WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


S

2 posters

descriptionS EmptySystem Security Malware12th June 2009, 8:11 pm

more_horiz
This morning I became infected with the System Security 2009 Malware, after looking around online for solutions I tried to install anti-malware by malewarebytes, and even in safe mode I am unable to run the exe file to install. AVG did not detect anything during its scan, and when trying to run any sort of anti spyware programs in normal windows I receive the usual "this file is infected" answer. I'm currently not at home, but I will post my log file when I get home in about 20 minutes. Any help with this issue is greatly appreciated.

descriptionS EmptyRe: S12th June 2009, 8:15 pm

more_horiz
Hello.
Does Hijack This work on your machine with this malware?

So far, I only know one tool that works and to get it right, you need to follow my advice step by step and not do anything else, otherwise it will mess up the results.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 8:23 pm

more_horiz
Hijack this does work, and here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:22 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Downloads\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fulldotfinds.com/pubac/ac.php?aid=158&sid=clean12
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [18115464] C:\Documents and Settings\All Users\Application Data\18115464\18115464.exe
O4 - HKLM\..\Run: [98125456] C:\Documents and Settings\All Users\Application Data\98125456\98125456.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222790272796
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6391 bytes

descriptionS EmptyRe: S12th June 2009, 8:27 pm

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fulldotfinds.com/pubac/ac.php?aid=158&sid=clean12
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [18115464] C:\Documents and Settings\All Users\Application Data\18115464\18115464.exe
    O4 - HKLM\..\Run: [98125456] C:\Documents and Settings\All Users\Application Data\98125456\98125456.exeO20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 8:34 pm

more_horiz
I only had one Viewpoint thing to uninstall on Add/Remove Programs, but I removed it. After fixing the items you suggested on HijackThis, I was still unable to install the malware removal program. Running HijackThis again gives the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:47 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
D:\Downloads\hijackgpthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\AVG\AVG8\avgtray.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222790272796
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 5819 bytes

descriptionS EmptyRe: S12th June 2009, 8:39 pm

more_horiz
Rename the MBAM installer, see if it will install after being renamed.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 8:43 pm

more_horiz
No luck with that.

descriptionS EmptyRe: S12th June 2009, 8:47 pm

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    S CF_download_FF

    S CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    S Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    S Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 9:10 pm

more_horiz
ComboFix 09-06-12.02 - Administrator 06/12/2009 15:59.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3043 [GMT -5]
Running from: d:\downloads\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\18115464
c:\documents and settings\All Users\Application Data\98125456
c:\windows\system32\drivers\SKYNETowfietlq.sys
c:\windows\system32\drivers\UACrwftjkcdppupxbl.sys
c:\windows\system32\UACbrkfxbquamucctr.log
c:\windows\system32\UACejedomyfavxviqm.dll
c:\windows\system32\UACmrqrvfuvgyrpyum.dll
c:\windows\system32\UACobrwkrwxwhkwbpv.dll
c:\windows\system32\UACqijkipxrwujosri.dat
c:\windows\system32\UACqlrslxytpmovqta.db
c:\windows\system32\UACudnvrdjvablhtpn.dll
c:\windows\system32\UACvfjpmavbwubwvpi.log
c:\windows\system32\UACvkcdmcfmoyoutpq.log
c:\windows\system32\UACxodulbonbgonevs.dll
c:\windows\system32\UACyyaerobqlhftgts.dll
c:\documents and settings\All Users\Application Data\18115464\18115464.exe
c:\documents and settings\All Users\Application Data\18115464\18115464.glu
c:\documents and settings\All Users\Application Data\18115464\pc18115464cnf
c:\documents and settings\All Users\Application Data\18115464\pc18115464ins
c:\documents and settings\All Users\Application Data\98125456\98125456.exe
c:\program files\Manson\liser.dll
c:\program files\Manson\liser.exe
C:\tj.vbs
c:\windows\system32\drivers\SKYNETowfietlq.sys
c:\windows\system32\drivers\UACrwftjkcdppupxbl.sys
c:\windows\system32\SKYNETlssjbbun.dll
c:\windows\system32\SKYNETmwbnreae.dat
c:\windows\system32\SKYNETuheinsrg.dll
c:\windows\system32\UACbrkfxbquamucctr.log
c:\windows\system32\UACejedomyfavxviqm.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmrqrvfuvgyrpyum.dll
c:\windows\system32\UACobrwkrwxwhkwbpv.dll
c:\windows\system32\UACqijkipxrwujosri.dat
c:\windows\system32\UACqlrslxytpmovqta.db
c:\windows\system32\UACudnvrdjvablhtpn.dll
c:\windows\system32\UACvfjpmavbwubwvpi.log
c:\windows\system32\UACvkcdmcfmoyoutpq.log
c:\windows\system32\UACxodulbonbgonevs.dll
c:\windows\system32\UACyyaerobqlhftgts.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETtjuihaxg


