# Need help please(I may have a virus/adware)



## MBGraphics

Hey there everybody, just recently I have noticed my computer getting a little slower, so I did a sweep with Spy Sweeper. It caught 32 items overall, one of them being "Adware". So I quarantined everything, restarted, then went back in and deleted it all, then restarted again. This did absolutely nothing; I was still lagging a LOT, and it was only getting worse. I was getting a few pop-ups but not many. Now there are maybe 1-2 pop-ups (nothing I'm THAT worried about).

My main concern is that now my internet is COMPLETELY down; it won't let me access any websites or anything. I know it's not an internet problem because my dad's computer gets his internet through a router and my computer has the main line, so if I have no internet, he has no internet (but he has internet right now, and I don't, so I know it's something that's messing with my computer).

The strange thing is everything else seems to be running pretty normally. Start-ups are horrible though; I had to force shut down (hold the power button) about 8-10 times today before it finally let me fully boot.

Right now I'm running in "Safe Mode with Networking" and the internet works just fine (a bit slow and jumpy, but I think that's due to safe mode).


Does anybody have any ideas of what's going on or how to fix it?
I can get a HijackThis log if needed.

Thanks in advance!
-Mike


----------



## cohen

Please post a HijackThis log, and it might be worth downloading, installing and running Malwarebytes; if you do, can you please post that log.

thanks


----------



## MBGraphics

Ok, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:37 PM, on 9/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.freewebs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [{88263159-d7ea-a00a-302d-778d20c39157}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\dcftwsccwjivny.dll" DllStub
O4 - HKLM\..\Run: [BMc3f18164] "Rundll32.exe" "C:\WINDOWS\system32\nfxbdohd.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [c0c2b2f8] rundll32.exe "C:\WINDOWS\system32\efcBtSkI.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136011116468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: xwvexa.dll gxnotq.dll dfhnhc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 10034 bytes


----------



## Respital

You might want to clean up your start-up entries as there are a lot. Otherwise I suggest taking a deeper look.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## cohen

Respital said:


> You might want to clean up your start-up entries as there are a lot. Otherwise I suggest taking a deeper look.
> 
> *Download and Run ComboFix*
> *If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*
> 
> *Download this file* from one of the three below listed places :
> 
> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
> http://www.forospyware.com/sUBs/ComboFix.exe
> http://subs.geekstogo.com/ComboFix.exe
> 
> Then double click *combofix.exe* & follow the prompts.
> When finished, it shall produce *a log* for you. *Post that log* in your next reply.
> *Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*
> 
> Combofix should never take more than 20 minutes including the reboot if malware is detected.
> If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
> If that happened we want to know, and also what process you had to end.



Yes, do this; post the ComboFix log and a fresh HijackThis log.

Also for the next HijackThis log, can you please do it in the full mode.

Thanks,


----------



## MBGraphics

Well, I just tried doing this, and it's not letting me get to any of those websites while in "Safe Mode with Networking", and whatever is infecting my computer has gotten bad enough to the point where it's literally impossible to boot normally. Every time it will do one of a few things: freeze on the welcome screen so I have to re-boot, freeze after logging in so I have to re-boot, or go to a blue screen.

Any other ideas?


----------



## cohen

Google search and download Malwarebytes Anti-Malware, run it and post the log of that, if it works, and then we can go from there.


----------



## TFT

Locate this one; it's a Trojan downloader. Delete it:
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

Valid svchost files only reside in the system32 folder. I don't know enough about how to clean your system, but deleting that file may give you a start.
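The check TFT describes (an svchost.exe that lives anywhere but System32 is suspect) can be applied mechanically to a HijackThis log, along with the other autostart patterns visible in the log above: Run entries that launch a DLL through rundll32, hard-coded DNS servers in the O17 lines, and a non-empty AppInit_DLLs list (O20). The script below is an added example written for this thread, not a tool from HijackThis, Webroot or anyone in the discussion; the sample lines it scans are constructed in the style of the posted log, and it only reports entries for a human to review rather than deleting anything.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample in HijackThis format, modelled on the entry types seen in
# this thread (not the full posted log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [c0c2b2f8] rundll32.exe "C:\WINDOWS\system32\efcBtSkI.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: xwvexa.dll gxnotq.dll dfhnhc.dll
"""

# O4 Run entries: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


def first_token(cmd: str) -> Tuple[str, str]:
    """Split a Run-value command line into (program, remainder).

    Handles both quoted ("C:\\Program Files\\x.exe" /arg) and unquoted forms.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            prog, rest = first_token(m.group("cmd"))
            base = ntpath.basename(prog).lower()
            folder = ntpath.dirname(prog).lower()
            # TFT's rule: the real svchost.exe only lives in <windir>\system32.
            if base == "svchost.exe" and not folder.endswith(r"\system32"):
                findings.append(("svchost outside System32", line))
            # A Run value whose "program" is rundll32 exists only to load a DLL;
            # the DLL, not rundll32, is what needs to be identified.
            elif base in ("rundll32.exe", "rundll32"):
                dll, _ = first_token(rest)
                dll = dll.split(",")[0]
                findings.append(
                    (f"rundll32 loads {ntpath.basename(dll)}; verify its publisher", line)
                )
            continue
        # O17: DNS servers written straight into the TCP/IP registry keys.
        # On a DHCP-configured home machine this should normally be empty.
        if line.startswith("O17 - ") and "NameServer" in line:
            findings.append(("hard-coded DNS servers in registry", line))
        # O20: every DLL listed in AppInit_DLLs is injected into each
        # user-mode process that loads user32.dll; the default is empty.
        elif line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].split()
            if dlls:
                findings.append(
                    (f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process", line)
                )
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run against a real log, the script narrows a 100-line HijackThis dump to the handful of entries worth researching; the benign `ctfmon.exe` and Spy Sweeper lines in the sample pass through untouched, while the four entries matching the patterns from this thread are reported.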


----------



## MBGraphics

Cohen, I just did a search and I'm not finding one like that; the title says that's what it is, but it tries to make me DL something like AVG, Advance Anti Virus and some others. I'm not finding any that are actually called Malwarebytes Anti-Malware.

TFT, I just went into HijackThis, checked that and hit "fix selected", so that should be fixed now.

Any other ideas?


----------



## cohen

Download and run this - http://www.malwarebytes.org/


----------



## MBGraphics

It won't let me follow the link.


----------



## cohen

MBGraphics said:


> It won't let me follow the link.



Can you download it on another computer, put it onto a USB stick, install it from there and then go like that?


----------



## MBGraphics

I will try that. Be back soon with an update.


----------



## MBGraphics

Ok, here is the ComboFix log:

ComboFix 08-09-20.05 - chevy 2008-09-20 18:00:08.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2385 [GMT -7:00]
Running from: G:\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\chevy\LOCALS~1\Temp\spwA.tmp
C:\Documents and Settings\chevy\Cookies\chevy@ad.yieldmanager[1].txt
C:\Documents and Settings\chevy\Cookies\chevy@trafficmp[1].txt
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMc3f18164.txt
C:\WINDOWS\BMc3f18164.xml
C:\WINDOWS\Fonts\'
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Crack.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\_003284_.tmp.dll
C:\WINDOWS\system32\_003285_.tmp.dll
C:\WINDOWS\system32\_003286_.tmp.dll
C:\WINDOWS\system32\_003287_.tmp.dll
C:\WINDOWS\system32\_003292_.tmp.dll
C:\WINDOWS\system32\_003293_.tmp.dll
C:\WINDOWS\system32\_003294_.tmp.dll
C:\WINDOWS\system32\_003295_.tmp.dll
C:\WINDOWS\system32\_003296_.tmp.dll
C:\WINDOWS\system32\_003297_.tmp.dll
C:\WINDOWS\system32\_003298_.tmp.dll
C:\WINDOWS\system32\_003299_.tmp.dll
C:\WINDOWS\system32\_003300_.tmp.dll
C:\WINDOWS\system32\_003301_.tmp.dll
C:\WINDOWS\system32\_003303_.tmp.dll
C:\WINDOWS\system32\_003304_.tmp.dll
C:\WINDOWS\system32\_003306_.tmp.dll
C:\WINDOWS\system32\_003307_.tmp.dll
C:\WINDOWS\system32\_003308_.tmp.dll
C:\WINDOWS\system32\_003310_.tmp.dll
C:\WINDOWS\system32\_003313_.tmp.dll
C:\WINDOWS\system32\_003314_.tmp.dll
C:\WINDOWS\system32\_003316_.tmp.dll
C:\WINDOWS\system32\_003317_.tmp.dll
C:\WINDOWS\system32\_003318_.tmp.dll
C:\WINDOWS\system32\_003319_.tmp.dll
C:\WINDOWS\system32\_003320_.tmp.dll
C:\WINDOWS\system32\_003321_.tmp.dll
C:\WINDOWS\system32\_003323_.tmp.dll
C:\WINDOWS\system32\_003324_.tmp.dll
C:\WINDOWS\system32\_003325_.tmp.dll
C:\WINDOWS\system32\_003326_.tmp.dll
C:\WINDOWS\system32\_003327_.tmp.dll
C:\WINDOWS\system32\_003328_.tmp.dll
C:\WINDOWS\system32\_003329_.tmp.dll
C:\WINDOWS\system32\_003330_.tmp.dll
C:\WINDOWS\system32\_003333_.tmp.dll
C:\WINDOWS\system32\_003334_.tmp.dll
C:\WINDOWS\system32\_003335_.tmp.dll
C:\WINDOWS\system32\_003336_.tmp.dll
C:\WINDOWS\system32\_003337_.tmp.dll
C:\WINDOWS\system32\_003338_.tmp.dll
C:\WINDOWS\system32\_003339_.tmp.dll
C:\WINDOWS\system32\_003341_.tmp.dll
C:\WINDOWS\system32\_003342_.tmp.dll
C:\WINDOWS\system32\_003343_.tmp.dll
C:\WINDOWS\system32\_003344_.tmp.dll
C:\WINDOWS\system32\_003345_.tmp.dll
C:\WINDOWS\system32\_003346_.tmp.dll
C:\WINDOWS\system32\_003348_.tmp.dll
C:\WINDOWS\system32\_003351_.tmp.dll
C:\WINDOWS\system32\_003352_.tmp.dll
C:\WINDOWS\system32\_003356_.tmp.dll
C:\WINDOWS\system32\_003357_.tmp.dll
C:\WINDOWS\system32\_003359_.tmp.dll
C:\WINDOWS\system32\_003362_.tmp.dll
C:\WINDOWS\system32\_003364_.tmp.dll
C:\WINDOWS\system32\_003365_.tmp.dll
C:\WINDOWS\system32\_003366_.tmp.dll
C:\WINDOWS\system32\_003367_.tmp.dll
C:\WINDOWS\system32\_003370_.tmp.dll
C:\WINDOWS\system32\_003371_.tmp.dll
C:\WINDOWS\system32\_003372_.tmp.dll
C:\WINDOWS\system32\_003373_.tmp.dll
C:\WINDOWS\system32\_003374_.tmp.dll
C:\WINDOWS\system32\_003379_.tmp.dll
C:\WINDOWS\system32\_003381_.tmp.dll
C:\WINDOWS\system32\_003382_.tmp.dll
C:\WINDOWS\system32\bhlhbjde.dll
C:\WINDOWS\SYSTEM32\BIRsAJlm.ini
C:\WINDOWS\system32\bmimlplj.dll
C:\WINDOWS\system32\bvtivuaf.dll
C:\WINDOWS\system32\byXnKcBu.dll
C:\WINDOWS\system32\byXPHaWp.dll
C:\WINDOWS\system32\cbXQheEv.dll
C:\WINDOWS\system32\cbXQhGvw.dll
C:\WINDOWS\system32\cgvadhej.dll
C:\WINDOWS\system32\dfhnhc.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\efcBtSkI.dll
C:\WINDOWS\system32\efcYOifF.dll
C:\WINDOWS\system32\fcccyVlL.dll
C:\WINDOWS\system32\fccdaaBU.dll
C:\WINDOWS\system32\fogximhf.dll
C:\WINDOWS\system32\frjjdake.dll
C:\WINDOWS\system32\guknksmh.dll
C:\WINDOWS\system32\gxnotq.dll
C:\WINDOWS\system32\haemdi.dll
C:\WINDOWS\system32\IkStBcfe.ini
C:\WINDOWS\system32\jkkklKDS.dll
C:\WINDOWS\system32\jkkLETNf.dll
C:\WINDOWS\system32\khfFXooN.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJYPhee.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\MSrrqtwa.ini
C:\WINDOWS\system32\nnnmnLfd.dll
C:\WINDOWS\system32\otsdyhpk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmlkiG.dll
C:\WINDOWS\system32\qaugjc.dll
C:\WINDOWS\system32\rqRJArPh.dll
C:\WINDOWS\system32\rqRKCvTJ.dll
C:\WINDOWS\system32\SDKlkkkj.ini
C:\WINDOWS\SYSTEM32\SDKlkkkj.ini2
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\ttgbjl(2).dll
C:\WINDOWS\system32\twddnsre.dll
C:\WINDOWS\SYSTEM32\uBcKnXyb.ini
C:\WINDOWS\SYSTEM32\uBcKnXyb.ini2
C:\WINDOWS\system32\vtUoPgda.dll
C:\WINDOWS\SYSTEM32\WEKTCJlm.ini
C:\WINDOWS\system32\xwvexa.dll
C:\WINDOWS\system32\yayvTmmL.dll

.
(((((((((((((((((((((((((   Files Created from 2008-08-21 to 2008-09-21  )))))))))))))))))))))))))))))))
.

2008-09-20 16:44 . 2008-09-20 16:44	<DIR>	d--------	C:\Program Files\Antivirus Protection
2008-09-20 15:03 . 2008-09-20 15:03	65	--a------	C:\WINDOWS\SYSTEM32\c0c2a076
2008-09-20 14:43 . 2008-09-20 14:43	355	--a------	C:\955.bat
2008-09-20 13:13 . 2008-09-20 13:13	71	--a------	C:\Documents and Settings\chevy\1359.bat
2008-09-20 12:35 . 2008-09-20 12:35	71	--a------	C:\Documents and Settings\chevy\4742.bat
2008-09-20 12:26 . 2008-09-20 12:26	355	--a------	C:\421.bat
2008-09-19 16:57 . 2008-09-19 16:57	71	--a------	C:\Documents and Settings\chevy\3480.bat
2008-09-19 16:01 . 2008-09-19 16:01	34,816	--a------	C:\WINDOWS\SYSTEM32\tuvWmJdb.dll
2008-09-19 16:01 . 2008-09-19 16:01	355	--a------	C:\356.bat
2008-09-17 19:49 . 2008-09-17 19:49	1,001,023	--ahs----	C:\WINDOWS\SYSTEM32\WEKTCJlm.tmp
2008-09-17 19:02 . 2008-09-17 19:02	(2)	-rahs-ot-	C:\WINDOWS\winstart.bat
2008-09-17 19:00 . 2008-09-17 19:49	<DIR>	d--------	C:\Program Files\UnHackMe
2008-09-17 16:37 . 2008-09-17 16:37	121	--ahs----	C:\WINDOWS\SYSTEM32\BIRsAJlm.tmp
2008-09-17 16:02 . 2008-09-17 16:02	147,456	--a------	C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-09-17 15:59 . 2008-09-17 18:23	<DIR>	d--hs----	C:\WINDOWS\Y2hldnk
2008-09-17 15:59 . 2008-09-17 15:59	71,711	--a------	C:\WINDOWS\SYSTEM32\eiytiugwtrfxaxske.exe
2008-09-17 15:58 . 2008-09-17 18:20	<DIR>	d--------	C:\WINDOWS\SYSTEM32\wp
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\WINDOWS\SYSTEM32\RES
2008-09-17 15:58 . 2008-09-17 18:21	<DIR>	d--------	C:\WINDOWS\SYSTEM32\np5
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\WINDOWS\SYSTEM32\mC02
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\Temp\mtc2
2008-09-17 15:58 . 2008-09-20 18:02	<DIR>	d--------	C:\Temp
2008-09-05 17:28 . 2008-09-05 17:28	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-29 05:11 . 2008-08-29 05:11	166,400	--a------	C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
2008-08-27 14:03 . 2008-08-27 14:03	42,320	--a------	C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-08-27 13:35 . 2007-02-28 02:08	2,147,840	--a------	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-08-26 23:08 . 2008-08-26 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Fugazo
2008-08-26 23:07 . 2008-08-26 23:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\scripting
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\en
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\bits
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\l2schemas
2008-08-26 19:45 . 2004-08-10 03:00	71,040	---------	C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll
2008-08-26 19:07 . 2008-04-13 17:11	2,843,136	--a------	C:\WINDOWS\SYSTEM32\SET961.tmp
2008-08-26 18:46 . 2008-08-28 09:43	<DIR>	d--------	C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-23 19:59 . 2008-08-23 19:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Winferno

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 23:54	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-20 05:43	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Xfire
2008-09-19 03:41	---------	d-s---w	C:\Program Files\Xfire
2008-09-19 01:02	---------	d-----w	C:\Documents and Settings\chevy\Application Data\ZoomBrowser EX
2008-09-18 03:00	---------	d-----w	C:\Program Files\LimeWire
2008-09-17 22:57	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Azureus
2008-09-16 03:35	139,128	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-06 00:54	---------	d-----w	C:\Program Files\Canon
2008-09-06 00:26	---------	d-----w	C:\Program Files\Common Files\Canon
2008-08-27 21:12	---------	d-----w	C:\Program Files\Ascentive
2008-08-27 05:59	---------	d-----w	C:\Documents and Settings\chevy\Application Data\gtk-2.0
2008-08-27 03:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-27 03:08	---------	d-----w	C:\Program Files\Freeze.com Toolbar
2008-08-24 03:07	---------	d-----w	C:\Program Files\Bonjour
2008-08-24 03:03	---------	d-----w	C:\Program Files\Speeditup Free
2008-08-24 03:02	---------	d-----w	C:\Program Files\MySpace
2008-08-21 05:06	---------	d-----w	C:\Program Files\Free Offers from Freeze.com
2008-08-21 05:06	---------	d-----w	C:\Program Files\AWS
2008-08-21 05:06	---------	d-----w	C:\Documents and Settings\chevy\Application Data\WeatherBug
2008-08-20 07:49	---------	d-----w	C:\Program Files\Flickr Uploadr
2008-08-20 01:02	---------	d-----w	C:\Program Files\HD Tune
2008-08-13 21:58	---------	d-----w	C:\Documents and Settings\chevy\Application Data\BearShare
2008-08-12 05:50	---------	d-----w	C:\Program Files\BearShare Applications
2008-08-12 02:23	32,778	----a-w	C:\WINDOWS\Fonts\thematrix.zip
2008-08-12 02:07	81,312	----a-w	C:\WINDOWS\Fonts\fontz_1120_miltownmatrix.zip
2008-08-11 05:03	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Flickr
2008-08-09 23:09	---------	d-----w	C:\Program Files\GIMP-2.0
2008-08-04 22:27	---------	d-----w	C:\Program Files\UltraMon
2008-08-04 22:27	---------	d-----w	C:\Program Files\Common Files\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-08-04 22:15	---------	d-----w	C:\Program Files\Common Files\Stardock
2008-07-23 08:17	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 17:58	22,328	----a-w	C:\Documents and Settings\chevy\Application Data\PnkBstrK.sys
2007-10-06 21:22	1,066,496	-csha-w	C:\Program Files\ehthumbs.db
2005-08-06 06:54	211,952	----a-w	C:\Program Files\new.sc3
2005-08-06 03:55	164,538	-c--a-w	C:\Program Files\new city.sc3
2005-07-29 22:52	56,192	----a-w	C:\Program Files\New City69.sc3
2005-07-07 23:07	251	----a-w	C:\Program Files\wt3d.ini
2003-05-27 03:08	8,964,958	----a-w	C:\Documents and Settings\chevy\SCXE26Setup.exe
2003-05-05 22:59	436,224	----a-w	C:\Documents and Settings\chevy\SCXEDirectoryFix.exe
2003-04-19 22:34	467,968	----a-w	C:\Documents and Settings\chevy\SCXEUpd.exe
.

------- Sigcheck -------

2005-03-01 17:36  2056832  d8aba3eab509627e707a3b14f00fbb6b	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 09:12  2059392  ba4b97c00a437c1cc3da365d93ee1e9d	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15  2059392  4d3dbdccbf97f5ba1e74f322b155c3ba	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-03 20:59  2015232  fb142b7007ca2eea76966c6c5cc12150	C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34  2015232  3cd941e472ddf3534e53038535719771	C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 05:55  2015744  bbb2322eb14ad9ad55b1024ffd4d88bf	C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:38  2057600  515d30e2c90a3665a2739309334c9283	C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
2008-04-13 11:31  2065792  109f8e3e3c82e337bb71b6bc9b895d61	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 01:38  2027520  54a8b9806027049f8b19f1274a63c7b4	C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2007-02-28 01:38  2015744  a58ac1c6199ef34228abee7fc057ae09	C:\WINDOWS\SYSTEM32\VITrans\ntkrnlpa.exe

2005-03-01 18:04  2179456  28187802b7c368c0d3aef7d4c382aabb	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 09:51  2182016  cef243f6defd20be4adde26c7ecacb54	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 02:55  2182144  5a5c8db4aa962c714c8371fbdf189fc9	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-03 21:18  2148352  626309040459c3915997ef98ec1c8d40	C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:57  2135552  48b3e89af7074cee0314a3e0c7faffdb	C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 07:15  2136064  8318ed54797f3e513fd5817a1d4bbd18	C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 02:10  2180352  582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
2008-04-13 12:27  2188928  0c89243c7c3ee199b96fcc16990e0679	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 02:08  2147840  5fb20cabc9a81baaabbe63f30ffc5284	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2007-02-28 02:08  2136064  1220faf071dea8653ee21de7dcda8bfd	C:\WINDOWS\SYSTEM32\VITrans\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18a44c72-d267-d443-1461-db8338bae54e}]
2008-08-29 05:11	166400	--a------	C:\WINDOWS\system32\dcftwsccwjivny.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-04 187496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"{88263159-d7ea-a00a-302d-778d20c39157}"="C:\WINDOWS\system32\dcftwsccwjivny.dll" [2008-08-29 166400]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 5361464]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

C:\Documents and Settings\chevy\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe [2006-12-14 214520]
PowerReg Scheduler V3.exe [2005-08-09 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2008-08-04 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xwvexa.dll gxnotq.dll dfhnhc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=C:\WINDOWS\pss\ImageMixer for HDD Camcorder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 03:00 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 14:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\EHOME\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 17:24 50760 C:\Program Files\Common Files\AOL\1154645544\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2002-05-29 01:23 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 02:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-06-28 21:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-19 22:54 5361464 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 04:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
--a------ 2007-11-19 14:01 163840 C:\Program Files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 14:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
--a------ 2007-11-26 20:27 593920 C:\Program Files\ViStart\ViStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 20280]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S1 agp4400;agp4400;C:\WINDOWS\system32\drivers\agp4400.sys [ ]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{26D81645-7E48-45C2-B063-9CB1E02045CB} - C:\WINDOWS\system32\jkkklKDS.dll
BHO-{5667B8CF-EB62-48DD-9155-6EB5D985388B} - C:\WINDOWS\system32\byXnKcBu.dll
BHO-{7186704C-C78F-425D-80DC-17A8E83F246F} - C:\WINDOWS\system32\yayvTmmL.dll
HKLM-Run-BMc3f18164 - C:\WINDOWS\system32\nfxbdohd.dll
HKLM-Run-c0c2b2f8 - C:\WINDOWS\system32\efcBtSkI.dll
ShellExecuteHooks-{07846E47-47CE-4C7C-989A-9A8380F3BD91} - (no file)
ShellExecuteHooks-{DA2E0515-F0D5-4773-8191-400CCD50783B} - (no file)
ShellExecuteHooks-{7186704C-C78F-425D-80DC-17A8E83F246F} - C:\WINDOWS\system32\yayvTmmL.dll
Notify-dimsntfy - (no file)
MSConfigStartUp-!AVG Anti-Spyware - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-ccApp - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-MySpaceIM - C:\Program Files\MySpace\IM\MySpaceIM.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\chevy\Application Data\Mozilla\Firefox\Profiles\0l1uaqr4.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://us.f825.mail.yahoo.com/dc/launch?.rand=4euaucs69t81s
FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npampx3.0.84.2.dll
FF -: plugin - C:\Program Files\Opera\program\plugins\npdivx32.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 18:20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\EHOME\ehrecvr.exe
C:\WINDOWS\EHOME\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\WINDOWS\SYSTEM32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\EHOME\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SYSTEM32\dllhost.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINDOWS\SYSTEM32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-20 18:43:24 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-21 01:43:05
ComboFix2.txt  2008-02-14 23:15:33
ComboFix3.txt  2008-02-14 02:37:11

Pre-Run: 181,409,173,504 bytes free
Post-Run: 181,386,924,032 bytes free

449	--- E O F ---	2008-09-10 22:01:21


----------
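Added example (the editor's, not part of the thread and not code from ComboFix, HijackThis or Kaspersky): a Python triage script that applies, mechanically, the checks a log reader does by eye on the ComboFix and HijackThis output above. It decodes the `hex(2)` export of the `UIHost` value (which reads `vistaui.exe`; the machine also runs ViStart, ViOrb and Vista Sidebar, so this is plausibly the Vista-style logon UI from that shell replacement rather than malware, and should be checked against that package before removal), flags any `AppInit_DLLs` entry (those DLLs are loaded into every process that loads user32.dll), flags a Run value named with a GUID that launches a DLL export through rundll32, flags disabled Security Center monitoring and firewall, lists `(no file)` orphans, and applies a random-name heuristic (long letters-only stem, consonant run or few vowels) to DLLs sitting directly in system32, the naming pattern Kaspersky later labels Trojan.Win32.Monder. The input is a constructed set of lines copied from the logs in this thread. The heuristic will produce false positives on legitimate vendor DLLs with consonant-heavy names, which is why it is restricted to the system32 root and why every hit should still be confirmed by checking the file's signature and vendor before anything is deleted.

```python
import re

# Constructed input: lines copied from the ComboFix and HijackThis logs posted in
# this thread. The script only reads this text; it never touches a live system.
SAMPLE_LOG = r'''
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"{88263159-d7ea-a00a-302d-778d20c39157}"="C:\WINDOWS\system32\dcftwsccwjivny.dll" [2008-08-29 166400]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00
"AppInit_DLLs"=xwvexa.dll gxnotq.dll dfhnhc.dll
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
BHO-{26D81645-7E48-45C2-B063-9CB1E02045CB} - C:\WINDOWS\system32\jkkklKDS.dll
ShellExecuteHooks-{07846E47-47CE-4C7C-989A-9A8380F3BD91} - (no file)
O2 - BHO: bambanner browser enhancer - {18a44c72-d267-d443-1461-db8338bae54e} - C:\WINDOWS\system32\dcftwsccwjivny.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [{88263159-d7ea-a00a-302d-778d20c39157}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\dcftwsccwjivny.dll" DllStub
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
'''

HEX2_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(2\):(?P<bytes>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)$')
GUID = r'\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}'
# A Run value whose *name* is a GUID, in either the ComboFix or the HijackThis form.
GUID_RUN_RE = re.compile(r'(?:^"' + GUID + r'"=|Run: \[' + GUID + r'\])')
# DLLs directly in system32 (no subfolder), where Vundo/Monder drops its files.
SYS32_DLL_RE = re.compile(r'\\system32\\([A-Za-z]+)\.dll', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"=\s*0\b')


def decode_hex2(hex_bytes):
    """Decode a REG_EXPAND_SZ exported as hex(2):xx,xx,... to a string.
    regedit writes UTF-16LE; ComboFix writes one byte per character, so both are handled."""
    raw = bytes(int(b, 16) for b in hex_bytes.split(','))
    wide = len(raw) % 2 == 0 and all(raw[i] == 0 for i in range(1, len(raw), 2))
    text = raw.decode('utf-16-le') if wide else raw.decode('latin-1')
    return text.split('\x00', 1)[0]          # stop at the NUL terminator


def looks_random(stem):
    """Heuristic for machine-generated names: letters only, 6+ long, and either a
    run of 4+ consonants or fewer than 30% vowels. Expect false positives."""
    if not stem.isalpha() or len(stem) < 6:
        return False
    s = stem.lower()
    vowels = sum(c in 'aeiou' for c in s)
    longest_consonant_run = max(len(part) for part in re.split(r'[aeiou]', s))
    return longest_consonant_run >= 4 or vowels / len(s) < 0.3


def triage(log_text):
    """Return (severity, reason, line) tuples for lines that merit attention."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = HEX2_RE.match(line)
        if m:
            findings.append(('INFO', f"{m['name']} decodes to {decode_hex2(m['bytes'])!r}", line))
            continue
        if line.startswith('"AppInit_DLLs"='):
            for dll in line.split('=', 1)[1].split():
                findings.append(('HIGH', f'AppInit_DLLs loads {dll} into every process that loads user32.dll', line))
            continue
        if '"DisableMonitoring"=dword:00000001' in line:
            findings.append(('HIGH', 'Security Center monitoring disabled', line))
            continue
        if FIREWALL_OFF_RE.search(line):
            findings.append(('HIGH', 'Windows Firewall disabled in the standard profile', line))
            continue
        if '(no file)' in line:
            findings.append(('LOW', 'orphaned registry reference, target file missing', line))
            continue
        reasons = []
        if GUID_RUN_RE.search(line):
            reasons.append('Run value named with a GUID')
        if re.search(r'rundll32\.exe', line, re.IGNORECASE) and 'DllStub' in line:
            reasons.append('rundll32 launches a DLL export at logon')
        for stem in SYS32_DLL_RE.findall(line):
            if looks_random(stem):
                reasons.append(f'random-looking DLL name {stem}.dll directly in system32')
        if reasons:
            findings.append(('MEDIUM', '; '.join(reasons), line))
    return findings


def severity_counts(findings):
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == '__main__':
    for severity, why, line in triage(SAMPLE_LOG):
        print(f'[{severity:6}] {why}\n         {line}')
```

Run it as-is to see the findings for the constructed lines, or pass a whole saved ComboFix or HijackThis log to `triage()`. The script deliberately does not touch the registry or delete anything; its output is a reading list for a human, not a fix.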



## Buzz1927

Please wait for Cohen to give his standard bullshit reply


----------



## Respital

Buzz1927 said:


> Please wait for Cohen to give his standard bullshit reply



I laughed so hard, but since he isn't online... I'll do the honors.
Buzz, why don't you just simply give him a ComboFix script anyway? You are able to, aren't you?

*Run A Kaspersky Online Scan*
Using *Internet Explorer*, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.

_Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%._

- Read the *Requirements and limitations* before you click *Accept*.
- Allow the ActiveX download if necessary.
- Once the database has downloaded, click *Next*.
- Click *Scan Settings* and change "*Scan using the following antivirus database*" from *standard* to *extended*, then click *OK*.
- Click on "*My Computer*" and then put the kettle on!
- When the scan has completed, click *Save Report As...*
- Enter a name for the file in the *Filename:* text box, then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*.
- Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


----------



## Buzz1927

Respital said:


> Buzz why don't you just simply give him a ComboFix script anyways? You are able to aren't you?


Yes, but I won't while he's still around


----------



## Respital

Buzz1927 said:


> Yes, but I won't while he's still around



Oh, then maybe I could lend him my toy, which only he is allowed to touch.

Cohen, only you are allowed to touch this.


----------



## Buzz1927

I'm not sure he'll wanna touch it all the time, I don't...


----------



## Buzz1927

We can call it "cohen's cock-up" !


----------



## cohen

Buzz1927 said:


> Please wait for Cohen to give his standard bullshit reply





Respital said:


> I laughed so hard, but since he isn't online... I'll do the honors.
> Buzz, why don't you just simply give him a ComboFix script anyway? You are able to, aren't you?
> 
> *Run A Kaspersky Online Scan*
> Using *Internet Explorer*, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the *Accept* button at the end of the page.
> 
> _Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%._
> 
> - Read the *Requirements and limitations* before you click *Accept*.
> - Allow the ActiveX download if necessary.
> - Once the database has downloaded, click *Next*.
> - Click *Scan Settings* and change "*Scan using the following antivirus database*" from *standard* to *extended*, then click *OK*.
> - Click on "*My Computer*" and then put the kettle on!
> - When the scan has completed, click *Save Report As...*
> - Enter a name for the file in the *Filename:* text box, then click the down arrow to the right of *Save as type:* and select *text file (*.txt)*.
> - Click *Save* - by default the file will be saved to your Desktop, but you can change this if you wish.
> 
> Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.



That is what I would've done.



Buzz1927 said:


> Yes, but I won't while he's still around





Buzz1927 said:


> We can call it "cohen's cock-up" !



By the way - you guys are nuts, and Buzz, you give the stupidest replies; at least I do something helpful.


----------



## Buzz1927

Please don't make me get nasty..


----------



## MBGraphics

Wow, this scan takes FOREVER!! 
I'm at an hour and 40 mins and it says it's only at 40%


----------



## Respital

MBGraphics said:


> Wow, this scan takes FOREVER!!
> I'm at an hour and 40 mins and it says it's only at 40%



It's very thorough.
Better to be long and thorough and detect everything than to be short and detect nothing.


----------



## MBGraphics

I had to cancel it; it was pushing past 2 hours and still only at 45%, and it was already around 12:00 at night.

I'll put it on again today and let it run.


----------



## Respital

MBGraphics said:


> I had to cancel it; it was pushing past 2 hours and still only at 45%, and it was already around 12:00 at night.
> 
> I'll put it on again today and let it run.



That's fine, but just make sure it finishes; you could leave it on overnight, but you don't really have to monitor it.


----------



## MBGraphics

OK, finally done. Here is the Kaspersky scan log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
 Sunday, September 21, 2008
 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
 Kaspersky Online Scanner 7 version: 7.0.25.0
 Program database last update: Sunday, September 21, 2008 19:39:57
 Records in database: 1248376
--------------------------------------------------------------------------------

Scan settings:
	Scan using the following database: extended
	Scan archives: yes
	Scan mail databases: yes

Scan area - My Computer:
	C:\
	D:\
	E:\
	H:\

Scan statistics:
	Files scanned: 213128
	Threat name: 29
	Infected objects: 75
	Suspicious objects: 0
	Duration of the scan: 03:41:38


File name / Threat name / Threats count
C:\Documents and Settings\chevy\Incomplete\T-3545425-boats hoes.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Incomplete\T-3545425-true sound basshunter.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Incomplete\T-3545425-we dont give ****.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Incomplete\T-5745425-boats hoes.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Incomplete\T-5745425-nex episode snoop dog.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Incomplete\T-5745425-Skee Lo -i wish.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\Antivirus_Protection_Setup.exe	Infected: not-a-virus:FraudTool.Win32.Agent.r	2
C:\Documents and Settings\chevy\Local Settings\Temporary Internet Files\Content.IE5\BW1UOR46\x12c[1].htm	Infected: Exploit.JS.Agent.vj	1
C:\Documents and Settings\chevy\Local Settings\Temporary Internet Files\Content.IE5\BW1UOR46\x7b[1].xml	Infected: Exploit.Multi.Qtp.g	1
C:\Documents and Settings\chevy\My Documents\vista2\Vista 2.4\LS Patch\LSPatch.exe	Infected: not-a-virus:RiskTool.Win32.CloseApp.a	1
C:\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
C:\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3	Infected: Trojan-Downloader.WMA.Wimad.o	1
C:\Program Files\Freeze.com Toolbar\freeze_int.dll	Infected: not-a-virus:AdWare.Win32.Mostofate.bn	1
C:\Program Files\Seagate\Utilities\pkill.exe	Infected: not-a-virus:RiskTool.Win32.PsKill.1101	1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080213-184402-306.dll	Infected: not-a-virus:AdWare.Win32.MyWay.v	1
C:\QooBox\Quarantine\C\WINDOWS\Fonts\a.zip.vir	Infected: Trojan.Win32.Agent.cmn	1
C:\QooBox\Quarantine\C\WINDOWS\Fonts\Crack.exe.vir	Infected: Trojan.Win32.Agent.cmn	1
C:\QooBox\Quarantine\C\WINDOWS\Fonts\svchost.exe.vir	Infected: Trojan.Win32.Agent.cmn	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bhlhbjde.dll.vir	Infected: Trojan.Win32.Monder.psh	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bvtivuaf.dll.vir	Infected: Trojan.Win32.Monder.psh	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\byXnKcBu.dll.vir	Infected: Trojan.Win32.Monder.pfy	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\byXPHaWp.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbXQheEv.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbXQhGvw.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cgvadhej.dll.vir	Infected: Trojan.Win32.Monder.psh	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfhnhc.dll.vir	Infected: Trojan.Win32.Monder.pse	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\efcBtSkI.dll.vir	Infected: Trojan.Win32.Monder.psh	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\efcYOifF.dll.vir	Infected: Trojan.Win32.Monder.psf	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fcccyVlL.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fccdaaBU.dll.vir	Infected: Trojan.Win32.Monder.psf	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fogximhf.dll.vir	Infected: Trojan.Win32.Monder.pse	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\guknksmh.dll.vir	Infected: Trojan.Win32.Monder.png	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gxnotq.dll.vir	Infected: Trojan.Win32.Monder.png	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkLETNf.dll.vir	Infected: Trojan.Win32.Monder.pph	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mlJYPhee.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nnnmnLfd.dll.vir	Infected: Trojan.Win32.Monder.pmb	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\otsdyhpk.dll.vir	Infected: Trojan.Win32.Monder.psh	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pmnmlkiG.dll.vir	Infected: Trojan.Win32.Monder.pqs	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqRJArPh.dll.vir	Infected: Trojan.Win32.Monder.psf	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqRKCvTJ.dll.vir	Infected: Trojan.Win32.Monder.pph	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdssadw.dll.vir	Infected: Rootkit.Win32.Clbd.jy	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdssl.dll.vir	Infected: Backdoor.Win32.UltimateDefender.gen	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdsslog.dll.vir	Infected: Backdoor.Win32.Agent.rfv	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdssmain.dll.vir	Infected: Backdoor.Win32.Agent.rfw	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdssserf.dll.vir	Infected: Trojan-Downloader.Win32.FraudLoad.vbxt	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtUoPgda.dll.vir	Infected: Trojan.Win32.Monder.psf	1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yayvTmmL.dll.vir	Infected: Trojan.Win32.Monder.pph	1
C:\QooBox\Quarantine\catchme2008-09-20_180932.51.zip	Infected: Trojan.Win32.Monder.gen	1
C:\WINDOWS\SYSTEM32\CloseApp.exe	Infected: not-a-virus:RiskTool.Win32.CloseApp.a	1
C:\WINDOWS\SYSTEM32\filekiller.dll	Infected: not-a-virus:FraudTool.Win32.Agent.r	1
C:\WINDOWS\SYSTEM32\mC02\mC022328.exe	Infected: Trojan-Downloader.Win32.VB.hpv	1
C:\WINDOWS\SYSTEM32\RES\comec130t.exe	Infected: not-a-virus:AdWare.Win32.WebHancer.f	1
C:\WINDOWS\SYSTEM32\RES\comec130t.exe	Infected: not-a-virus:AdWare.Win32.WebHancer.390	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Desktop\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Desktop\SmitfraudFix.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-anthum 2.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-full throttle.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day stayin up.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-souljah boy hardcore.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3566386-06 Track 6 (hardcore).wma	Infected: Trojan-Downloader.WMA.Wimad.l	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3	Infected: Trojan-Downloader.WMA.Wimad.o	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam@2008-03-17T22;12;06.mp3	Infected: Trojan-Downloader.WMA.Wimad.o	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-5745425-full throttle.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-1932750-Wicked Remix.wma	Infected: Trojan-Downloader.WMA.Wimad.l	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle@2008-06-19T06;11;20.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-souljah boy hardcore.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3566386-06 Track 6 (hardcore).wma	Infected: Trojan-Downloader.WMA.Wimad.l	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3	Infected: Trojan-Downloader.WMA.Wimad.o	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\My Documents\vista2\Vista 2.4\LS Patch\LSPatch.exe	Infected: not-a-virus:RiskTool.Win32.CloseApp.a	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3	Infected: Trojan-Downloader.WMA.Wimad.n	1
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3	Infected: Trojan-Downloader.WMA.Wimad.o	1

The selected area was scanned.


----------



## MBGraphics

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:56 PM, on 9/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.freewebs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bambanner browser enhancer - {18a44c72-d267-d443-1461-db8338bae54e} - C:\WINDOWS\system32\dcftwsccwjivny.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{88263159-d7ea-a00a-302d-778d20c39157}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\dcftwsccwjivny.dll" DllStub
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136011116468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: xwvexa.dll gxnotq.dll dfhnhc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 11990 bytes


----------



## Buzz1927

cohen said:


> and buzz you give the most stupidiest replies, at least i do something helpful


You don't do shit, feckwit!


----------



## mep916

cohen said:


> by the way - you guys are nuts, and buzz you give the most stupidiest replies, at least i do something helpful



You do realize that insulting a moderator can get you banned, right? Replying with canned responses is not always helpful, BTW. Stop being lazy and get training at SWI. 



			
				Forum Rules said:
			
		

> If you insult any of the moderator or administrator team, your account will be instantly banned


----------



## MBGraphics

Are you guys going to finish helping me or try to kill each other? 

As far as computer behavior, it seems normal so far. Sometimes still a bit slow but nothing like it was.

Thanks for the help so far, it has worked great


----------



## cohen

MBGraphics said:


> Are you guys going to finish helping me or try to kill each other?
> 
> As far as computer behavior, it seems normal so far. Sometimes still a bit slow but nothing like it was.
> 
> Thanks for the help so far, it has worked great



Well, there are a few things there that might need to be fixed. I haven't seen ceewi1 on for ages!!! So not sure what is happening there....

But maybe Respital might be able to help.... depending on his training.

Mep - Yeah, I will do my training in another term, over the 2-month Christmas break I have.


----------



## Respital

cohen said:


> Well there are a few things there, that might need to be fixed. I haven't seen ceewi1 on for ages!!! So not sure what is happening there....
> 
> But maybe Respital might be able to help.... depending on his training...



Well, I'll do my best, that's for sure.
Ceewi1 is working, cohen, like 15-hour days, so don't expect him to help out too much; like come on, he's working his ass off.

@ OP

*: Download and Run DSS :*

Download *Deckard's System Scanner (DSS)* to your *Desktop*. You must be logged onto an account with administrator privileges.

*Close* all applications and windows.
*Double-click* on *dss.exe* to run it, and follow the prompts.
When the scan is complete, two text files will open - *main.txt* <- this one will be maximized and *extra.txt* <- this one will be minimized.
Copy *(Ctrl+A then Ctrl+C)* and paste *(Ctrl+V)* the contents of *main.txt* and the *extra.txt* in your reply.


----------



## MBGraphics

Won't follow link, it says "page not found"


----------



## cohen

Respital said:


> Well, I'll do my best, that's for sure.
> Ceewi1 is working, cohen, like 15-hour days, so don't expect him to help out too much; like come on, he's working his ass off.



Right, I understand, I might start my training now then.


----------



## Respital

MBGraphics said:


> Won't follow link, it says "page not found"



I apologize, it seems the link is out of date.
Unfortunately I have to go do my homework, I apologize, but I'm sure Buzz would be able to help you if he has a moment.


----------



## MBGraphics

That's fine, Respital.
I'll get whatever help I can get whenever I can get it. My computer is at least in working condition now.


----------



## Buzz1927

Boot into safemode and delete all the files Kaspersky found.

The Malwarebytes link is down at the minute..


----------



## nobbly niblets

A CF script will be able to clean out 99% of the files Kaspersky found.
The problem is there is a rootkit present which could protect or repopulate an infection.
Some of the infections found already have been fixed with ComboFix and HJT, and are quarantined or in a back-up folder.

Here's the CF Script I came up with.



> File::
> 
> C:\Documents and Settings\chevy\Incomplete\T-3545425-boats hoes.mp3
> C:\Documents and Settings\chevy\Incomplete\T-3545425-true sound basshunter.mp3
> C:\Documents and Settings\chevy\Incomplete\T-3545425-we dont give ****.mp3
> C:\Documents and Settings\chevy\Incomplete\T-5745425-boats hoes.mp3
> C:\Documents and Settings\chevy\Incomplete\T-5745425-nex episode snoop dog.mp3
> C:\Documents and Settings\chevy\Incomplete\T-5745425-Skee Lo -i wish.mp3
> C:\Documents and Settings\chevy\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download \Antivirus_Protection_Setup.exe
> C:\Documents and Settings\chevy\Local Settings\Temporary Internet Files\Content.IE5\BW1UOR46\x12c[1].htm
> C:\Documents and Settings\chevy\Local Settings\Temporary Internet Files\Content.IE5\BW1UOR46\x7b[1].xml
> C:\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
> C:\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3
> C:\WINDOWS\SYSTEM32\mC02\mC022328.exe
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-anthum 2.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-full throttle.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day stayin up.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-souljah boy hardcore.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3566386-06 Track 6 (hardcore).wma
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam@2008-03-17T22;12;06.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-5745425-full throttle.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-1932750-Wicked Remix.wma
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle@2008-06-19T06;11;20.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-souljah boy hardcore.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3566386-06 Track 6 (hardcore).wma
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
> H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3



If the H drive is an external device that will need to be connected while the script runs.


----------



## mep916

cohen said:


> Pls create your own thread in the same section.



Let Buzz handle it, Cohen.


----------



## nobbly niblets

Cohen, lol..... that's a ComboFix script to clean out the infected files for MBGraphics.

If you have a close look and compare to the Kaspersky scan performed you will find it lists the infected files.

Geez you're swift, I posted that not 2 minutes ago.

<EDIT> I refrained from giving detailed instructions on running the script.... Just thought it could save some one time</EDIT>


----------



## cohen

nobbly niblets said:


> Cohen, lol..... that's a ComboFix script to clean out the infected files for MBGraphics.
> 
> If you have a close look and compare to the Kaspersky scan performed you will find it lists the infected files.
> 
> Geez you're swift, I posted that not 2 minutes ago.
> 
> <EDIT> I refrained from giving detailed instructions on running the script.... Just thought it could save some one time</EDIT>



Sorry, i just thought it was a hijackthis log.

Sorry.


----------



## nobbly niblets

That's cool... I'm not here often. Easy mistake to make. No harm, No Foul.


----------



## nobbly niblets

Here are alternative links to MBAM (MalwareBytes' Anti-Malware)

This one starts the downloader:

http://www.besttechie.net/tools/mbam-setup.exe

From Major Geeks:

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html


----------



## ceewi1

As some of you have noticed, my activity here has been limited recently and is likely to stay that way for the foreseeable future.  It's rather sad to see what's happening with these threads, though.

I notice you have the Freeze.com Toolbar installed.  This is considered by many to be adware.  See http://www.emsisoft.com/en/malware/?Adware.Win32.Freeze.com+Toolbar for more information.  I suggest you remove it.  To do so click on *Start* -> *Control Panel* -> *Add or Remove Programs*.  If *Freeze.com Toolbar* appears, click on it and click *Remove*.  Once done, delete the following folder:
C:\Program Files\*Freeze.com Toolbar*

Please download *SDFix* and save it to your Desktop but do not run it yet.

Please download *ATF Cleaner* by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser

Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Double click *SDFix.exe* and it will extract the files to *C:\SDFix*

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in *Safe Mode* (tap F8 just before Windows starts to load and select Safe Mode from the list).
Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please paste the contents of the Report.txt back on the forum in your next reply.

Please plug drive H: into your system if it is an external drive.

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:

File::
C:\WINDOWS\SYSTEM32\c0c2a076
C:\955.bat
C:\Documents and Settings\chevy\1359.bat
C:\Documents and Settings\chevy\4742.bat
C:\421.bat
C:\Documents and Settings\chevy\3480.bat
C:\WINDOWS\SYSTEM32\tuvWmJdb.dll
C:\356.bat
C:\WINDOWS\SYSTEM32\WEKTCJlm.tmp
C:\WINDOWS\SYSTEM32\BIRsAJlm.tmp
C:\WINDOWS\SYSTEM32\eiytiugwtrfxaxske.exe
C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
C:\Documents and Settings\chevy\Incomplete\T-3545425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-3545425-true sound basshunter.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-nex episode snoop dog.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-Skee Lo -i wish.mp3
C:\Documents and Settings\chevy\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\Antivirus_Protection_Setup.exe
C:\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
C:\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3
C:\WINDOWS\SYSTEM32\filekiller.dll
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-anthum 2.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day stayin up.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam@2008-03-17T22;12;06.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-5745425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-1932750-Wicked Remix.wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle@2008-06-19T06;11;20.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3 
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3

Folder::
C:\Program Files\Antivirus Protection
C:\WINDOWS\Y2hldnk
C:\WINDOWS\SYSTEM32\wp
C:\WINDOWS\SYSTEM32\RES
C:\WINDOWS\SYSTEM32\np5
C:\WINDOWS\SYSTEM32\mC02
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18a44c72-d267-d443-1461-db8338bae54e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{88263159-d7ea-a00a-302d-778d20c39157}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

The name of the following file has not been completely displayed, presumably due to this forum's language filter.  Please locate and delete it (the **** will correspond to a swear word):
C:\Documents and Settings\chevy\Incomplete\*T-3545425-we dont give ****.mp3*

Please click on *Start -> Run*.  Type the following command and click *OK*:
*notepad C:\WINDOWS\winstart.bat*

This should popup a Notepad document showing the contents of winstart.bat.  Please post the contents in your next reply.

Please post:
The SDFix report
The ComboFix log
The contents of winstart.bat
A new HijackThis log
An update on how your system is running
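A pre-flight check for the CFScript format used in the instructions above, added here as an example; it is not part of the thread or of ComboFix. It parses the File::, Folder:: and Registry:: sections, reports which drive letters the script touches (so you can confirm H: is attached before running it) and flags lines that would not mean what you expect. The shortened sample script embedded in it is constructed from the one posted above.

```python
"""Pre-flight checker for a ComboFix CFScript.txt (added example, not ComboFix code).

Parses the three section types the script above uses and summarises what the
script would remove, so the drive letters and registry operations can be
checked before the file is dragged onto ComboFix.exe.

Registry lines follow the REGEDIT4 conventions the script uses:
  [-KEY]      delete the whole key
  [KEY]       select a key for the value lines that follow
  "name"=-    delete that value under the selected key
  "name"="x"  set that value under the selected key
The `~` shorthand ComboFix uses inside key paths is passed through unchanged.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the CFScript shown in the thread.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\SYSTEM32\c0c2a076
C:\955.bat
C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3

Folder::
C:\Program Files\Antivirus Protection
C:\WINDOWS\SYSTEM32\mC02
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18a44c72-d267-d443-1461-db8338bae54e}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{88263159-d7ea-a00a-302d-778d20c39157}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
"""

SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
VALID_ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER",
               "HKEY_USERS", "HKEY_CLASSES_ROOT")


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    # (operation, key, value_name, new_data) tuples
    registry: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_cfscript(text):
    """Parse CFScript text into its file, folder and registry operations."""
    script = CFScript()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            continue
        if section == "File":
            script.files.append(line)
        elif section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            km, vm = KEY_RE.match(line), VALUE_RE.match(line)
            if km:
                current_key = km.group(2)
                if km.group(1) == "-":
                    script.registry.append(("delete_key", current_key, None, None))
            elif vm and current_key:
                name, data = vm.group(1), vm.group(2)
                if data == "-":
                    script.registry.append(("delete_value", current_key, name, None))
                else:
                    script.registry.append(("set_value", current_key, name, data.strip('"')))
            else:
                script.warnings.append(f"line {lineno}: unrecognised registry line: {line}")
        else:
            script.warnings.append(f"line {lineno}: text outside any section: {line}")
    return script


def drive_letters(script):
    """Drive letters the script touches, e.g. {'C', 'H'}; H: must be attached."""
    return {p[0].upper() for p in script.files + script.folders
            if len(p) > 1 and p[1] == ":"}


def validate(script):
    """Problems that would make ComboFix ignore or misapply a line."""
    problems = list(script.warnings)
    for path in script.files + script.folders:
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append(f"path without drive letter: {path}")
    for _op, key, _name, _data in script.registry:
        if not key.upper().startswith(VALID_ROOTS):
            problems.append(f"registry key with unknown root hive: {key}")
    return problems


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"{len(s.files)} files, {len(s.folders)} folders, "
          f"{len(s.registry)} registry operations; drives: {sorted(drive_letters(s))}")
    for problem in validate(s):
        print("PROBLEM:", problem)
```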


----------



## nobbly niblets

Is this file worth a look at?

C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll


----------



## MBGraphics

Ok, here is the log from SDFix:



*SDFix: Version 1.228 *
Run by chevy on Tue 09/23/2008 at 04:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\chevy\Desktop\SDFix

*Checking Services *:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


*Checking Files *: 

Trojan Files Found:

C:\WINDOWS\system32\eiytiugwtrfxaxske.exe - Deleted





Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 16:23:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

*Remaining Files *:


File Backups: - C:\DOCUME~1\chevy\Desktop\SDFix\backups\backups.zip

*Files with Hidden Attributes *:


*Finished!*


----------



## MBGraphics

Here is the ComboFix Log:


ComboFix 08-09-20.05 - chevy 2008-09-23 16:34:48.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2387 [GMT -7:00]
Running from: G:\ComboFix.exe
Command switches used :: C:\Documents and Settings\chevy\Desktop\CFScript.txt
 * Created a new restore point
 * Resident AV is active


*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((   Files Created from 2008-08-23 to 2008-09-23  )))))))))))))))))))))))))))))))
.

2008-09-23 16:05 . 2008-09-23 16:05	577,536	--a------	C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-09-23 16:03 . 2008-09-23 16:03	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-09-23 15:47 . 2008-09-22 01:35	<DIR>	d--------	C:\SDFix
2008-09-20 15:03 . 2008-09-20 15:03	65	--a------	C:\WINDOWS\SYSTEM32\c0c2a076
2008-09-20 14:43 . 2008-09-20 14:43	355	--a------	C:\955.bat
2008-09-20 13:13 . 2008-09-20 13:13	71	--a------	C:\Documents and Settings\chevy\1359.bat
2008-09-20 12:35 . 2008-09-20 12:35	71	--a------	C:\Documents and Settings\chevy\4742.bat
2008-09-20 12:26 . 2008-09-20 12:26	355	--a------	C:\421.bat
2008-09-19 16:57 . 2008-09-19 16:57	71	--a------	C:\Documents and Settings\chevy\3480.bat
2008-09-19 16:01 . 2008-09-19 16:01	34,816	--a------	C:\WINDOWS\SYSTEM32\tuvWmJdb.dll
2008-09-19 16:01 . 2008-09-19 16:01	355	--a------	C:\356.bat
2008-09-17 19:49 . 2008-09-17 19:49	1,001,023	--ahs----	C:\WINDOWS\SYSTEM32\WEKTCJlm.tmp
2008-09-17 19:02 . 2008-09-17 19:02	(2)	-rahs-ot-	C:\WINDOWS\winstart.bat
2008-09-17 19:00 . 2008-09-17 19:49	<DIR>	d--------	C:\Program Files\UnHackMe
2008-09-17 16:37 . 2008-09-17 16:37	121	--ahs----	C:\WINDOWS\SYSTEM32\BIRsAJlm.tmp
2008-09-17 16:02 . 2008-09-17 16:02	147,456	--a------	C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-09-17 15:59 . 2008-09-17 18:23	<DIR>	d--hs----	C:\WINDOWS\Y2hldnk
2008-09-17 15:58 . 2008-09-17 18:20	<DIR>	d--------	C:\WINDOWS\SYSTEM32\wp
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\WINDOWS\SYSTEM32\RES
2008-09-17 15:58 . 2008-09-17 18:21	<DIR>	d--------	C:\WINDOWS\SYSTEM32\np5
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\WINDOWS\SYSTEM32\mC02
2008-09-17 15:58 . 2008-09-17 15:58	<DIR>	d--------	C:\Temp\mtc2
2008-09-17 15:58 . 2008-09-20 18:02	<DIR>	d--------	C:\Temp
2008-09-05 17:28 . 2008-09-05 17:28	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-29 05:11 . 2008-08-29 05:11	166,400	--a------	C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
2008-08-27 14:03 . 2008-08-27 14:03	42,320	--a------	C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-08-27 13:35 . 2007-02-28 02:08	2,147,840	--a------	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-08-26 23:08 . 2008-08-26 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Fugazo
2008-08-26 23:07 . 2008-08-26 23:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\scripting
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\en
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\bits
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\l2schemas
2008-08-26 19:45 . 2004-08-10 03:00	71,040	---------	C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll
2008-08-26 19:07 . 2008-04-13 17:11	2,843,136	--a------	C:\WINDOWS\SYSTEM32\SET961.tmp
2008-08-26 18:46 . 2008-08-28 09:43	<DIR>	d--------	C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-23 19:59 . 2008-08-23 19:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Winferno

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 19:36	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Xfire
2008-09-20 23:54	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 03:41	---------	d-s---w	C:\Program Files\Xfire
2008-09-19 01:02	---------	d-----w	C:\Documents and Settings\chevy\Application Data\ZoomBrowser EX
2008-09-18 03:00	---------	d-----w	C:\Program Files\LimeWire
2008-09-17 22:57	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Azureus
2008-09-16 03:35	139,128	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-16 03:35	111,928	----a-w	C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-09-06 00:54	---------	d-----w	C:\Program Files\Canon
2008-09-06 00:26	---------	d-----w	C:\Program Files\Common Files\Canon
2008-08-27 21:12	---------	d-----w	C:\Program Files\Ascentive
2008-08-27 05:59	---------	d-----w	C:\Documents and Settings\chevy\Application Data\gtk-2.0
2008-08-27 03:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-24 03:07	---------	d-----w	C:\Program Files\Bonjour
2008-08-24 03:03	---------	d-----w	C:\Program Files\Speeditup Free
2008-08-24 03:02	---------	d-----w	C:\Program Files\MySpace
2008-08-21 05:06	---------	d-----w	C:\Program Files\Free Offers from Freeze.com
2008-08-21 05:06	---------	d-----w	C:\Program Files\AWS
2008-08-21 05:06	---------	d-----w	C:\Documents and Settings\chevy\Application Data\WeatherBug
2008-08-20 07:49	---------	d-----w	C:\Program Files\Flickr Uploadr
2008-08-20 01:02	---------	d-----w	C:\Program Files\HD Tune
2008-08-13 21:58	---------	d-----w	C:\Documents and Settings\chevy\Application Data\BearShare
2008-08-12 05:50	---------	d-----w	C:\Program Files\BearShare Applications
2008-08-12 02:23	32,778	----a-w	C:\WINDOWS\Fonts\thematrix.zip
2008-08-12 02:07	81,312	----a-w	C:\WINDOWS\Fonts\fontz_1120_miltownmatrix.zip
2008-08-11 05:03	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Flickr
2008-08-09 23:09	---------	d-----w	C:\Program Files\GIMP-2.0
2008-08-04 22:27	---------	d-----w	C:\Program Files\UltraMon
2008-08-04 22:27	---------	d-----w	C:\Program Files\Common Files\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-08-04 22:15	---------	d-----w	C:\Program Files\Common Files\Stardock
2008-07-23 08:17	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-07-19 05:10	94,920	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 05:10	94,920	----a-w	C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 05:10	53,448	----a-w	C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 05:10	53,448	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 05:10	45,768	----a-w	C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 05:10	36,552	----a-w	C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 05:10	36,552	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 05:09	563,912	----a-w	C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 05:09	563,912	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 05:09	325,832	----a-w	C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 05:09	325,832	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 05:09	205,000	----a-w	C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 05:09	205,000	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 05:09	1,811,656	----a-w	C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 05:09	1,811,656	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-25 01:12	295,936	----a-w	C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 17:57	3,592,192	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2008-06-23 09:20	70,656	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20	625,664	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20	13,824	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-25 17:58	22,328	----a-w	C:\Documents and Settings\chevy\Application Data\PnkBstrK.sys
2007-10-06 21:22	1,066,496	-csha-w	C:\Program Files\ehthumbs.db
2005-08-06 06:54	211,952	----a-w	C:\Program Files\new.sc3
2005-08-06 03:55	164,538	-c--a-w	C:\Program Files\new city.sc3
2005-07-29 22:52	56,192	----a-w	C:\Program Files\New City69.sc3
2005-07-07 23:07	251	----a-w	C:\Program Files\wt3d.ini
2003-05-27 03:08	8,964,958	----a-w	C:\Documents and Settings\chevy\SCXE26Setup.exe
2003-05-05 22:59	436,224	----a-w	C:\Documents and Settings\chevy\SCXEDirectoryFix.exe
2003-04-19 22:34	467,968	----a-w	C:\Documents and Settings\chevy\SCXEUpd.exe
.

------- Sigcheck -------

2005-03-01 17:36  2056832  d8aba3eab509627e707a3b14f00fbb6b	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 09:12  2059392  ba4b97c00a437c1cc3da365d93ee1e9d	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15  2059392  4d3dbdccbf97f5ba1e74f322b155c3ba	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-03 20:59  2015232  fb142b7007ca2eea76966c6c5cc12150	C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34  2015232  3cd941e472ddf3534e53038535719771	C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 05:55  2015744  bbb2322eb14ad9ad55b1024ffd4d88bf	C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:38  2057600  515d30e2c90a3665a2739309334c9283	C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
2008-04-13 11:31  2065792  109f8e3e3c82e337bb71b6bc9b895d61	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 01:38  2027520  54a8b9806027049f8b19f1274a63c7b4	C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2007-02-28 01:38  2015744  a58ac1c6199ef34228abee7fc057ae09	C:\WINDOWS\SYSTEM32\VITrans\ntkrnlpa.exe

2005-03-01 18:04  2179456  28187802b7c368c0d3aef7d4c382aabb	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 09:51  2182016  cef243f6defd20be4adde26c7ecacb54	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 02:55  2182144  5a5c8db4aa962c714c8371fbdf189fc9	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-03 21:18  2148352  626309040459c3915997ef98ec1c8d40	C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:57  2135552  48b3e89af7074cee0314a3e0c7faffdb	C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 07:15  2136064  8318ed54797f3e513fd5817a1d4bbd18	C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 02:10  2180352  582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
2008-04-13 12:27  2188928  0c89243c7c3ee199b96fcc16990e0679	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 02:08  2147840  5fb20cabc9a81baaabbe63f30ffc5284	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2007-02-28 02:08  2136064  1220faf071dea8653ee21de7dcda8bfd	C:\WINDOWS\SYSTEM32\VITrans\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-04 187496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"{88263159-d7ea-a00a-302d-778d20c39157}"="C:\WINDOWS\system32\dcftwsccwjivny.dll" [2008-08-29 166400]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 5361464]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

C:\Documents and Settings\chevy\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe [2006-12-14 214520]
PowerReg Scheduler V3.exe [2005-08-09 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2008-08-04 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xwvexa.dll gxnotq.dll dfhnhc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=C:\WINDOWS\pss\ImageMixer for HDD Camcorder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 03:00 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 14:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\EHOME\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 17:24 50760 C:\Program Files\Common Files\AOL\1154645544\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2002-05-29 01:23 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 02:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-06-28 21:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-19 22:54 5361464 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 04:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
--a------ 2007-11-19 14:01 163840 C:\Program Files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 14:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
--a------ 2007-11-26 20:27 593920 C:\Program Files\ViStart\ViStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 20280]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S1 agp4400;agp4400;C:\WINDOWS\system32\drivers\agp4400.sys [ ]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 16:42:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
Completion time: 2008-09-23 16:48:05
ComboFix-quarantined-files.txt  2008-09-23 23:46:44
ComboFix2.txt  2008-09-21 01:43:26
ComboFix3.txt  2008-02-14 23:15:33
ComboFix4.txt  2008-02-14 02:37:11

Pre-Run: 179,494,264,832 bytes free
Post-Run: 179,457,556,480 bytes free

277	--- E O F ---	2008-09-10 22:01:21


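The "Reg Loading Points" section of the ComboFix log above is a REGEDIT4-style dump, so it can be audited mechanically instead of read line by line. The Python below is an added example for this thread, not part of ComboFix or of the original posts: it parses `[key]` headers and `"name"=value` lines, decodes the `hex(2)` (REG_EXPAND_SZ) `UIHost` value and `dword:` values, and applies a few hardening checks (AppInit_DLLs set, Security Center monitoring disabled, Windows Firewall off, logon UI host replaced). `SAMPLE_DUMP` is constructed from entries visible in the log above; nothing else is assumed.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of the original
posts. ComboFix prints that section as a REGEDIT4-style dump, so the parser
below reads [key] headers and "name"=value lines, decodes hex(2)
(REG_EXPAND_SZ) and dword values, and runs a few hardening checks.
SAMPLE_DUMP is constructed from entries visible in the log above.
"""
import re

SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xwvexa.dll gxnotq.dll dfhnhc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PAREN_INT_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")  # ComboFix's "0 (0x0)" form


def decode_value(raw: str):
    """Convert one printed registry value to a Python value.

    hex(2): comma-separated bytes of a NUL-terminated REG_EXPAND_SZ string.
    dword:  hexadecimal DWORD.  Anything else is returned as the raw string.
    """
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = PAREN_INT_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def parse_dump(text: str) -> dict:
    """Return {lower-cased key path: {value name: decoded value}}."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            reg[current][vm.group(1)] = decode_value(vm.group(2))
    return reg


def audit(reg: dict) -> list:
    """Return findings as strings, in dump order; an empty list is clean."""
    findings = []
    for key, values in reg.items():
        leaf = key.split("\\")[-1]
        if key.endswith("\\currentversion\\winlogon"):
            host = values.get("UIHost")
            # XP's stock logon UI host is logonui.exe; anything else replaced it.
            if host and host.lower() != "logonui.exe":
                findings.append(f"UIHost is {host}, not the default logonui.exe; confirm what installed it")
        if key.endswith("\\currentversion\\windows") and values.get("AppInit_DLLs"):
            findings.append(f"AppInit_DLLs injects into every user32-linked process: {values['AppInit_DLLs']}")
        if "security center\\monitoring" in key and values.get("DisableMonitoring") == 1:
            findings.append(f"Security Center monitoring disabled ({leaf})")
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("Windows Firewall is off in the standard profile")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print("-", finding)
```

On this log the `UIHost` bytes decode to `vistaui.exe`. The same dump lists ViStart, ViOrb and Vista Sidebar under msconfig's startupreg, so a replaced logon host is plausibly the user's Vista-look customisation rather than malware, but it is still something to confirm rather than ignore. The other four checks need no interpretation: three random six-letter DLLs in AppInit_DLLs, all Security Center monitoring switched off and the firewall disabled are exactly what a cleanup has to reverse.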
----------



## MBGraphics

And the HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:51:39 PM, on 9/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.freewebs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{88263159-d7ea-a00a-302d-778d20c39157}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\dcftwsccwjivny.dll" DllStub
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136011116468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: xwvexa.dll gxnotq.dll dfhnhc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 11912 bytes


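A HijackThis log lists every hook point it knows about without ranking them, so the reader has to know which line types matter. The Python below is an added example for this thread, not a HijackThis feature and not code from the original posts: it triages the lines that carry the most weight in the log above, namely the O20 AppInit_DLLs entry, the O17 hard-coded NameServer entry, the O4 Run value whose name is a GUID and whose command is rundll32 on a system32 DLL, and the orphaned O2 BHO. `SAMPLE_LOG` copies lines from the log above; `TRUSTED_DNS` is a placeholder assumption that an analyst replaces with the ISP's resolver addresses and the LAN's private range before trusting the O17 verdict.

```python
"""Triage a HijackThis log: surface the entries to check first.

Added example for this thread; it is not a HijackThis feature and not code
from the original posts. SAMPLE_LOG copies lines from the log above.
TRUSTED_DNS is a placeholder assumption: replace it with the ISP's resolver
addresses and the LAN's private range before trusting the O17 verdict.
"""
import ipaddress
import re

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{88263159-d7ea-a00a-302d-778d20c39157}] "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\system32\dcftwsccwjivny.dll" DllStub
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: xwvexa.dll gxnotq.dll dfhnhc.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed, not from the thread: networks whose resolvers this machine may use.
TRUSTED_DNS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.*)$")
O17_RE = re.compile(r"^O17 - (.+?): NameServer = (.*)$")
SEVERITY = {"high": 0, "low": 1}


def triage_line(line: str):
    """Return (severity, reason) for one log line, or None if not flagged."""
    code = line.split(" - ", 1)[0]
    if code == "O20" and line.startswith("O20 - AppInit_DLLs:"):
        dlls = line.split(":", 1)[1].strip()
        return ("high", f"AppInit_DLLs loads into every user32-linked process: {dlls}")
    m = O17_RE.match(line)
    if m:
        servers = [ipaddress.ip_address(s) for s in m.group(2).split()]
        outside = [str(s) for s in servers if not any(s in net for net in TRUSTED_DNS)]
        if outside:
            return ("high", "hard-coded DNS servers outside the trusted ranges: " + ", ".join(outside))
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group(2), m.group(3)
        # A GUID as the value name plus rundll32 on a system32 DLL is a
        # pattern worth a look regardless of what the DLL is called.
        if GUID_RE.match(name) and "rundll32" in cmd.lower():
            return ("high", f"GUID-named Run value loads a DLL through rundll32: {cmd}")
    if code == "O2" and line.endswith("(no file)"):
        return ("low", "BHO registration whose file is gone; clean-up item, not an active threat")
    return None


def triage(log: str) -> list:
    """Return [(severity, HJT code, reason)] with high-severity items first."""
    hits = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], line.split(" - ", 1)[0], verdict[1]))
    return sorted(hits, key=lambda h: SEVERITY[h[0]])  # stable sort keeps log order within a tier


if __name__ == "__main__":
    for severity, code, reason in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {code}: {reason}")
```

Two caveats a practitioner would want. First, HijackThis "Fix checked" only removes the registry entry; the DLL named in the O4 line stays on disk until something deletes it, which is why this thread moves on to a ComboFix CFScript with a FILE:: list. Second, an O17 NameServer pointing at addresses you do not recognise cannot be judged from the log alone: compare it with the resolver the router or ISP actually hands out before deciding whether it was set by the user, the ISP's software, or something else.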
----------



## ceewi1

It seems that the CFScript file has been unsuccessful.  I've attached it to this post.  Please save it to your Desktop and drag it into ComboFix as before, then post the log generated.

Also, please click on *Start -> Run*.  Type the following command and click *OK*:
*notepad C:\WINDOWS\winstart.bat*

This should pop up a Notepad document showing the contents of winstart.bat.  Please post the contents in your next reply.


----------



## MBGraphics

Ok, here is the ComboFix log:

ComboFix 08-09-20.05 - chevy 2008-09-23 18:19:34.5 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2328 [GMT -7:00]
Running from: G:\ComboFix.exe
Command switches used :: C:\Documents and Settings\chevy\Desktop\CFScript.txt
 * Created a new restore point
 * Resident AV is active


*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\356.bat
C:\421.bat
C:\955.bat
C:\Documents and Settings\chevy\1359.bat
C:\Documents and Settings\chevy\3480.bat
C:\Documents and Settings\chevy\4742.bat
C:\Documents and Settings\chevy\Incomplete\T-3545425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-3545425-true sound basshunter.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-nex episode snoop dog.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-Skee Lo -i wish.mp3
C:\Documents and Settings\chevy\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\Antivirus_Protection_Setup.exe
C:\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
C:\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3
C:\WINDOWS\SYSTEM32\BIRsAJlm.tmp
C:\WINDOWS\SYSTEM32\c0c2a076
C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
C:\WINDOWS\SYSTEM32\eiytiugwtrfxaxske.exe
C:\WINDOWS\SYSTEM32\filekiller.dll
C:\WINDOWS\SYSTEM32\tuvWmJdb.dll
C:\WINDOWS\SYSTEM32\WEKTCJlm.tmp
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-anthum 2.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day stayin up.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam@2008-03-17T22;12;06.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-5745425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-1932750-Wicked Remix.wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle@2008-06-19T06;11;20.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\356.bat
C:\421.bat
C:\955.bat
C:\Documents and Settings\chevy\1359.bat
C:\Documents and Settings\chevy\3480.bat
C:\Documents and Settings\chevy\4742.bat
C:\Documents and Settings\chevy\Cookies\chevy@ad.yieldmanager[2].txt
C:\Documents and Settings\chevy\Cookies\chevy@trafficmp[2].txt
C:\Documents and Settings\chevy\Incomplete\T-3545425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-3545425-true sound basshunter.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-boats hoes.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-nex episode snoop dog.mp3
C:\Documents and Settings\chevy\Incomplete\T-5745425-Skee Lo -i wish.mp3
C:\Documents and Settings\chevy\Local Settings\Application Data\Opera\Opera\profile\cache4\temporary_download\Antivirus_Protection_Setup.exe
C:\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
C:\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3
C:\Temp
C:\Temp\mtc2\h5v.log
C:\WINDOWS\SYSTEM32\BIRsAJlm.tmp
C:\WINDOWS\SYSTEM32\c0c2a076
C:\WINDOWS\SYSTEM32\dcftwsccwjivny.dll
C:\WINDOWS\SYSTEM32\filekiller.dll
C:\WINDOWS\SYSTEM32\mC02
C:\WINDOWS\SYSTEM32\mC02\mC022328.exe
C:\WINDOWS\SYSTEM32\np5
C:\WINDOWS\SYSTEM32\RES
C:\WINDOWS\SYSTEM32\RES\comec130t.exe
C:\WINDOWS\SYSTEM32\tuvWmJdb.dll
C:\WINDOWS\SYSTEM32\WEKTCJlm.tmp
C:\WINDOWS\SYSTEM32\wp
C:\WINDOWS\Y2hldnk
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-anthum 2.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day stayin up.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-sleepin all day.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-460090-solja boy harcore version cute girl has orgasm on webcam@2008-03-17T22;12;06.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\Preview-T-5745425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-1932750-Wicked Remix.wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-full throttle@2008-06-19T06;11;20.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-nizlopi.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3545425-souljah boy hardcore.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-3566386-06 Track 6 (hardcore).wma
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Incomplete\T-460090-solja boy harcore version cute girl has orgasm on webcam.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\eminem - Sing for the Moment.mp3
H:\Memeo\chevy's Backup\C_\Documents and Settings\chevy\Shared\souljah boy hardcore cute girl has orgasm on webcam.mp3

.
(((((((((((((((((((((((((   Files Created from 2008-08-24 to 2008-09-24  )))))))))))))))))))))))))))))))
.

2008-09-23 16:05 . 2008-09-23 16:05	577,536	--a------	C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-09-23 16:03 . 2008-09-23 16:03	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-09-23 15:47 . 2008-09-22 01:35	<DIR>	d--------	C:\SDFix
2008-09-17 19:02 . 2008-09-17 19:02	(2)	-rahs-ot-	C:\WINDOWS\winstart.bat
2008-09-17 19:00 . 2008-09-17 19:49	<DIR>	d--------	C:\Program Files\UnHackMe
2008-09-17 16:02 . 2008-09-17 16:02	147,456	--a------	C:\WINDOWS\SYSTEM32\vbzip10.dll
2008-09-05 17:28 . 2008-09-05 17:28	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-08-27 14:03 . 2008-08-27 14:03	42,320	--a------	C:\WINDOWS\SYSTEM32\xfcodec.dll
2008-08-27 13:35 . 2007-02-28 02:08	2,147,840	--a------	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-08-26 23:08 . 2008-08-26 23:08	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Fugazo
2008-08-26 23:07 . 2008-08-26 23:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Trymedia
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\scripting
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\en
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\SYSTEM32\bits
2008-08-26 19:50 . 2008-08-27 13:48	<DIR>	d--------	C:\WINDOWS\l2schemas
2008-08-26 19:45 . 2004-08-10 03:00	71,040	---------	C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll
2008-08-26 19:07 . 2008-04-13 17:11	2,843,136	--a------	C:\WINDOWS\SYSTEM32\SET961.tmp
2008-08-26 18:46 . 2008-08-28 09:43	<DIR>	d--------	C:\WINDOWS\SYSTEM32\CatRoot_bak

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-21 19:36	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Xfire
2008-09-20 23:54	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 03:41	---------	d-s---w	C:\Program Files\Xfire
2008-09-19 01:02	---------	d-----w	C:\Documents and Settings\chevy\Application Data\ZoomBrowser EX
2008-09-18 03:00	---------	d-----w	C:\Program Files\LimeWire
2008-09-17 22:57	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Azureus
2008-09-16 03:35	139,128	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-09-16 03:35	111,928	----a-w	C:\WINDOWS\SYSTEM32\PnkBstrB.exe
2008-09-06 00:54	---------	d-----w	C:\Program Files\Canon
2008-09-06 00:26	---------	d-----w	C:\Program Files\Common Files\Canon
2008-08-27 21:12	---------	d-----w	C:\Program Files\Ascentive
2008-08-27 05:59	---------	d-----w	C:\Documents and Settings\chevy\Application Data\gtk-2.0
2008-08-27 03:10	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-24 03:07	---------	d-----w	C:\Program Files\Bonjour
2008-08-24 03:03	---------	d-----w	C:\Program Files\Speeditup Free
2008-08-24 03:02	---------	d-----w	C:\Program Files\MySpace
2008-08-24 02:59	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Winferno
2008-08-21 05:06	---------	d-----w	C:\Program Files\Free Offers from Freeze.com
2008-08-21 05:06	---------	d-----w	C:\Program Files\AWS
2008-08-21 05:06	---------	d-----w	C:\Documents and Settings\chevy\Application Data\WeatherBug
2008-08-20 07:49	---------	d-----w	C:\Program Files\Flickr Uploadr
2008-08-20 01:02	---------	d-----w	C:\Program Files\HD Tune
2008-08-13 21:58	---------	d-----w	C:\Documents and Settings\chevy\Application Data\BearShare
2008-08-12 05:50	---------	d-----w	C:\Program Files\BearShare Applications
2008-08-12 02:23	32,778	----a-w	C:\WINDOWS\Fonts\thematrix.zip
2008-08-12 02:07	81,312	----a-w	C:\WINDOWS\Fonts\fontz_1120_miltownmatrix.zip
2008-08-11 05:03	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Flickr
2008-08-09 23:09	---------	d-----w	C:\Program Files\GIMP-2.0
2008-08-04 22:27	---------	d-----w	C:\Program Files\UltraMon
2008-08-04 22:27	---------	d-----w	C:\Program Files\Common Files\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\chevy\Application Data\Realtime Soft
2008-08-04 22:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-08-04 22:15	---------	d-----w	C:\Program Files\Common Files\Stardock
2008-07-19 05:10	94,920	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 05:10	94,920	----a-w	C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 05:10	53,448	----a-w	C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 05:10	53,448	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 05:10	45,768	----a-w	C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 05:10	36,552	----a-w	C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 05:10	36,552	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wups.dll
2008-07-19 05:09	563,912	----a-w	C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 05:09	563,912	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 05:09	325,832	----a-w	C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 05:09	325,832	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 05:09	205,000	----a-w	C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 05:09	205,000	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 05:09	1,811,656	----a-w	C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 05:09	1,811,656	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\SYSTEM32\es.dll
2008-07-07 20:32	253,952	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\es.dll
2008-06-25 01:12	295,936	----a-w	C:\WINDOWS\SYSTEM32\wmpeffects.dll
2008-06-24 17:57	3,592,192	------w	C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-24 16:23	74,240	----a-w	C:\WINDOWS\SYSTEM32\DLLCACHE\mscms.dll
2007-12-25 17:58	22,328	----a-w	C:\Documents and Settings\chevy\Application Data\PnkBstrK.sys
2007-10-06 21:22	1,066,496	-csha-w	C:\Program Files\ehthumbs.db
2005-08-06 06:54	211,952	----a-w	C:\Program Files\new.sc3
2005-08-06 03:55	164,538	-c--a-w	C:\Program Files\new city.sc3
2005-07-29 22:52	56,192	----a-w	C:\Program Files\New City69.sc3
2005-07-07 23:07	251	----a-w	C:\Program Files\wt3d.ini
2003-05-27 03:08	8,964,958	----a-w	C:\Documents and Settings\chevy\SCXE26Setup.exe
2003-05-05 22:59	436,224	----a-w	C:\Documents and Settings\chevy\SCXEDirectoryFix.exe
2003-04-19 22:34	467,968	----a-w	C:\Documents and Settings\chevy\SCXEUpd.exe
.

------- Sigcheck -------

2005-03-01 17:36  2056832  d8aba3eab509627e707a3b14f00fbb6b	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 09:12  2059392  ba4b97c00a437c1cc3da365d93ee1e9d	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 02:15  2059392  4d3dbdccbf97f5ba1e74f322b155c3ba	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-03 20:59  2015232  fb142b7007ca2eea76966c6c5cc12150	C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-01 17:34  2015232  3cd941e472ddf3534e53038535719771	C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 05:55  2015744  bbb2322eb14ad9ad55b1024ffd4d88bf	C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 01:38  2057600  515d30e2c90a3665a2739309334c9283	C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
2008-04-13 11:31  2065792  109f8e3e3c82e337bb71b6bc9b895d61	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 01:38  2027520  54a8b9806027049f8b19f1274a63c7b4	C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2007-02-28 01:38  2015744  a58ac1c6199ef34228abee7fc057ae09	C:\WINDOWS\SYSTEM32\VITrans\ntkrnlpa.exe

2005-03-01 18:04  2179456  28187802b7c368c0d3aef7d4c382aabb	C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 09:51  2182016  cef243f6defd20be4adde26c7ecacb54	C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 02:55  2182144  5a5c8db4aa962c714c8371fbdf189fc9	C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-03 21:18  2148352  626309040459c3915997ef98ec1c8d40	C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-01 17:57  2135552  48b3e89af7074cee0314a3e0c7faffdb	C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 07:15  2136064  8318ed54797f3e513fd5817a1d4bbd18	C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 02:10  2180352  582a8dbaa58c3b1f176eb2817daee77c	C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
2008-04-13 12:27  2188928  0c89243c7c3ee199b96fcc16990e0679	C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 02:08  2147840  5fb20cabc9a81baaabbe63f30ffc5284	C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2007-02-28 02:08  2136064  1220faf071dea8653ee21de7dcda8bfd	C:\WINDOWS\SYSTEM32\VITrans\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-17 45056]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-10 90112]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 407032]
"StxTrayMenu"="C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-04 187496]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 202544]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-19 5361464]
"CTHelper"="CTHELPER.EXE" [2004-03-11 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]

C:\Documents and Settings\chevy\Start Menu\Programs\Startup\
AutoBackup Launcher.lnk - C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe [2006-12-14 214520]
PowerReg Scheduler V3.exe [2005-08-09 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
UltraMon.lnk - C:\WINDOWS\Installer\{AF0FA6D7-96F3-468A-ABB7-28BE006EA8E9}\IcoUltraMon.ico [2008-08-04 29310]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= IR41_32.DLL
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer for HDD Camcorder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ImageMixer for HDD Camcorder.lnk
backup=C:\WINDOWS\pss\ImageMixer for HDD Camcorder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup=C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^chevy^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\chevy\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 03:00 15360 C:\WINDOWS\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 10:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 14:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 14:56 64512 C:\WINDOWS\EHOME\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 17:24 50760 C:\Program Files\Common Files\AOL\1154645544\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
--------- 2002-05-29 01:23 258118 C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
--a------ 2004-09-20 02:27 65536 C:\Program Files\LClock\LClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-06-28 21:51 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-19 22:54 5361464 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 04:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb]
--a------ 2007-11-19 14:01 163840 C:\Program Files\ViOrb\ViOrb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]
--a------ 2007-11-20 14:51 524288 C:\Program Files\Vista Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart]
--a------ 2007-11-26 20:27 593920 C:\Program Files\ViStart\ViStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS [2007-07-19 20280]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 3584]
S1 agp4400;agp4400;C:\WINDOWS\system32\drivers\agp4400.sys [ ]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 18:29:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


**************************************************************************
.
Completion time: 2008-09-23 18:34:13
ComboFix-quarantined-files.txt  2008-09-24 01:32:59
ComboFix2.txt  2008-09-23 23:48:07
ComboFix3.txt  2008-09-21 01:43:26
ComboFix4.txt  2008-02-14 23:15:33
ComboFix5.txt  2008-09-24 01:18:41

Pre-Run: 179,333,509,120 bytes free
Post-Run: 179,293,990,912 bytes free

345	--- E O F ---	2008-09-10 22:01:21


----------



## MBGraphics

When I put in this command: notepad C:\WINDOWS\winstart.bat
into the Run dialog, just a blank Notepad pops up.


----------



## cohen

Just a tip: clear out your Incomplete folder for either LimeWire or FrostWire.

It is located here - C:\Documents and Settings\chevy\Incomplete


----------



## ceewi1

That's fine; if the file is empty there is no problem. It looks like ComboFix has done its job this time, just a couple more things I'd like to check.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:
*C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll*

Then click Send File. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Please repeat the process for the following file:

*C:\WINDOWS\SYSTEM32\SET961.tmp*

If that scanner is busy, please use this one: http://virusscan.jotti.org

Please also post a new HijackThis log and an update on how your system is running now.


----------



## MBGraphics

C:\WINDOWS\SYSTEM32\DRIVERS\_003269_.tmp.dll
Results:	0/36

C:\WINDOWS\SYSTEM32\SET961.tmp
Results:	0/36


And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:30 PM, on 9/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Memeo\AutoBackup\MemeoService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Xfire\Xfire.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.freewebs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [UserFaultCheck] C:\WINDOWS\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] "C:\Program Files\Rainlendar2\Rainlendar2.exe"
O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Memeo\AutoBackup\MemeoLauncher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: UltraMon.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136011116468
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

--
End of file - 11794 bytes




The computer is running *MUCH* better now.

Thank you all for the help!


----------



## ceewi1

OK, still one more malicious entry, although it's likely that the infection behind it has already been removed.

Please download *FixWareout*.

Save it to your desktop and run it. Click Next, then Install, make sure *Run fixit* is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Please post the text that will open (report.txt) in your next reply.

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries (where still present):
- *R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)*
- *O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)*
- *O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180*

Optionally, you may also check the following entry:

*O4 - Startup: PowerReg Scheduler V3.exe*
_This is a registration reminder that is used by a number of different companies. It is not needed, and some people think that it reports back to the company about your computer, so I suggest fixing it._

Please close all open windows except for HijackThis and choose *Fix checked*.

Please post a new HijackThis log along with the FixWareout report.

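The entries ceewi1 singles out above (an O17 NameServer pointing at resolvers the machine has no business using, and R3/O2 hooks left pointing at "(no file)") are easy to miss by eye in a log this long. The checker below is an added example, not code from this thread or from HijackThis/FixWareout; it assumes Python 3 and a constructed allowlist of expected resolvers (8.8.8.8 is used only as a stand-in for whatever the ISP or router actually hands out).

```python
"""Flag the kinds of HijackThis entries singled out in the thread above.

Added example; not code from the thread, HijackThis or FixWareout.  It reports:
  * O17 NameServer entries whose resolvers are neither private (router) addresses
    nor in a caller-supplied allowlist (the classic DNS-hijack symptom);
  * R3 URLSearchHook / O2 BHO entries whose target is "(no file)" (orphaned CLSIDs).
"""
import ipaddress
import re
from dataclasses import dataclass

# A handful of lines copied from the HijackThis log posted above (not the whole log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: "O17", "R3" or "O2"
    reason: str   # why the line was flagged
    line: str     # the log line itself


O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
HOOK_RE = re.compile(
    r"^(?P<section>R3|O2) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)


def unexpected_resolvers(servers, expected=frozenset()):
    """Return the NameServer tokens that are neither private/loopback nor allowlisted.

    `expected` holds the resolvers (as strings) the machine is known to use, e.g. the
    ISP's.  A token that is not even a valid IP address is returned as well.
    """
    allow = {ipaddress.ip_address(e) for e in expected}
    bad = []
    # HijackThis shows multiple resolvers separated by spaces or commas.
    for token in re.split(r"[\s,]+", servers.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            bad.append(token)
            continue
        if not (ip.is_private or ip.is_loopback or ip in allow):
            bad.append(token)
    return bad


def analyze(log_text, expected=frozenset()):
    """Scan HijackThis log text and return the suspicious entries found, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            bad = unexpected_resolvers(m.group("servers"), expected)
            if bad:
                findings.append(Finding("O17", "unrecognised DNS servers: " + ", ".join(bad), line))
            continue
        m = HOOK_RE.match(line)
        if m and m.group("target") == "(no file)":
            findings.append(Finding(m.group("section"),
                                    f"{m.group('kind')} {m.group('clsid')} points at a missing file",
                                    line))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: replace with the resolvers this machine is supposed to use.
    for f in analyze(SAMPLE_LOG, expected={"8.8.8.8"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed it the full log text and compare the O17 resolvers against what the ISP or router should be handing out; a public address nobody configured on purpose is the entry to fix.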

----------

