
2008-12-23 10:52 . 2008-12-17 11:03 206,256 --a------ c:\windows\system32\idmmbc.dll
2008-12-21 06:06 . 2000-05-16 10:40 83,968 --a------ c:\windows\UnGins.exe
2008-12-21 06:05 . 2008-12-21 06:05 <DIR> d-------- c:\program files\ASCII
2008-12-21 06:05 . 2000-03-07 00:00 473,600 --a------ c:\windows\system32\Harmony.dll
2008-12-21 06:05 . 2000-03-07 00:00 237,568 --a------ c:\windows\system32\Unlha32.dll
2008-12-21 01:56 . 2008-12-21 01:57 848 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-21 01:56 . 2008-12-21 01:56 56 -r-hs---- c:\windows\system32\8B4B73CBA4.sys
2008-12-20 19:06 . 2008-12-20 19:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-20 17:48 . 2008-12-20 17:48 <DIR> d-------- c:\documents and settings\lj\Application Data\Malwarebytes
2008-12-20 17:47 . 2008-12-20 17:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-20 17:47 . 2008-12-20 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:47 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 17:47 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 02:58 . 2009-01-02 07:06 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card
2008-12-18 19:22 . 2008-12-20 15:30 <DIR> d-------- c:\program files\Google
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-17 22:31 . 2008-12-18 12:17 <DIR> d-------- c:\program files\ATI
2008-12-17 20:43 . 2008-12-17 20:43 <DIR> d-------- C:\ATI
2008-12-17 20:43 . 2008-12-01 14:35 593,920 --a------ c:\windows\system32\ati2sgag.exe
2008-12-16 16:39 . 2008-12-16 16:39 <DIR> d-------- c:\documents and settings\lj\RPG Maker XP
2008-12-16 16:26 . 2008-12-16 16:26 <DIR> d-------- c:\documents and settings\lj\rmkey
2008-12-14 06:01 . 2009-01-03 01:20 <DIR> d-------- c:\documents and settings\lj\China Mieville - New Crobuzon series
2008-12-12 21:58 . 2008-12-17 08:11 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card - Seventh Son - Unabridged
2008-12-12 21:02 . 2008-12-12 21:44 <DIR> d-------- c:\documents and settings\lj\Orson Scott Card - Ender in Exile - Unb
2008-12-10 21:32 . 2008-12-14 23:44 <DIR> d-------- c:\documents and settings\lj\GadgetTrial
2008-12-10 13:57 . 2004-08-04 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\scripting
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\en
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\system32\bits
2008-12-10 13:47 . 2008-12-10 13:47 <DIR> d-------- c:\windows\l2schemas
2008-12-10 13:45 . 2008-12-10 13:45 <DIR> d-------- c:\windows\ServicePackFiles


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 19:35 --------- d-----w c:\documents and settings\lj\Application Data\uTorrent
2009-01-05 22:22 --------- d-----w c:\program files\MIRC
2009-01-05 14:54 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
2009-01-03 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 02:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-03 02:04 --------- d-----w c:\documents and settings\lj\Application Data\ImgBurn
2008-12-28 21:03 --------- d-----w c:\program files\DAEMON Tools Pro
2008-12-20 18:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-20 15:17 --------- d-----w c:\program files\RegCleaner
2008-12-17 22:31 --------- d-----w c:\program files\ATI Technologies
2008-12-11 23:53 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 20:08 --------- d-----w c:\program files\MSXML 6.0
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-30 16:48 --------- d--h--w c:\documents and settings\All Users\Application Data\{AFD61B9C-946C-4129-B53C-E1C5D51A536D}
2008-11-30 16:48 --------- d-----w c:\program files\Transparent
2008-11-30 16:48 --------- d-----w c:\documents and settings\All Users\Application Data\Transparent
2008-11-25 12:53 --------- d-----w c:\program files\iTunes
2008-11-25 12:53 --------- d-----w c:\program files\iPod
2008-11-25 12:53 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-25 12:52 --------- d-----w c:\program files\QuickTime
2008-11-16 22:02 --------- d-----w c:\documents and settings\lj\Application Data\DVD Flick
2008-11-10 01:28 --------- d-----w c:\program files\DVD Flick
2008-11-10 01:26 --------- d-----w c:\program files\Common Files\Nero
2008-11-10 01:18 --------- d-----w c:\program files\ImgBurn
2008-11-10 01:17 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-10 00:54 --------- d-----w c:\program files\Total Video Converter
2008-11-10 00:46 --------- d-----w c:\documents and settings\lj\Application Data\Nero
2008-11-09 19:01 --------- d-----w c:\program files\Common Files\VideoMate
2008-10-29 23:35 35,002,635 ----a-w c:\documents and settings\lj\Beyond Tv 4.6(with serial).zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2008-09-25 1159168]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-11-24 270128]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-01-04 2745776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-09-28 266497]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=toydmj.dll ugnpwe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"vidc.tscc"= tsccvid.dll 0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0autocheck lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ComproRemote.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ComproRemote.lnk
backup=c:\windows\pss\ComproRemote.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ComproSchedulerDTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ComproSchedulerDTV.lnk
backup=c:\windows\pss\ComproSchedulerDTV.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sitecom Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sitecom Wireless Utility.lnk
backup=c:\windows\pss\Sitecom Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-28 17:09 133104 c:\documents and settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 12:00 208952 c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleBrowsing]
--a------ 2008-09-29 02:45 8454144 c:\program files\Invisible Browsing\InvisibleBrowsing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 03:40 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mount.exe]
--a------ 2008-04-11 15:17 374272 c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 12:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmcService]
--a------ 2004-08-13 18:05 2532576 c:\progra~1\Sygate\SPF\Smc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-09-30 19:38 144792 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-09-26 18:14 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-03 23:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 10:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-09-27 06:20 16844800 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2007-08-03 05:22 1826816 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"SmcService"=2 (0x2)
"SessionLauncher"=2 (0x2)
"RoxWatch10"=2 (0x2)
"RoxMediaDB10"=3 (0x3)
"RoxLiveShare10"=2 (0x2)
"Roxio Upnp Server 10"=2 (0x2)
"Roxio UPnP Renderer 10"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"IBService"=2 (0x2)
"Diskeeper"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-10-06 244736]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-07-10 12288]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-10 89600]
R3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\Video3D32.sys [2008-07-10 10752]
S3 PhTVTune;Philips WDM TVTuner;c:\windows\system32\drivers\PhTVTune.sys [2008-10-29 26368]
S3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [2008-10-29 1053440]
S4 IBService;IBService;c:\program files\Invisible Browsing\servers\IBService.exe [2008-09-29 45056]
S4 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe" --> c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [?]
S4 SessionLauncher;SessionLauncher;c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe --> c:\docume~1\lj\LOCALS~1\Temp\DX9\SessionLauncher.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{006ab646-8d26-11dd-8c7f-000cf61d9fa5}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{0205E2EC-9287-F190-D979-2B16801B1900}]
c:\windows\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-725345543-2064436218-1003.job
- c:\documents and settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-28 17:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = about:blank
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {354E5EDE-327A-40EF-BC11-CD8176414CB6} = 212.135.1.36,195.40.1.36
TCP: {EB6308B2-42CA-4A6B-9ADE-6637804D270C} = 212.135.1.36,195.40.1.36
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 19:35:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-725345543-2064436218-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\KumasanTeam\ガジェット トライアル]
"Order"=hex:08,00,00,00,02,00,00,00,8a,00,00,00,01,00,00,00,01,00,00,00,7e,00,\
00,00,00,00,00,00,70,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,5e,00,32,\
00,e8,07,00,00,8d,39,c5,04,20,00,45,37,31,36,7e,31,2e,4c,4e,4b,00,00,36,00,\
03,00,04,00,ef,be,8d,39,c5,04,8d,39,c5,04,14,00,00,00,ac,30,b8,30,a7,30,c3,\
30,c8,30,20,00,c8,30,e9,30,a4,30,a2,30,eb,30,2e,00,6c,00,6e,00,6b,00,00,00,\
1a,00,0e,00,00,00,0a,00,ef,be,00,00,00,00,1a,00,00,00,00,00,00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-06 19:36:57 - machine was rebooted [lj]
ComboFix-quarantined-files.txt 2009-01-06 19:36:55
ComboFix2.txt 2009-01-05 02:27:21
ComboFix3.txt 2009-01-03 03:45:54

Pre-Run: 84,397,367,296 bytes free
Post-Run: 84,401,287,168 bytes free

320 --- E O F --- 2008-12-19 03:00:49


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:37:45, on 06/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB6308B2-42CA-4A6B-9ADE-6637804D270C}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6302 bytes


Run HiJackThis again.
Place a check mark next to the following entries:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot.
Then run HJT again and post the log here.
Judy
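
What the two entries Judy singles out mean, and a way to triage a HijackThis log for them before clicking Fix checked. AppInit_DLLs (under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows) names DLLs that user32.dll loads into every process linking user32, and on XP the value is honoured whenever it is non-empty, which is why a Vundo DLL listed there turns up in every process and keeps coming back. Clearing the value in HijackThis stops the DLLs loading at the next logon; the DLL files themselves still have to be removed separately. The Python script below is an added example written for this page, not code from the thread, from HijackThis or from ComboFix. It parses lines in the HijackThis v2.0.2 format shown in the logs above, reports a non-empty O20 AppInit_DLLs as the line to fix, and marks a localhost proxy (R1), a Run entry launching from a user-writable folder (O4) and the O17 DNS servers for review. The severities are this editor's own heuristics, and the sample log is constructed for the example (modelled on the thread's log, with one invented Temp autorun line to exercise the path check).

```python
"""Triage a HijackThis v2.0.2 log for common persistence points.

Added example for this page; not code from the thread, HijackThis or ComboFix.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity code detail line")

# Constructed sample in HijackThis line format, modelled on the thread's log.
# The 'updater' O4 line is invented to exercise the user-writable-path check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\lj\Local Settings\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O20 - AppInit_DLLs: toydmj.dll ugnpwe.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Every HijackThis item looks like "<code> - <body>", e.g. "O20 - AppInit_DLLs: ..."
ITEM_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")

# Autorun targets under these folders are writable by the user; droppers favour them.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

SEVERITY_ORDER = {"HIGH": 0, "REVIEW": 1, "LOW": 2, "INFO": 3}


def parse_hjt(text):
    """Yield (code, body, line) for each item line; headers and process lists are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def appinit_dlls(text):
    """Return the DLL names listed in the O20 AppInit_DLLs entry ([] if none)."""
    for code, body, _ in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            return body.split(":", 1)[1].split()
    return []


def run_target(body):
    """Extract the executable path from an O4 body such as 'HKCU\\..\\Run: [name] "path" args'."""
    m = re.search(r"\]\s*(.*)$", body)
    if not m:
        return ""
    rest = m.group(1).strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces: take everything up to the first ".exe".
    m = re.match(r"(.*?\.exe)", rest, re.IGNORECASE)
    return m.group(1) if m else rest.split()[0]


def triage(text):
    """Return Findings for the entries worth acting on, highest severity first."""
    findings = []
    for code, body, line in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding("HIGH", code,
                    "AppInit_DLLs injects into every user32 process: " + ", ".join(dlls), line))
        elif code == "R1" and ",ProxyServer = " in body:
            proxy = body.split(" = ", 1)[1].strip()
            if proxy.startswith(("127.", "localhost")):
                findings.append(Finding("REVIEW", code,
                    "IE proxies through " + proxy + "; confirm which installed program listens there", line))
        elif code == "R0" and body.endswith("= about:blank"):
            findings.append(Finding("LOW", code, "start page is about:blank; reset to a known page", line))
        elif code == "O4":
            target = run_target(body).lower()
            if any(marker in target for marker in USER_WRITABLE):
                findings.append(Finding("REVIEW", code, "autorun from a user-writable folder: " + target, line))
        elif code == "O17" and "NameServer = " in body:
            servers = body.split("NameServer = ", 1)[1]
            findings.append(Finding("INFO", code, "DNS servers " + servers + "; verify they are your ISP's", line))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def fix_list(text):
    """The exact log lines to tick in HijackThis before 'Fix checked' (HIGH findings only)."""
    return [f.line for f in triage(text) if f.severity == "HIGH"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.code:<4} {f.detail}")
    print("\nTick these in HijackThis:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
```

Running the file prints the findings in severity order and then the exact lines to tick. The 127.0.0.1:8080 proxy is reported for review rather than as a fix because a legitimately installed local proxy program sets the same value; check which process owns the port before clearing it.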


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:12:08, on 07/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\lj\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://k133-205.mgmt.purdue.edu/activex/AxisCamControl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{354E5EDE-327A-40EF-BC11-CD8176414CB6}: NameServer = 212.135.1.36,195.40.1.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB6308B2-42CA-4A6B-9ADE-6637804D270C}: NameServer = 212.135.1.36,195.40.1.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6382 bytes


You should remove HiJackThis; you don't need it any more.
And you must uninstall ComboFix, as it cannot be used again either.

* Click START then RUN
* Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
When shown the disclaimer, Select "2"


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark out so that System Restore will turn back on.
If all seems well after that you can mark this thread closed.
Judy