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 17:12 . 2009-06-12 17:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-06-12 16:37 . 2009-06-12 21:00 -------- d-sh--r- c:\program files\Manson
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\iPod
2009-06-05 04:51 . 2009-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\Bonjour
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\QuickTime
2009-06-05 04:49 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 04:46 . 2009-06-05 04:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 17:07 . 2009-05-23 17:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-20 03:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-05-20 03:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-05-20 03:08 . 2008-10-27 15:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-05-20 03:08 . 2008-07-30 11:20 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-05-20 03:08 . 2008-07-10 16:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-20 03:08 . 2008-07-10 16:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:41 . 2008-10-07 01:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-12 20:28 . 2008-09-30 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-12 17:28 . 2009-06-12 17:28 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-12 17:28 . 2009-06-12 17:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 17:28 . 2009-06-12 17:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\program files\AVG
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:50 . 2008-09-30 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 04:49 . 2008-09-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 04:21 . 2008-09-30 17:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2009-05-29 18:36 . 2008-09-30 17:47 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 06:36 . 2009-06-10 11:28 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-10 11:28 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-10 11:28 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-10 11:28 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-10 11:28 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-10 11:28 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-10 11:28 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-10 11:28 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 09:22 . 2009-04-27 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-04-26 17:38 . 2009-04-26 17:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-24 18:09 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Macrovision
2009-04-23 22:09 . 2009-04-23 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 16:54 . 2008-09-30 20:49 62378 ----a-w- c:\windows\War3Unin.dat
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-09-30 17:48 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-09-30 16:41 . 2008-09-30 16:41 15083520 ----a-w- c:\program files\spybotsd160.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 18:38 1004800 ----a-w- d:\avg\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-07 626688]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"SunJavaUpdateSched"="d:\java\jre6\bin\jusched.exe" [2009-02-12 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-06-12 1948440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-9-30 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"d:\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Red Alert3\\Data\\ra3_1.4.game"=
"d:\\Steam\\steamapps\\xxxxxxxxxxx@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Hamachi\\hamachi.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"d:\\Red Alert3\\Data\\ra3_1.5.game"=
"d:\\Red Alert3\\Data\\ra3_1.6.game"=
"d:\\Steam\\Steam.exe"=
"d:\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"d:\\Steam\\steamapps\\xxxxxxxxxxxxx@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"d:\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"d:\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\insurgency\\hl2.exe"=
"d:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"d:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Steam\\steamapps\\common\\battlestations pacific - demo\\bspdemo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\AVG\\AVG8\\avgam.exe"=
"d:\\AVG\\AVG8\\avgdiag.exe"=
"d:\\AVG\\AVG8\\avgdiagex.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/12/2009 12:28 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 12:28 PM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 12:28 PM 327688]
S2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [6/12/2009 12:28 PM 298776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe


.

descriptionS EmptyRe: S12th June 2009, 9:11 pm

more_horiz
Here's the rest: it was too big to put all in one message.


------- Supplementary Scan -------
.
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8FD8A5D7-9511-025F-16B31A5B051F5A4D}\{7F4BC209-0230-7A50-936F3704F4AD01D8}\{4F172B6C-B722-D8DB-046FD06C67D2EAC6}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A8A45CF7-6BE6-B2C1-72491EAB2E9A6B2B}\{B617CAED-A840-2A11-665EBDF0B9E06934}\{20694653-0A9D-BD70-6F24016076B199C3}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}\{2DE0854A-58E2-477C-18CA38B62B72F56E}\{B78F9583-EE49-B075-5FB6B2640AC6C572}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1172)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-06-12 16:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 21:05

Pre-Run: 4,207,284,224 bytes free
Post-Run: 4,562,391,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

244 --- E O F --- 2009-06-11 08:01

descriptionS EmptyRe: S12th June 2009, 9:19 pm

more_horiz
Now open a new notepad file.
Input this into the notepad file:

Driver::
Viewpoint Manager Service

Folder::
c:\program files\Manson
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8FD8A5D7-9511-025F-16B31A5B051F5A4D}\{7F4BC209-0230-7A50-936F3704F4AD01D8}\{4F172B6C-B722-D8DB-046FD06C67D2EAC6}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A8A45CF7-6BE6-B2C1-72491EAB2E9A6B2B}\{B617CAED-A840-2A11-665EBDF0B9E06934}\{20694653-0A9D-BD70-6F24016076B199C3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DF771B98-AC91-34D8-F0EE49DCFFD7BEDE}\{02C90D3B-A401-D38F-0F8BFA977E327E75}\{1704AFF6-6AA2-2F70-F8B468ED602E6063}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}*]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
S Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 9:30 pm

more_horiz
ComboFix 09-06-12.02 - Administrator 06/12/2009 16:23.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3039 [GMT -5:00]
Running from: d:\downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Manson

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 17:12 . 2009-06-12 17:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\iPod
2009-06-05 04:51 . 2009-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\Bonjour
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\QuickTime
2009-06-05 04:49 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 04:46 . 2009-06-05 04:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 17:07 . 2009-05-23 17:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-20 03:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-05-20 03:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-05-20 03:08 . 2008-10-27 15:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-05-20 03:08 . 2008-07-30 11:20 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-05-20 03:08 . 2008-07-10 16:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-20 03:08 . 2008-07-10 16:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:41 . 2008-10-07 01:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-12 17:28 . 2009-06-12 17:28 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-12 17:28 . 2009-06-12 17:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 17:28 . 2009-06-12 17:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\program files\AVG
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:50 . 2008-09-30 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 04:49 . 2008-09-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 04:21 . 2008-09-30 17:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2009-05-29 18:36 . 2008-09-30 17:47 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 06:36 . 2009-06-10 11:28 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-10 11:28 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-10 11:28 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-10 11:28 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-10 11:28 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-10 11:28 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-10 11:28 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-10 11:28 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 09:22 . 2009-04-27 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-04-26 17:38 . 2009-04-26 17:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-24 18:09 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Macrovision
2009-04-23 22:09 . 2009-04-23 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 16:54 . 2008-09-30 20:49 62378 ----a-w- c:\windows\War3Unin.dat
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-09-30 17:48 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-09-30 16:41 . 2008-09-30 16:41 15083520 ----a-w- c:\program files\spybotsd160.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 18:38 1004800 ----a-w- d:\avg\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-07 626688]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"SunJavaUpdateSched"="d:\java\jre6\bin\jusched.exe" [2009-02-12 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-06-12 1948440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-9-30 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"d:\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Red Alert3\\Data\\ra3_1.4.game"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Hamachi\\hamachi.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"d:\\Red Alert3\\Data\\ra3_1.5.game"=
"d:\\Red Alert3\\Data\\ra3_1.6.game"=
"d:\\Steam\\Steam.exe"=
"d:\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"d:\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"d:\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\insurgency\\hl2.exe"=
"d:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"d:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Steam\\steamapps\\common\\battlestations pacific - demo\\bspdemo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\AVG\\AVG8\\avgam.exe"=
"d:\\AVG\\AVG8\\avgdiag.exe"=
"d:\\AVG\\AVG8\\avgdiagex.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/12/2009 12:28 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 12:28 PM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 12:28 PM 327688]
S2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [6/12/2009 12:28 PM 298776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}\{2DE0854A-58E2-477C-18CA38B62B72F56E}\{B78F9583-EE49-B075-5FB6B2640AC6C572}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
------------------------ Other Running Processes ------------------------
.
d:\lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-06-12 16:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 21:28
ComboFix2.txt 2009-06-12 21:05

Pre-Run: 4,573,454,336 bytes free
Post-Run: 4,564,738,048 bytes free

180 --- E O F --- 2009-06-11 08:01

descriptionS EmptyRe: S12th June 2009, 9:30 pm

more_horiz
ComboFix 09-06-12.02 - Administrator 06/12/2009 16:23.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3039 [GMT -5:00]
Running from: d:\downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Manson

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 17:12 . 2009-06-12 17:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\iPod
2009-06-05 04:51 . 2009-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\Bonjour
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\QuickTime
2009-06-05 04:49 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 04:46 . 2009-06-05 04:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 17:07 . 2009-05-23 17:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-20 03:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-05-20 03:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-05-20 03:08 . 2008-10-27 15:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-05-20 03:08 . 2008-07-30 11:20 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-05-20 03:08 . 2008-07-10 16:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-20 03:08 . 2008-07-10 16:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:41 . 2008-10-07 01:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-12 17:28 . 2009-06-12 17:28 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-12 17:28 . 2009-06-12 17:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 17:28 . 2009-06-12 17:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\program files\AVG
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:50 . 2008-09-30 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 04:49 . 2008-09-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 04:21 . 2008-09-30 17:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2009-05-29 18:36 . 2008-09-30 17:47 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 06:36 . 2009-06-10 11:28 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-10 11:28 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-10 11:28 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-10 11:28 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-10 11:28 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-10 11:28 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-10 11:28 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-10 11:28 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 09:22 . 2009-04-27 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-04-26 17:38 . 2009-04-26 17:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-24 18:09 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Macrovision
2009-04-23 22:09 . 2009-04-23 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 16:54 . 2008-09-30 20:49 62378 ----a-w- c:\windows\War3Unin.dat
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-09-30 17:48 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-09-30 16:41 . 2008-09-30 16:41 15083520 ----a-w- c:\program files\spybotsd160.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 18:38 1004800 ----a-w- d:\avg\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-07 626688]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"SunJavaUpdateSched"="d:\java\jre6\bin\jusched.exe" [2009-02-12 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-06-12 1948440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-9-30 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"d:\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Red Alert3\\Data\\ra3_1.4.game"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Hamachi\\hamachi.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"d:\\Red Alert3\\Data\\ra3_1.5.game"=
"d:\\Red Alert3\\Data\\ra3_1.6.game"=
"d:\\Steam\\Steam.exe"=
"d:\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"d:\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"d:\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\insurgency\\hl2.exe"=
"d:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"d:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Steam\\steamapps\\common\\battlestations pacific - demo\\bspdemo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\AVG\\AVG8\\avgam.exe"=
"d:\\AVG\\AVG8\\avgdiag.exe"=
"d:\\AVG\\AVG8\\avgdiagex.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/12/2009 12:28 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 12:28 PM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 12:28 PM 327688]
S2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [6/12/2009 12:28 PM 298776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}\{2DE0854A-58E2-477C-18CA38B62B72F56E}\{B78F9583-EE49-B075-5FB6B2640AC6C572}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
------------------------ Other Running Processes ------------------------
.
d:\lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-06-12 16:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 21:28
ComboFix2.txt 2009-06-12 21:05

Pre-Run: 4,573,454,336 bytes free
Post-Run: 4,564,738,048 bytes free

180 --- E O F --- 2009-06-11 08:01

descriptionS EmptyRe: S12th June 2009, 9:31 pm

more_horiz
ComboFix 09-06-12.02 - Administrator 06/12/2009 16:23.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3039 [GMT -5:00]
Running from: d:\downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Manson

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 17:12 . 2009-06-12 17:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\iPod
2009-06-05 04:51 . 2009-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\Bonjour
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\QuickTime
2009-06-05 04:49 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 04:46 . 2009-06-05 04:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 17:07 . 2009-05-23 17:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-20 03:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-05-20 03:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-05-20 03:08 . 2008-10-27 15:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-05-20 03:08 . 2008-07-30 11:20 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-05-20 03:08 . 2008-07-10 16:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-20 03:08 . 2008-07-10 16:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:41 . 2008-10-07 01:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-12 17:28 . 2009-06-12 17:28 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-12 17:28 . 2009-06-12 17:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 17:28 . 2009-06-12 17:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\program files\AVG
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 04:50 . 2008-09-30 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 04:49 . 2008-09-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 04:21 . 2008-09-30 17:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2009-05-29 18:36 . 2008-09-30 17:47 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 06:36 . 2009-06-10 11:28 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-10 11:28 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-10 11:28 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-10 11:28 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-10 11:28 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-10 11:28 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-10 11:28 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-10 11:28 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 09:22 . 2009-04-27 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-04-26 17:38 . 2009-04-26 17:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-24 18:09 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Macrovision
2009-04-23 22:09 . 2009-04-23 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 16:54 . 2008-09-30 20:49 62378 ----a-w- c:\windows\War3Unin.dat
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-09-30 17:48 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-09-30 16:41 . 2008-09-30 16:41 15083520 ----a-w- c:\program files\spybotsd160.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 18:38 1004800 ----a-w- d:\avg\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-07 626688]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"SunJavaUpdateSched"="d:\java\jre6\bin\jusched.exe" [2009-02-12 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-06-12 1948440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-9-30 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"d:\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Red Alert3\\Data\\ra3_1.4.game"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Hamachi\\hamachi.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"d:\\Red Alert3\\Data\\ra3_1.5.game"=
"d:\\Red Alert3\\Data\\ra3_1.6.game"=
"d:\\Steam\\Steam.exe"=
"d:\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"d:\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"d:\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\insurgency\\hl2.exe"=
"d:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"d:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Steam\\steamapps\\common\\battlestations pacific - demo\\bspdemo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\AVG\\AVG8\\avgam.exe"=
"d:\\AVG\\AVG8\\avgdiag.exe"=
"d:\\AVG\\AVG8\\avgdiagex.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/12/2009 12:28 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 12:28 PM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 12:28 PM 327688]
S2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [6/12/2009 12:28 PM 298776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}\{2DE0854A-58E2-477C-18CA38B62B72F56E}\{B78F9583-EE49-B075-5FB6B2640AC6C572}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
------------------------ Other Running Processes ------------------------
.
d:\lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Completion time: 2009-06-12 16:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-12 21:28
ComboFix2.txt 2009-06-12 21:05

Pre-Run: 4,573,454,336 bytes free
Post-Run: 4,564,738,048 bytes free

180 --- E O F --- 2009-06-11 08:01

descriptionS EmptyRe: S12th June 2009, 9:32 pm

more_horiz
Errr, sorry about the triple post, I keep getting some strange errors about connection lost or no post mode selected.

descriptionS EmptyRe: S12th June 2009, 9:33 pm

more_horiz
Hello.
Made a slight copy/paste error in my last script, so we need to do another CFScript, then that should do it.

Now open a new notepad file.
Input this into the notepad file:

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9F9DEBB-68B5-F470-73ABBBDFE6B7698C}\{2DE0854A-58E2-477C-18CA38B62B72F56E}\{B78F9583-EE49-B075-5FB6B2640AC6C572}*]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
S Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 9:39 pm

more_horiz
ComboFix 09-06-12.02 - Administrator 06/12/2009 16:36.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3043 [GMT -5:00]
Running from: d:\downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-12 20:32 . 2009-06-12 20:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-06-12 18:54 . 2009-06-12 18:54 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-06-12 17:28 . 2009-06-12 17:28 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-12 17:28 . 2009-06-12 17:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 17:28 . 2009-06-12 17:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\program files\AVG
2009-06-12 17:28 . 2009-06-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-12 17:12 . 2009-06-12 17:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\iPod
2009-06-05 04:51 . 2009-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\Bonjour
2009-06-05 04:51 . 2009-06-05 04:51 -------- d-----w- c:\program files\QuickTime
2009-06-05 04:49 . 2009-05-29 18:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 04:46 . 2009-06-05 04:46 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-23 17:07 . 2009-05-23 17:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-20 03:08 . 2008-10-10 09:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-05-20 03:08 . 2008-10-10 09:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-05-20 03:08 . 2008-10-27 15:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-05-20 03:08 . 2008-07-30 11:20 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-05-20 03:08 . 2008-07-10 16:01 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-05-20 03:08 . 2008-07-10 16:00 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 20:41 . 2008-10-07 01:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-05 04:50 . 2008-09-30 17:47 -------- d-----w- c:\program files\Common Files\Apple
2009-06-05 04:49 . 2008-09-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 04:21 . 2008-09-30 17:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Apple Computer
2009-05-29 18:36 . 2008-09-30 17:47 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-19 06:36 . 2009-06-10 11:28 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 06:36 . 2009-06-10 11:28 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 06:36 . 2009-06-10 11:28 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 06:36 . 2009-06-10 11:28 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 06:36 . 2009-06-10 11:28 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 06:36 . 2009-06-10 11:28 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 06:36 . 2009-06-10 11:28 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 06:36 . 2009-06-10 11:28 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-27 09:22 . 2009-04-27 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-04-26 17:38 . 2009-04-26 17:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-04-24 18:09 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Admin\Application Data\Macrovision
2009-04-23 22:09 . 2009-04-23 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2003-03-31 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-20 16:54 . 2008-09-30 20:49 62378 ----a-w- c:\windows\War3Unin.dat
2009-03-19 21:32 . 2009-03-19 21:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-09-30 17:48 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-09-30 16:41 . 2008-09-30 16:41 15083520 ----a-w- c:\program files\spybotsd160.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 18:38 1004800 ----a-w- d:\avg\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
"CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-09-07 626688]
"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"SunJavaUpdateSched"="d:\java\jre6\bin\jusched.exe" [2009-02-12 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-29 185872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="d:\avg\AVG8\avgtray.exe" [2009-06-12 1948440]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - d:\logitech\SetPoint\SetPoint.exe [2008-9-30 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-12 17:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Warcraft III\\Listchecker\\pickup.listchecker.exe"=
"d:\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Red Alert3\\Data\\ra3_1.4.game"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\counter-strike source\\hl2.exe"=
"d:\\Hamachi\\hamachi.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"d:\\Red Alert3\\Data\\ra3_1.5.game"=
"d:\\Red Alert3\\Data\\ra3_1.6.game"=
"d:\\Steam\\Steam.exe"=
"d:\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"d:\\Gunbound\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"d:\\Steam\\steamapps\\common\\tom clancy's h.a.w.x - demo\\HAWX.exe"=
"d:\\Steam\\steamapps\\ledzeppelin16@hotmail.com\\insurgency\\hl2.exe"=
"d:\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"d:\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"d:\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"d:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"d:\\Steam\\steamapps\\common\\battlestations pacific - demo\\bspdemo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\AVG\\AVG8\\avgam.exe"=
"d:\\AVG\\AVG8\\avgdiag.exe"=
"d:\\AVG\\AVG8\\avgdiagex.exe"=
"d:\\AVG\\AVG8\\avgupd.exe"=
"d:\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [6/12/2009 12:28 PM 12552]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/12/2009 12:28 PM 108552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/12/2009 12:28 PM 327688]
S2 avg8wd;AVG8 WatchDog;d:\avg\AVG8\avgwdsvc.exe [6/12/2009 12:28 PM 298776]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 4:10 PM 32512]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\msi.dll
.
Completion time: 2009-06-12 16:38
ComboFix-quarantined-files.txt 2009-06-12 21:38
ComboFix2.txt 2009-06-12 21:28
ComboFix3.txt 2009-06-12 21:05

Pre-Run: 4,570,218,496 bytes free
Post-Run: 4,560,666,624 bytes free

168 --- E O F --- 2009-06-11 08:01

descriptionS EmptyRe: S12th June 2009, 9:41 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

S CF_Cleanup

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S12th June 2009, 9:44 pm

more_horiz
I've been running in safemode....do I need to run the malware software that you told me to download or should I be ok to run Windows normally?

descriptionS EmptyRe: S12th June 2009, 9:45 pm

more_horiz
Boot back to normal mode now. Everything should be stable now, the rootkits are gone, the system security is gone.

Run an MBAM scan anyway, make sure you have the latest database.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
S DXwU4
S VvYDg

descriptionS EmptyRe: S

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum