pc antispyware 2010 + win32.crypto + possible others?

my dad was trying to install something a few nights ago and was having issues with it. he thought that my anti virus (free symantec stuff) was interfering with the install and uninstalled my anti virus program and my malwarebytes program. we apparently "caught" something when looking for solutions and i've been have issues ever since.

it started with the little fake icon (red circle with an X) in my tray that has a popup that reads "warning! your computer is infected! windows has detected spyware infection! it is recommended to use special anti-spyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you. click here to protect your computer from spyware!".

when looking for articles related to this rogue spyware, google will not open my links up. instead, another tab opens in firefox that is definitely not what i was looking for. i am, however, able to copy link location and go directly to. i spent last night and all of today trying to do everything. i am not able to install nearly any file downloaded... i've tried renaming the files, etc. malwarebytes goes through the install process, but will not finalize and therefore does not install. i got f-secure to install, but cannot get it to run a scan. i tried f-secures online scan... it finds files but fails to remove them. i got AVG to install, and it's what told me about the "win.32 crypto". but AVG tends to lock up when it sits too long. i even tried spyware doctor. it installed, but the anti virus files were skipped (imagine that!).

so, here i am now... my pc is so sick that it's starting to rub off on me (no sleep in the past 30 hours). a friend recommended that i boot outside of windows, but that's kinda hard when your burner is on the fritz. i'm really out of ideas and could really use some help. i've downloaded the HJT and made a log. and on a weird note, the red circle with X disappeared shortly after... but i know it's still in there somewhere, sneaky bastard.

thanks in advance for any help offered.

Last edited by JupiterGuns on 13th August 2009, 10:08 am; edited 1 time in total

completely forgot to mention... there is also audio running somewhere deep in my background. it sounds like channel surfing to me. ie: cooking shows, movies, porn, cnn-type news, etc. maybe that info will help, as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:56 AM, on 8/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\ih8.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\ih8run.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\fsus.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\ih8.exe
C:\Program Files\F-Secure Internet Security\FSAUA\program\ih8run.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Calorie Count Plus Toolbar - {A057A204-BACC-4D26-DFC4-6BAE8BAD3DC9} - C:\PROGRA~1\ccptb\ccptb.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\0e9f004a1.dll""
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\0e9f004a1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\0e9f004a1.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://irc.pugsandkellylive.com/Java/cfs31235.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238530611574
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238530603432
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O18 - Filter hijack: text/html - {fd5a6bff-c815-4424-8757-0ae28d62b13c} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\ORSP Client\fsorsp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSAgentsrv Server (nt-dll) - NetGroup - Politecnico di Torino - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 13084 bytes

Last edited by JupiterGuns on 13th August 2009, 7:59 am; edited 1 time in total (Reason for editing : added issue and HJT log.)

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [PC Antispyware 2010] "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide
  O4 - HKLM\..\Run: [braviax] braviax.exe
  O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Administrator\Application Data\Macromedia\Common\0e9f004a1.dll""
  O4 - HKCU\..\Run: [Monopod] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\b.exe
  O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
  O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\0e9f004a1.dll"" (User 'LOCAL SERVICE')
  O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\0e9f004a1.dll"" (User 'NETWORK SERVICE')
  O18 - Filter hijack: text/html - {fd5a6bff-c815-4424-8757-0ae28d62b13c} - C:\WINDOWS\system32\mst123.dll
  O20 - AppInit_DLLs: cru629.dat
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

deleted this post. i left the malwarebytes install screen open for nearly 15-20 minutes, but it did just start. i will post the log when completed.

i let malwarebytes go through the complete installation. the "updates" box was checked and i left it to do it's business. the setup closed and there has been no activity since. i double-click to open malwarebytes and it doesn't respond.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

as i mentioned in my original post... i have no cd-rom right now, so, i was not able to "insert xp professional cd" when prompted, but i went ahead and let combo-fix runs its course. here's the log:



ComboFix 09-08-10.06 - Administrator 08/14/2009 14:31.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1510 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-527237240-1957994488-839522115-1003
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\cujeteti._dl
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\fyza.db
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\havakyqyjy._dl
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\jabanupas.exe
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\jyqiv.bat
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\kiqapy.ban
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\lygosajyra.dll
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\nywa.inf
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\pyxy._sy
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\quloxu.db
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\safylubok.dll
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\soxer.sys
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\ybejir.bat
c:\program files\Common
c:\program files\Common\helper.sig
c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\INSTALL.LOG
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\recycler\S-1-5-21-1275210071-507921405-1957994488-500
c:\recycler\S-1-5-21-2212375132-2158911047-3434047591-500
c:\recycler\S-1-5-21-2766340467-1821611952-4103840309-500
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Fonts\._DIRTC___.ttf
c:\windows\Fonts\._MONBIJOUX.ttf
c:\windows\Fonts\._PEIXE___.ttf
c:\windows\Installer\110e261.msp
c:\windows\Installer\110f29d.msp
c:\windows\Installer\1122b68.msp
c:\windows\Installer\1123f15.msp
c:\windows\Installer\1186683.msp
c:\windows\Installer\11a961.msp
c:\windows\Installer\12bf71f.msp
c:\windows\Installer\1387b7f.msp
c:\windows\Installer\13da3a2.msp
c:\windows\Installer\1a9cc93d.msi
c:\windows\Installer\1e38b5.msp
c:\windows\Installer\231bf671.msi
c:\windows\Installer\25ae7c.msp
c:\windows\Installer\2620ac3.msp
c:\windows\Installer\2c181.msp
c:\windows\Installer\3148e.msp
c:\windows\Installer\36401.msp
c:\windows\Installer\37c368.msp
c:\windows\Installer\3895d.msp
c:\windows\Installer\41f26.msp
c:\windows\Installer\45e1b5.msp
c:\windows\Installer\4656a0.msp
c:\windows\Installer\46ac8a.msp
c:\windows\Installer\4a11a.msp
c:\windows\Installer\52a5c4.msp
c:\windows\Installer\593934.msp
c:\windows\Installer\59b369.msp
c:\windows\Installer\62007e3.msp
c:\windows\Installer\70fa3.msp
c:\windows\Installer\7884a5.msp
c:\windows\Installer\8165c.msp
c:\windows\Installer\8b8f9.msp
c:\windows\Installer\8c9d8b.msp
c:\windows\Installer\9e7686.msp
c:\windows\Installer\a6d804b.msi
c:\windows\Installer\c00c17.msp
c:\windows\Installer\c1b64a.msp
c:\windows\Installer\c46fd1.msp
c:\windows\Installer\c62ccb.msi
c:\windows\Installer\cd3bd8.msp
c:\windows\Installer\d00d3b.msp
c:\windows\Installer\d1de51.msp
c:\windows\Installer\d1febf.msp
c:\windows\Installer\d3dffc.msp
c:\windows\Installer\daaf63.msp
c:\windows\Installer\dee8f2.msp
c:\windows\Installer\e43b7d.msp
c:\windows\Installer\ec9bdd.msp
c:\windows\Installer\eccec1.msp
c:\windows\Installer\ef967.msp
c:\windows\Installer\f9ca9c6.msp
c:\windows\Installer\fb722d.msp
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\SKYNETprjklyfw.sys
c:\windows\system32\drivers\UACxbqpulrmpf.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SKYNETxvngsnvm.dll
c:\windows\system32\UACddapbaeulk.dll
c:\windows\system32\UACfpqbblxwpu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmuruxeiqhy.dll
c:\windows\system32\UACwqwavgmyjx.dat
c:\windows\system32\WanPacket.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://opex
c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SKYNETesixrobr
-------\Legacy_UACd.sys
-------\Service_NPF
-------\Service_SKYNETesixrobr
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-13 21:07 . 2009-08-13 21:07 12349 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\lytukasagu.exe
2009-08-13 21:07 . 2009-08-13 21:07 16092 ----a-w- c:\windows\system32\iqijyqewet.exe
2009-08-13 21:07 . 2009-08-13 21:07 11911 ----a-w- c:\program files\Common Files\ypivivaryk.vbs
2009-08-13 21:07 . 2009-08-13 21:07 15174 ----a-w- c:\windows\hobumemona.vbs
2009-08-13 21:07 . 2009-08-13 21:07 11427 ----a-w- c:\windows\ugip.dll
2009-08-13 21:07 . 2009-08-13 21:07 13316 ----a-w- c:\documents and settings\Administrator\Application Data\vuki.pif
2009-08-13 21:07 . 2009-08-13 21:07 15831 ----a-w- c:\windows\cuviwi.exe
2009-08-13 21:07 . 2009-08-13 21:07 15794 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\mutevirace.bin
2009-08-13 21:07 . 2009-08-13 21:07 17743 ----a-w- c:\windows\colukos.dll
2009-08-13 20:12 . 2009-08-13 20:12 18770 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ocywotydur.vbs
2009-08-13 20:12 . 2009-08-13 20:12 18343 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\arog.bin
2009-08-13 20:12 . 2009-08-13 20:12 18279 ----a-w- c:\windows\system32\ymyzycydiz.com
2009-08-13 20:12 . 2009-08-13 20:12 12645 ----a-w- c:\program files\Common Files\ixep.scr
2009-08-13 20:12 . 2009-08-13 20:12 11009 ----a-w- c:\windows\ropinuje.scr
2009-08-13 13:23 . 2009-08-13 13:23 12728 ----a-w- c:\windows\igejok.reg
2009-08-13 13:23 . 2009-08-13 13:23 18595 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\qima.com
2009-08-13 13:23 . 2009-08-13 13:23 18200 ----a-w- c:\windows\fojanazyni.com
2009-08-13 13:23 . 2009-08-13 13:23 16971 ----a-w- c:\windows\utici.scr
2009-08-13 13:23 . 2009-08-13 13:23 14119 ----a-w- c:\windows\system32\ofavuha.vbs
2009-08-13 13:23 . 2009-08-13 13:23 13807 ----a-w- c:\documents and settings\Administrator\Application Data\tidakij.dll
2009-08-13 09:11 . 2009-08-13 09:11 17343 ----a-w- c:\windows\yvah.dll
2009-08-13 09:11 . 2009-08-13 09:11 17256 ----a-w- c:\windows\yzum.sys
2009-08-13 09:11 . 2009-08-13 09:11 16921 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\cuxoni.sys
2009-08-13 09:11 . 2009-08-13 09:11 15351 ----a-w- c:\program files\Common Files\anysuwa.dll
2009-08-13 09:11 . 2009-08-13 09:11 15299 ----a-w- c:\windows\iboqazu.bat
2009-08-13 09:11 . 2009-08-13 09:11 15179 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\tusuhes.bat
2009-08-13 09:11 . 2009-08-13 09:11 14322 ----a-w- c:\documents and settings\Administrator\Application Data\kavorocesu.exe
2009-08-13 09:11 . 2009-08-13 09:11 13328 ----a-w- c:\windows\toqodup.bin
2009-08-13 09:11 . 2009-08-13 09:11 12385 ----a-w- c:\documents and settings\Administrator\Application Data\buqipo.pif
2009-08-13 09:11 . 2009-08-13 09:11 11787 ----a-w- c:\program files\Common Files\tuvi.scr
2009-08-13 05:05 . 2009-08-13 05:05 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-08-13 05:05 . 2009-08-13 05:05 -------- d-----w- c:\program files\Alex Feinman
2009-08-12 20:52 . 2009-08-12 20:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2009-08-12 07:22 . 2009-08-12 07:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-12 07:15 . 2009-08-12 07:15 26624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-08-12 00:20 . 2009-08-12 00:20 19447 ----a-w- c:\windows\system32\zusolysuw.pif
2009-08-12 00:20 . 2009-08-12 00:20 18510 ----a-w- c:\windows\ditaxa.reg
2009-08-12 00:20 . 2009-08-12 00:20 17481 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\gamutubu.bat
2009-08-12 00:20 . 2009-08-12 00:20 16306 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\azyt.sys
2009-08-12 00:20 . 2009-08-12 00:20 15792 ----a-w- c:\windows\system32\jeqyfok.scr
2009-08-12 00:20 . 2009-08-12 00:20 15089 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\bezok.sys
2009-08-12 00:20 . 2009-08-12 00:20 14409 ----a-w- c:\windows\system32\iqaworezi.reg
2009-08-12 00:20 . 2009-08-12 00:20 13770 ----a-w- c:\documents and settings\Administrator\Application Data\hotamup.scr
2009-08-12 00:20 . 2009-08-12 00:20 11463 ----a-w- c:\documents and settings\Administrator\Application Data\miki.scr
2009-08-11 23:57 . 2009-08-11 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\F-Secure
2009-08-11 23:51 . 2009-08-11 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2009-08-11 23:46 . 2009-08-11 23:46 14648 ----a-w- c:\program files\Common Files\yfuzafa.pif
2009-08-11 23:46 . 2009-08-11 23:46 17050 ----a-w- c:\program files\Common Files\unomobul.bin
2009-08-11 23:46 . 2009-08-11 23:46 18460 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ejogenydax.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18265 ----a-w- c:\windows\lusylytod.dll
2009-08-11 23:46 . 2009-08-11 23:46 18793 ----a-w- c:\windows\utimomo.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18098 ----a-w- c:\program files\Common Files\hukag.pif
2009-08-11 23:46 . 2009-08-11 23:46 18398 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rasamapu.bin
2009-08-11 23:46 . 2009-08-11 23:46 18991 ----a-w- c:\windows\owohoka.vbs
2009-08-11 23:43 . 2009-08-13 08:51 -------- d-----w- c:\program files\F-Secure Internet Security
2009-08-11 23:37 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-08-11 23:36 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\CCPTB
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-11 23:21 . 2009-08-12 19:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\fssg
2009-08-11 23:18 . 2009-08-12 20:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\f-secure
2009-08-11 13:48 . 2009-08-11 13:48 -------- d-----w- c:\program files\AVG
2009-08-11 13:08 . 2009-08-11 13:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\MalwareRemovalBot
2009-08-07 05:05 . 2003-07-24 17:01 606720 ----a-w- c:\temp\SFDNWIN.exe
2009-08-07 05:05 . 2009-08-07 05:05 -------- d-----w- C:\Temp
2009-08-07 05:05 . 2008-01-24 10:37 2097152 ----a-w- c:\temp\autorun.bin
2009-08-07 01:15 . 2009-08-07 01:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-08-06 18:49 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-06 18:49 . 2008-04-14 05:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-07-18 19:08 . 2009-07-18 19:08 2141 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-16 04:19 . 2009-07-16 08:30 -------- d-----w- c:\program files\Graboid
2009-07-16 02:49 . 2009-07-16 02:49 766 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{F1B58743-123D-4748-9FDD-F1FA0E463662}\_6FEFF9B68218417F98F549.exe
2009-07-16 02:49 . 2009-07-16 02:49 -------- d-----w- c:\program files\West Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 19:08 . 2008-12-09 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple
2009-08-14 08:14 . 2009-05-10 18:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-13 21:07 . 2009-08-13 21:07 19656 ----a-w- c:\program files\Common Files\jemoqap.dl
2009-08-13 20:12 . 2009-08-13 20:12 18068 ----a-w- c:\program files\Common Files\awuv.ban
2009-08-13 20:12 . 2009-08-13 20:12 15706 ----a-w- c:\program files\Common Files\aceb.inf
2009-08-13 20:12 . 2009-08-13 20:12 12294 ----a-w- c:\program files\Common Files\ywenoqoc._dl
2009-08-13 20:12 . 2009-08-13 20:12 11620 ----a-w- c:\program files\Common Files\kicowuren.db
2009-08-13 13:23 . 2009-08-13 13:23 19431 ----a-w- c:\documents and settings\Administrator\Application Data\ebiqewa.bin
2009-08-13 13:23 . 2009-08-13 13:23 11103 ----a-w- c:\documents and settings\Administrator\Application Data\basuf.bin
2009-08-13 13:23 . 2009-08-13 13:23 14581 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\gusopu.bat
2009-08-13 09:11 . 2009-08-13 09:11 11978 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\foxizom.dll
2009-08-13 09:11 . 2009-08-13 09:11 10061 ----a-w- c:\program files\Common Files\wotohymazi.lib
2009-08-13 05:13 . 2009-02-28 17:37 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-12 00:20 . 2009-08-12 00:20 18267 ----a-w- c:\program files\Common Files\piga.ban
2009-08-11 23:46 . 2009-08-11 23:46 14577 ----a-w- c:\program files\Common Files\fejytado.inf
2009-08-11 23:36 . 2009-01-24 03:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2009-08-11 21:38 . 2008-12-25 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2009-08-11 12:50 . 2009-08-11 12:49 1234492 ----a-w- c:\windows\system32\xa.tmp
2009-08-06 20:03 . 2004-03-26 21:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\program files\Symantec
2009-08-06 20:03 . 2004-11-16 13:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-16 08:30 . 2009-07-06 03:14 -------- d-----w- c:\program files\VideoLAN
2009-07-11 01:13 . 2009-07-11 01:13 2095 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-07-10 17:25 . 2009-07-10 17:25 1878984 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-08 08:01 . 2009-07-07 03:04 -------- d-----w- c:\program files\DivX
2009-07-07 17:01 . 2004-12-15 19:21 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-07-06 05:09 . 2009-07-06 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
2009-07-06 04:17 . 2009-07-06 04:17 18944 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
2009-07-06 04:17 . 2009-07-06 04:17 17408 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\auth.dll
2009-07-06 04:17 . 2009-07-06 04:17 8192 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
2009-07-06 03:27 . 2009-07-06 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-07-06 03:17 . 2009-07-06 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-06-29 16:12 . 2004-01-21 22:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-11-15 22:41 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 13:06 . 2009-05-06 14:05 -------- d-----w- c:\program files\Coupons
2009-06-24 03:13 . 2009-06-24 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\ccptb
2009-06-24 02:50 . 2009-06-24 02:50 -------- d-----w- c:\program files\ccptb
2009-06-22 01:01 . 2009-06-22 01:01 1089 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-22 01:00 . 2009-06-22 00:59 -------- d-----w- c:\program files\Pidgin
2009-06-22 00:59 . 2008-12-09 21:43 -------- d-----w- c:\program files\Common Files\GTK
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 21:43 . 2006-08-30 22:44 180224 ----a-w- c:\windows\system32\VTTrayp.exe
2009-06-05 21:43 . 2006-08-31 18:17 1884160 ----a-w- c:\windows\system32\vticd.dll
2009-06-05 21:43 . 2006-08-31 18:06 264704 ----a-w- c:\windows\system32\drivers\vtmini.sys
2009-06-05 21:43 . 2006-08-03 19:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
2009-06-05 21:43 . 2006-06-20 16:21 327680 ----a-w- c:\windows\system32\VTInfo2.dll
2009-06-05 21:43 . 2006-05-22 19:49 593920 ----a-w- c:\windows\system32\VTovrlay.dll
2009-06-05 21:43 . 2006-08-31 18:06 3516032 ----a-w- c:\windows\system32\vtdisp.dll
2009-06-05 21:43 . 2006-08-25 18:47 651264 ----a-w- c:\windows\system32\VTDisply.dll
2009-06-05 21:43 . 2006-06-22 22:05 462848 ----a-w- c:\windows\system32\VTGamma2.dll
2009-06-05 21:43 . 2005-11-01 15:35 28672 ----a-w- c:\windows\system32\VModes.exe
2009-06-03 19:09 . 2004-03-26 15:20 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 05:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-01 577536]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2009-06-05 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2009-06-05 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-15 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IPV]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9998:TCP"= 9998:TCP
"443:TCP"= 443:TCP

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/12/2009 2:15 AM 26624]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/15/2008 10:24 AM 11264]
S2 IPV;IPv6-Help Service; [x]
S2 nt-dll;MSAgentsrv Server; [x]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [3/25/2004 5:24 PM 281856]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [?]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [9/16/2006 6:23 PM 47360]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [11/17/2004 3:38 PM 37708]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-BO1HelperStartUp - c:\progra~1\BUTTER~1\BO1HEL~1.EXE
Notify-AtiExtEvent - (no file)
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: ChatSpace Full Java Client 3.1.0.235 - hxxp://irc.pugsandkellylive.com/Java/cfs31235.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\t591ljdz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 14:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\F-Secure Internet Security\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure Internet Security\Common\FCH32.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\F-Secure Internet Security\Common\FAMEH32.EXE
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\F-Secure Internet Security\FSGUI\fsguidll.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsaua.exe
c:\windows\system32\msiexec.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsus.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-08-14 14:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 19:52

Pre-Run: 139,859,079,168 bytes free
Post-Run: 141,165,158,400 bytes free

403 --- E O F --- 2009-07-29 17:01

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
IPV
nt-dll

File::
c:\documents and settings\Administrator\Local Settings\Application Data\lytukasagu.exe
c:\windows\system32\iqijyqewet.exe
c:\program files\Common Files\ypivivaryk.vbs
c:\windows\hobumemona.vbs
c:\windows\ugip.dll
c:\documents and settings\Administrator\Application Data\vuki.pif
c:\windows\cuviwi.exe
c:\documents and settings\Administrator\Local Settings\Application Data\mutevirace.bin
c:\windows\colukos.dll
c:\documents and settings\Administrator\Local Settings\Application Data\ocywotydur.vbs
c:\documents and settings\Administrator\Local Settings\Application Data\arog.bin
c:\windows\system32\ymyzycydiz.com
c:\program files\Common Files\ixep.scr
c:\windows\ropinuje.scr
c:\windows\igejok.reg
c:\documents and settings\Administrator\Local Settings\Application Data\qima.com
c:\windows\fojanazyni.com
c:\windows\utici.scr
c:\windows\system32\ofavuha.vbs
c:\documents and settings\Administrator\Application Data\tidakij.dll
c:\windows\yvah.dll
c:\windows\yzum.sys
c:\documents and settings\Administrator\Local Settings\Application Data\cuxoni.sys
c:\program files\Common Files\anysuwa.dll
c:\windows\iboqazu.bat
c:\documents and settings\Administrator\Local Settings\Application Data\tusuhes.bat
c:\documents and settings\Administrator\Application Data\kavorocesu.exe
c:\windows\toqodup.bin
c:\documents and settings\Administrator\Application Data\buqipo.pif
c:\program files\Common Files\tuvi.scr
c:\windows\system32\zusolysuw.pif
c:\windows\ditaxa.reg
c:\documents and settings\Administrator\Local Settings\Application Data\gamutubu.bat
c:\documents and settings\Administrator\Local Settings\Application Data\azyt.sys
c:\windows\system32\jeqyfok.scr
c:\documents and settings\Administrator\Local Settings\Application Data\bezok.sys
c:\windows\system32\iqaworezi.reg
c:\documents and settings\Administrator\Application Data\hotamup.scr
c:\documents and settings\Administrator\Application Data\miki.scr
c:\program files\Common Files\yfuzafa.pif
c:\program files\Common Files\unomobul.bin
c:\documents and settings\Administrator\Local Settings\Application Data\ejogenydax.vbs
c:\windows\lusylytod.dll
c:\windows\utimomo.vbs
c:\program files\Common Files\hukag.pif
c:\documents and settings\Administrator\Local Settings\Application Data\rasamapu.bin
c:\windows\owohoka.vbs
c:\temp\autorun.bin
c:\program files\Common Files\jemoqap.dl
c:\program files\Common Files\awuv.ban
c:\program files\Common Files\aceb.inf
c:\program files\Common Files\ywenoqoc._dl
c:\program files\Common Files\kicowuren.db
c:\documents and settings\Administrator\Application Data\ebiqewa.bin
c:\documents and settings\Administrator\Application Data\basuf.bin
c:\docume~1\ALLUSE~1\APPLIC~1\gusopu.bat
c:\docume~1\ALLUSE~1\APPLIC~1\foxizom.dll
c:\program files\Common Files\wotohymazi.lib
c:\program files\Common Files\piga.ban
c:\program files\Common Files\fejytado.inf
c:\windows\system32\xa.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Last edited by Belahzur on 15th August 2009, 1:59 am; edited 1 time in total

.

What does mean?
A dot?

sorry. i couldn't delete the post, so, i left a dot. sorry. log time:

ComboFix 09-08-10.06 - Administrator 08/14/2009 16:07.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1472 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPV
-------\Legacy_NT-DLL
-------\Service_IPV
-------\Service_nt-dll


((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-14 20:23 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 20:23 . 2009-08-14 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 20:23 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 21:07 . 2009-08-13 21:07 12349 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\lytukasagu.exe
2009-08-13 21:07 . 2009-08-13 21:07 16092 ----a-w- c:\windows\system32\iqijyqewet.exe
2009-08-13 21:07 . 2009-08-13 21:07 11911 ----a-w- c:\program files\Common Files\ypivivaryk.vbs
2009-08-13 21:07 . 2009-08-13 21:07 15174 ----a-w- c:\windows\hobumemona.vbs
2009-08-13 21:07 . 2009-08-13 21:07 11427 ----a-w- c:\windows\ugip.dll
2009-08-13 21:07 . 2009-08-13 21:07 13316 ----a-w- c:\documents and settings\Administrator\Application Data\vuki.pif
2009-08-13 21:07 . 2009-08-13 21:07 15831 ----a-w- c:\windows\cuviwi.exe
2009-08-13 21:07 . 2009-08-13 21:07 15794 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\mutevirace.bin
2009-08-13 21:07 . 2009-08-13 21:07 17743 ----a-w- c:\windows\colukos.dll
2009-08-13 20:12 . 2009-08-13 20:12 18770 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ocywotydur.vbs
2009-08-13 20:12 . 2009-08-13 20:12 18343 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\arog.bin
2009-08-13 20:12 . 2009-08-13 20:12 18279 ----a-w- c:\windows\system32\ymyzycydiz.com
2009-08-13 20:12 . 2009-08-13 20:12 12645 ----a-w- c:\program files\Common Files\ixep.scr
2009-08-13 20:12 . 2009-08-13 20:12 11009 ----a-w- c:\windows\ropinuje.scr
2009-08-13 13:23 . 2009-08-13 13:23 12728 ----a-w- c:\windows\igejok.reg
2009-08-13 13:23 . 2009-08-13 13:23 18595 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\qima.com
2009-08-13 13:23 . 2009-08-13 13:23 18200 ----a-w- c:\windows\fojanazyni.com
2009-08-13 13:23 . 2009-08-13 13:23 16971 ----a-w- c:\windows\utici.scr
2009-08-13 13:23 . 2009-08-13 13:23 14119 ----a-w- c:\windows\system32\ofavuha.vbs
2009-08-13 13:23 . 2009-08-13 13:23 13807 ----a-w- c:\documents and settings\Administrator\Application Data\tidakij.dll
2009-08-13 09:11 . 2009-08-13 09:11 17343 ----a-w- c:\windows\yvah.dll
2009-08-13 09:11 . 2009-08-13 09:11 17256 ----a-w- c:\windows\yzum.sys
2009-08-13 09:11 . 2009-08-13 09:11 16921 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\cuxoni.sys
2009-08-13 09:11 . 2009-08-13 09:11 15351 ----a-w- c:\program files\Common Files\anysuwa.dll
2009-08-13 09:11 . 2009-08-13 09:11 15299 ----a-w- c:\windows\iboqazu.bat
2009-08-13 09:11 . 2009-08-13 09:11 15179 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\tusuhes.bat
2009-08-13 09:11 . 2009-08-13 09:11 14322 ----a-w- c:\documents and settings\Administrator\Application Data\kavorocesu.exe
2009-08-13 09:11 . 2009-08-13 09:11 13328 ----a-w- c:\windows\toqodup.bin
2009-08-13 09:11 . 2009-08-13 09:11 12385 ----a-w- c:\documents and settings\Administrator\Application Data\buqipo.pif
2009-08-13 09:11 . 2009-08-13 09:11 11787 ----a-w- c:\program files\Common Files\tuvi.scr
2009-08-13 05:05 . 2009-08-13 05:05 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-08-13 05:05 . 2009-08-13 05:05 -------- d-----w- c:\program files\Alex Feinman
2009-08-12 20:52 . 2009-08-12 20:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2009-08-12 07:22 . 2009-08-12 07:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-12 07:15 . 2009-08-12 07:15 26624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-08-12 00:20 . 2009-08-12 00:20 19447 ----a-w- c:\windows\system32\zusolysuw.pif
2009-08-12 00:20 . 2009-08-12 00:20 18510 ----a-w- c:\windows\ditaxa.reg
2009-08-12 00:20 . 2009-08-12 00:20 17481 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\gamutubu.bat
2009-08-12 00:20 . 2009-08-12 00:20 16306 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\azyt.sys
2009-08-12 00:20 . 2009-08-12 00:20 15792 ----a-w- c:\windows\system32\jeqyfok.scr
2009-08-12 00:20 . 2009-08-12 00:20 15089 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\bezok.sys
2009-08-12 00:20 . 2009-08-12 00:20 14409 ----a-w- c:\windows\system32\iqaworezi.reg
2009-08-12 00:20 . 2009-08-12 00:20 13770 ----a-w- c:\documents and settings\Administrator\Application Data\hotamup.scr
2009-08-12 00:20 . 2009-08-12 00:20 11463 ----a-w- c:\documents and settings\Administrator\Application Data\miki.scr
2009-08-11 23:57 . 2009-08-11 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\F-Secure
2009-08-11 23:51 . 2009-08-11 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2009-08-11 23:46 . 2009-08-11 23:46 14648 ----a-w- c:\program files\Common Files\yfuzafa.pif
2009-08-11 23:46 . 2009-08-11 23:46 17050 ----a-w- c:\program files\Common Files\unomobul.bin
2009-08-11 23:46 . 2009-08-11 23:46 18460 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ejogenydax.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18265 ----a-w- c:\windows\lusylytod.dll
2009-08-11 23:46 . 2009-08-11 23:46 18793 ----a-w- c:\windows\utimomo.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18098 ----a-w- c:\program files\Common Files\hukag.pif
2009-08-11 23:46 . 2009-08-11 23:46 18398 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rasamapu.bin
2009-08-11 23:46 . 2009-08-11 23:46 18991 ----a-w- c:\windows\owohoka.vbs
2009-08-11 23:43 . 2009-08-13 08:51 -------- d-----w- c:\program files\F-Secure Internet Security
2009-08-11 23:37 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-08-11 23:36 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\CCPTB
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-11 23:21 . 2009-08-12 19:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\fssg
2009-08-11 23:18 . 2009-08-12 20:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\f-secure
2009-08-11 13:48 . 2009-08-11 13:48 -------- d-----w- c:\program files\AVG
2009-08-07 05:05 . 2003-07-24 17:01 606720 ----a-w- c:\temp\SFDNWIN.exe
2009-08-07 05:05 . 2009-08-07 05:05 -------- d-----w- C:\Temp
2009-08-07 05:05 . 2008-01-24 10:37 2097152 ----a-w- c:\temp\autorun.bin
2009-08-07 01:15 . 2009-08-07 01:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-08-06 18:49 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-06 18:49 . 2008-04-14 05:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-07-18 19:08 . 2009-07-18 19:08 2141 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-07-16 04:19 . 2009-07-16 08:30 -------- d-----w- c:\program files\Graboid
2009-07-16 02:49 . 2009-07-16 02:49 766 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{F1B58743-123D-4748-9FDD-F1FA0E463662}\_6FEFF9B68218417F98F549.exe
2009-07-16 02:49 . 2009-07-16 02:49 -------- d-----w- c:\program files\West Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 21:04 . 2008-12-09 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple
2009-08-14 08:14 . 2009-05-10 18:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-13 21:07 . 2009-08-13 21:07 19656 ----a-w- c:\program files\Common Files\jemoqap.dl
2009-08-13 20:12 . 2009-08-13 20:12 18068 ----a-w- c:\program files\Common Files\awuv.ban
2009-08-13 20:12 . 2009-08-13 20:12 15706 ----a-w- c:\program files\Common Files\aceb.inf
2009-08-13 20:12 . 2009-08-13 20:12 12294 ----a-w- c:\program files\Common Files\ywenoqoc._dl
2009-08-13 20:12 . 2009-08-13 20:12 11620 ----a-w- c:\program files\Common Files\kicowuren.db
2009-08-13 13:23 . 2009-08-13 13:23 19431 ----a-w- c:\documents and settings\Administrator\Application Data\ebiqewa.bin
2009-08-13 13:23 . 2009-08-13 13:23 11103 ----a-w- c:\documents and settings\Administrator\Application Data\basuf.bin
2009-08-13 13:23 . 2009-08-13 13:23 14581 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\gusopu.bat
2009-08-13 09:11 . 2009-08-13 09:11 11978 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\foxizom.dll
2009-08-13 09:11 . 2009-08-13 09:11 10061 ----a-w- c:\program files\Common Files\wotohymazi.lib
2009-08-13 05:13 . 2009-02-28 17:37 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-12 00:20 . 2009-08-12 00:20 18267 ----a-w- c:\program files\Common Files\piga.ban
2009-08-11 23:46 . 2009-08-11 23:46 14577 ----a-w- c:\program files\Common Files\fejytado.inf
2009-08-11 23:36 . 2009-01-24 03:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2009-08-11 21:38 . 2008-12-25 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2009-08-06 20:03 . 2004-03-26 21:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\program files\Symantec
2009-08-06 20:03 . 2004-11-16 13:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-16 08:30 . 2009-07-06 03:14 -------- d-----w- c:\program files\VideoLAN
2009-07-11 01:13 . 2009-07-11 01:13 2095 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-07-10 17:25 . 2009-07-10 17:25 1878984 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-08 08:01 . 2009-07-07 03:04 -------- d-----w- c:\program files\DivX
2009-07-07 17:01 . 2004-12-15 19:21 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-07-06 05:09 . 2009-07-06 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
2009-07-06 04:17 . 2009-07-06 04:17 18944 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
2009-07-06 04:17 . 2009-07-06 04:17 17408 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\auth.dll
2009-07-06 04:17 . 2009-07-06 04:17 8192 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
2009-07-06 03:27 . 2009-07-06 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-07-06 03:17 . 2009-07-06 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-06-29 16:12 . 2004-01-21 22:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-11-15 22:41 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 13:06 . 2009-05-06 14:05 -------- d-----w- c:\program files\Coupons
2009-06-24 03:13 . 2009-06-24 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\ccptb
2009-06-24 02:50 . 2009-06-24 02:50 -------- d-----w- c:\program files\ccptb
2009-06-22 01:01 . 2009-06-22 01:01 1089 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-22 01:00 . 2009-06-22 00:59 -------- d-----w- c:\program files\Pidgin
2009-06-22 00:59 . 2008-12-09 21:43 -------- d-----w- c:\program files\Common Files\GTK
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 21:43 . 2006-08-30 22:44 180224 ----a-w- c:\windows\system32\VTTrayp.exe
2009-06-05 21:43 . 2006-08-31 18:17 1884160 ----a-w- c:\windows\system32\vticd.dll
2009-06-05 21:43 . 2006-08-31 18:06 264704 ----a-w- c:\windows\system32\drivers\vtmini.sys
2009-06-05 21:43 . 2006-08-03 19:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
2009-06-05 21:43 . 2006-06-20 16:21 327680 ----a-w- c:\windows\system32\VTInfo2.dll
2009-06-05 21:43 . 2006-05-22 19:49 593920 ----a-w- c:\windows\system32\VTovrlay.dll
2009-06-05 21:43 . 2006-08-31 18:06 3516032 ----a-w- c:\windows\system32\vtdisp.dll
2009-06-05 21:43 . 2006-08-25 18:47 651264 ----a-w- c:\windows\system32\VTDisply.dll
2009-06-05 21:43 . 2006-06-22 22:05 462848 ----a-w- c:\windows\system32\VTGamma2.dll
2009-06-05 21:43 . 2005-11-01 15:35 28672 ----a-w- c:\windows\system32\VModes.exe
2009-06-03 19:09 . 2004-03-26 15:20 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 05:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_19.47.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-14 21:16 . 2009-08-14 21:16 16384 c:\windows\temp\Perflib_Perfdata_730.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-14 19:42 . 2009-08-14 19:42 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-14 19:42 . 2009-08-14 19:42 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-14 19:42 . 2009-08-14 19:42 196608 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 196608 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-14 21:14 . 2009-08-14 21:14 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 4534272 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
+ 2009-08-14 21:14 . 2009-08-14 21:14 4534272 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-01 577536]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2009-06-05 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2009-06-05 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-15 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9998:TCP"= 9998:TCP
"443:TCP"= 443:TCP

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/12/2009 2:15 AM 26624]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/15/2008 10:24 AM 11264]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [3/25/2004 5:24 PM 281856]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [?]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [9/16/2006 6:23 PM 47360]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [11/17/2004 3:38 PM 37708]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys --> c:\program files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.

------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: ChatSpace Full Java Client 3.1.0.235 - hxxp://irc.pugsandkellylive.com/Java/cfs31235.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\t591ljdz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 16:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\F-Secure Internet Security\Common\FSMA32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\F-Secure Internet Security\Common\FSMB32.EXE
c:\program files\F-Secure Internet Security\Common\FCH32.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\program files\F-Secure Internet Security\Common\FAMEH32.EXE
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\wscntfy.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\F-Secure Internet Security\FSGUI\fsguidll.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsaua.exe
c:\windows\system32\msiexec.exe
c:\program files\F-Secure Internet Security\FSAUA\program\fsus.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-08-14 16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 21:25
ComboFix2.txt 2009-08-14 19:52

Pre-Run: 141,153,304,576 bytes free
Post-Run: 141,098,856,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

305 --- E O F --- 2009-07-29 17:01

looks like everything is all cleared up... THANK YOU SOOOOOO MUCH! is there anything else i need to do (other than reinstall some new anti-virus)? also, in the midst of trying several anti virus program... f-secure is loading in my system tray, but does not exist in add/remove programs. there's still a folder with items for it, but i even trying the uninstall exe from there does not work. i've even tried reinstalling to overwrite files and then uninstall... no go. how would i go about getting rid of the remnants of this program?

------------------------------------------------------

Malwarebytes' Anti-Malware 1.40
Database version: 2626
Windows 5.1.2600 Service Pack 3

8/15/2009 3:56:23 PM
mbam-log-2009-08-15 (15-56-23).txt

Scan type: Quick Scan
Objects scanned: 89384
Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Can you post a new Combofix log please?

Will do, i'm running the scan right now...

I should mention that i ran the malwarebytes sofware again but this time i did the full scan (took two hours), and this time it found an additional 68 infected files. I rebooted as requeste by the software, but the computer is still locking the desktop. I'll post the log in a couple of minutes.
Thanks,

ComboFix 09-08-10.06 - Administrator 08/15/2009 20:05.6.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1082 [GMT -5:00]
Running from: c:\documents and settings\Administrator.EC29D2D7ECFE48B\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-16 00:12 . 2009-08-16 00:12 -------- d-----w- c:\documents and settings\Administrator.EC29D2D7ECFE48B\Application Data\Malwarebytes
2009-08-15 18:45 . 2009-08-15 18:45 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-15 18:45 . 2009-08-15 18:45 -------- d-----w- c:\program files\MSBuild
2009-08-15 18:45 . 2009-08-15 18:45 -------- d-----w- c:\program files\Reference Assemblies
2009-08-15 18:44 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-15 18:44 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-15 18:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-15 18:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-15 18:44 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-15 18:44 . 2009-08-15 18:44 -------- d-----w- C:\37e52f2c1fcccf9c75135f8db3c99ad6
2009-08-15 18:44 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-15 18:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-15 18:43 . 2009-08-15 18:59 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-15 00:00 . 2009-08-15 00:00 -------- d--h--w- c:\windows\$hf_mig$
2009-08-14 03:31 . 2009-08-14 03:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-14 03:09 . 2009-08-14 03:09 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-14 02:43 . 2009-08-14 02:42 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-14 02:33 . 2009-08-14 02:33 -------- d-----w- c:\program files\NortonInstaller
2009-08-14 01:14 . 2009-08-14 01:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Uniblue
2009-08-14 00:56 . 2009-08-14 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-14 00:52 . 2009-08-14 00:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-14 00:51 . 2005-06-14 19:42 12328 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 03:37 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 03:01 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 03:01 . 2009-08-16 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 03:01 . 2009-08-12 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 03:01 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 02:08 . 2009-08-12 02:08 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-12 01:59 . 2008-10-29 01:23 425984 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-08-12 01:59 . 2008-10-29 00:40 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-08-12 01:59 . 2008-10-29 00:40 3107788 ----a-w- c:\windows\system32\ativvaxx.dat
2009-08-12 01:59 . 2008-10-29 00:40 3107788 ----a-w- c:\windows\system32\ativva5x.dat
2009-08-12 01:59 . 2008-10-29 00:19 44032 ----a-w- c:\windows\system32\atiadlxx.dll
2009-08-12 01:59 . 2008-10-29 00:18 253952 ----a-w- c:\windows\system32\atiok3x2.dll
2009-08-12 01:59 . 2008-10-29 00:25 48640 ----a-w- c:\windows\system32\amdpcom32.dll
2009-08-12 01:46 . 2009-08-12 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2009-08-12 01:40 . 2009-08-12 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-08-12 01:36 . 2009-08-12 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-12 01:34 . 2009-08-12 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-12 01:24 . 2009-08-12 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Spyware
2009-08-12 01:23 . 2009-08-12 01:46 -------- d-----w- c:\program files\ParetoLogic
2009-08-12 01:23 . 2009-08-12 01:36 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-11 04:29 . 2009-08-11 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-08-11 04:29 . 2009-08-12 01:58 -------- d-----w- c:\program files\RegCure
2009-08-11 03:39 . 2009-08-11 15:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-08-10 02:41 . 2009-08-10 02:54 -------- d-----w- c:\program files\Uniblue
2009-08-09 20:00 . 2009-08-09 20:00 -------- d--h--w- c:\windows\PIF
2009-08-09 00:48 . 2009-08-09 00:48 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-08 21:06 . 2009-08-08 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-08-08 21:06 . 2009-08-14 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-08 21:06 . 2009-08-14 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-08 21:04 . 2009-08-08 21:04 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-08 19:57 . 2009-08-08 19:57 18076 ----a-w- c:\program files\Common Files\jesefacyzo.vbs
2009-08-08 19:13 . 2009-08-08 19:13 12960 ----a-w- c:\program files\Common Files\icozax.vbs
2009-08-08 19:09 . 2009-08-08 19:09 18169 ----a-w- c:\program files\Common Files\yqyheqewaq.bin
2009-08-08 19:09 . 2009-08-08 19:09 15153 ----a-w- c:\program files\Common Files\newokupi.dat
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll
2009-07-17 16:51 . 2009-07-17 16:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 00:44 . 2005-06-13 19:00 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-14 03:14 . 2005-06-14 19:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-14 02:43 . 2005-10-27 00:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-12 03:42 . 2005-06-14 18:58 -------- d-----w- c:\program files\Java
2009-08-12 03:38 . 2008-12-06 13:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-12 01:39 . 2005-12-05 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-08-11 04:00 . 2008-12-02 03:02 20480 ----a-w- c:\windows\rmlluf32.dll
2009-08-09 00:49 . 2008-12-06 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-09 00:48 . 2008-12-06 04:50 -------- d-----w- c:\program files\NOS
2009-08-08 19:57 . 2009-08-08 19:57 18419 ----a-w- c:\program files\Common Files\amunax.ban
2009-08-08 19:57 . 2009-08-08 19:57 15388 ----a-w- c:\program files\Common Files\ifuk.dl
2009-08-08 19:18 . 2005-12-05 00:04 -------- d-----w- c:\program files\Real
2009-08-08 19:18 . 2005-12-05 00:04 -------- d-----w- c:\program files\Common Files\Real
2009-08-08 19:13 . 2009-08-08 19:13 10092 ----a-w- c:\program files\Common Files\xivi._sy
2009-08-08 18:45 . 2009-08-08 18:45 13751 ----a-w- c:\program files\Common Files\ofigym.db
2009-08-05 09:01 . 2005-06-13 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-06-13 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 21:21 . 2005-06-14 19:48 -------- d-----w- c:\program files\Google
2009-07-15 21:18 . 2009-07-15 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-14 04:43 . 2005-06-13 19:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-07 02:27 . 2009-07-07 02:27 -------- d-----w- c:\program files\MSECache
2009-07-03 17:09 . 2005-06-13 19:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-20 17:28 . 2009-06-20 17:28 -------- d-----w- c:\program files\iTunes
2009-06-20 17:28 . 2006-07-20 02:49 -------- d-----w- c:\program files\iPod
2009-06-20 17:28 . 2007-08-16 01:35 -------- d-----w- c:\program files\Common Files\Apple
2009-06-20 17:25 . 2009-03-22 15:40 -------- d-----w- c:\program files\QuickTime
2009-06-20 17:16 . 2009-06-20 17:16 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-16 14:36 . 2005-06-13 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-06-13 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-06-13 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2005-06-13 19:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-06-13 19:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-06-13 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 16:42 . 2009-06-20 17:20 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 16:42 . 2009-06-20 17:20 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2005-06-13 19:00 1291264 ----a-w- c:\windows\system32\quartz.dll
1997-06-23 09:00 . 1997-06-23 09:00 123664 --sha-w- c:\windows\system32\Msjint35.dll
1997-06-23 18:06 . 1997-06-23 18:06 24848 --sha-w- c:\windows\system32\Msjter35.dll
1997-06-23 18:06 . 1997-06-23 18:06 252176 --sha-w- c:\windows\system32\Msrd2x35.dll
1997-06-23 18:06 . 1997-06-23 18:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
.

Last edited by chugaz77 on 16th August 2009, 1:52 am; edited 2 times in total

------- Sigcheck -------

[-] 2008-04-14 00:12 1033728 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe


c:\windows\system32\appmgmts.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-08-15_19.29.17 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"Pure Networks Port Magic"="c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe" [2005-03-21 99480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 149280]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-04-28 260896]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"HostManager"="c:\program files\Common Files\AOL\1171131538\ee\AOLSoftware.exe" [2006-09-26 50736]
"SsAAD.exe"="c:\progra~1\sony\SONICS~1\SsAAD.exe" [2005-01-25 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-11-29 2748928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-12-4 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SpySubtract.lnk - c:\program files\InterMute\SpySubtract\SpySub.exe [2005-10-26 1187840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"=ma_cmidn.dll
"midi2"=evolusbn.dll
"midi3"=evolusbn.dll
"midi4"=evolusbn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 6:47 AM 98304]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 5:40 AM 118784]
S2 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe [12/6/2008 6:44 PM 106496]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;c:\windows\system32\drivers\atinysxx.sys [7/23/2006 2:01 PM 79360]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;c:\windows\system32\drivers\atinyvxx.sys [7/23/2006 2:01 PM 174592]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;c:\windows\system32\drivers\atinyuxx.sys [7/23/2006 2:01 PM 64512]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;c:\windows\system32\drivers\ATIUTD.sys [7/23/2006 2:01 PM 38912]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [12/6/2008 6:44 PM 21984]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [12/16/2008 5:22 PM 79649]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;c:\windows\system32\drivers\atinyttx.sys [7/23/2006 2:01 PM 13824]
.
Contents of the 'Scheduled Tasks' folder

2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]

2009-08-15 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2009-08-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-02 21:18]

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 21:19]

2009-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 21:19]

2009-08-12 c:\windows\Tasks\ParetoLogic Anti-Spyware.job
- c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe [2009-08-05 14:58]

2009-08-12 c:\windows\Tasks\ParetoLogic Privacy Controls_{8ADF83AE-86ED-11DE-AB8C-00038A000015}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:29]

2009-08-15 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-08-12 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

2009-08-12 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-08-05 18:39]

2009-08-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-15 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-08-12 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-16 20:11
ComboFix-quarantined-files.txt 2009-08-16 01:11
ComboFix2.txt 2009-08-15 23:45
ComboFix3.txt 2009-08-15 19:30
ComboFix4.txt 2009-08-15 01:18
ComboFix5.txt 2009-08-16 01:04

Pre-Run: 61,449,240,576 bytes free
Post-Run: 61,531,062,272 bytes free

245 --- E O F --- 2009-08-15 18:53

Last edited by chugaz77 on 16th August 2009, 1:53 am; edited 2 times in total

ComboFix 09-08-10.06 - Administrator 08/15/2009 18:36.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1495 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-07-15 to 2009-08-15 )))))))))))))))))))))))))))))))
.

2009-08-15 11:34 . 2009-08-15 11:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo
2009-08-14 23:06 . 2009-08-14 23:06 -------- d-----w- c:\program files\Pidgin
2009-08-14 20:23 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 20:23 . 2009-08-14 20:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-14 20:23 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 21:07 . 2009-08-13 21:07 12349 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\lytukasagu.exe
2009-08-13 21:07 . 2009-08-13 21:07 16092 ----a-w- c:\windows\system32\iqijyqewet.exe
2009-08-13 21:07 . 2009-08-13 21:07 11911 ----a-w- c:\program files\Common Files\ypivivaryk.vbs
2009-08-13 21:07 . 2009-08-13 21:07 15174 ----a-w- c:\windows\hobumemona.vbs
2009-08-13 21:07 . 2009-08-13 21:07 11427 ----a-w- c:\windows\ugip.dll
2009-08-13 21:07 . 2009-08-13 21:07 13316 ----a-w- c:\documents and settings\Administrator\Application Data\vuki.pif
2009-08-13 21:07 . 2009-08-13 21:07 15831 ----a-w- c:\windows\cuviwi.exe
2009-08-13 21:07 . 2009-08-13 21:07 15794 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\mutevirace.bin
2009-08-13 21:07 . 2009-08-13 21:07 17743 ----a-w- c:\windows\colukos.dll
2009-08-13 20:12 . 2009-08-13 20:12 18770 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ocywotydur.vbs
2009-08-13 20:12 . 2009-08-13 20:12 18343 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\arog.bin
2009-08-13 20:12 . 2009-08-13 20:12 18279 ----a-w- c:\windows\system32\ymyzycydiz.com
2009-08-13 20:12 . 2009-08-13 20:12 12645 ----a-w- c:\program files\Common Files\ixep.scr
2009-08-13 20:12 . 2009-08-13 20:12 11009 ----a-w- c:\windows\ropinuje.scr
2009-08-13 13:23 . 2009-08-13 13:23 12728 ----a-w- c:\windows\igejok.reg
2009-08-13 13:23 . 2009-08-13 13:23 18595 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\qima.com
2009-08-13 13:23 . 2009-08-13 13:23 18200 ----a-w- c:\windows\fojanazyni.com
2009-08-13 13:23 . 2009-08-13 13:23 16971 ----a-w- c:\windows\utici.scr
2009-08-13 13:23 . 2009-08-13 13:23 14119 ----a-w- c:\windows\system32\ofavuha.vbs
2009-08-13 13:23 . 2009-08-13 13:23 13807 ----a-w- c:\documents and settings\Administrator\Application Data\tidakij.dll
2009-08-13 09:11 . 2009-08-13 09:11 17343 ----a-w- c:\windows\yvah.dll
2009-08-13 09:11 . 2009-08-13 09:11 17256 ----a-w- c:\windows\yzum.sys
2009-08-13 09:11 . 2009-08-13 09:11 16921 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\cuxoni.sys
2009-08-13 09:11 . 2009-08-13 09:11 15351 ----a-w- c:\program files\Common Files\anysuwa.dll
2009-08-13 09:11 . 2009-08-13 09:11 15299 ----a-w- c:\windows\iboqazu.bat
2009-08-13 09:11 . 2009-08-13 09:11 15179 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\tusuhes.bat
2009-08-13 09:11 . 2009-08-13 09:11 14322 ----a-w- c:\documents and settings\Administrator\Application Data\kavorocesu.exe
2009-08-13 09:11 . 2009-08-13 09:11 13328 ----a-w- c:\windows\toqodup.bin
2009-08-13 09:11 . 2009-08-13 09:11 12385 ----a-w- c:\documents and settings\Administrator\Application Data\buqipo.pif
2009-08-13 09:11 . 2009-08-13 09:11 11787 ----a-w- c:\program files\Common Files\tuvi.scr
2009-08-13 05:05 . 2009-08-13 05:05 3638 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
2009-08-13 05:05 . 2009-08-13 05:05 -------- d-----w- c:\program files\Alex Feinman
2009-08-12 20:52 . 2009-08-12 20:52 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kaspersky Lab Setup Files
2009-08-12 07:22 . 2009-08-12 07:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Help
2009-08-12 07:15 . 2009-08-12 07:15 26624 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-08-12 00:20 . 2009-08-12 00:20 19447 ----a-w- c:\windows\system32\zusolysuw.pif
2009-08-12 00:20 . 2009-08-12 00:20 18510 ----a-w- c:\windows\ditaxa.reg
2009-08-12 00:20 . 2009-08-12 00:20 17481 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\gamutubu.bat
2009-08-12 00:20 . 2009-08-12 00:20 16306 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\azyt.sys
2009-08-12 00:20 . 2009-08-12 00:20 15792 ----a-w- c:\windows\system32\jeqyfok.scr
2009-08-12 00:20 . 2009-08-12 00:20 15089 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\bezok.sys
2009-08-12 00:20 . 2009-08-12 00:20 14409 ----a-w- c:\windows\system32\iqaworezi.reg
2009-08-12 00:20 . 2009-08-12 00:20 13770 ----a-w- c:\documents and settings\Administrator\Application Data\hotamup.scr
2009-08-12 00:20 . 2009-08-12 00:20 11463 ----a-w- c:\documents and settings\Administrator\Application Data\miki.scr
2009-08-11 23:57 . 2009-08-11 23:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\F-Secure
2009-08-11 23:51 . 2009-08-11 23:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\F-Secure
2009-08-11 23:46 . 2009-08-11 23:46 14648 ----a-w- c:\program files\Common Files\yfuzafa.pif
2009-08-11 23:46 . 2009-08-11 23:46 17050 ----a-w- c:\program files\Common Files\unomobul.bin
2009-08-11 23:46 . 2009-08-11 23:46 18460 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\ejogenydax.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18265 ----a-w- c:\windows\lusylytod.dll
2009-08-11 23:46 . 2009-08-11 23:46 18793 ----a-w- c:\windows\utimomo.vbs
2009-08-11 23:46 . 2009-08-11 23:46 18098 ----a-w- c:\program files\Common Files\hukag.pif
2009-08-11 23:46 . 2009-08-11 23:46 18398 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rasamapu.bin
2009-08-11 23:46 . 2009-08-11 23:46 18991 ----a-w- c:\windows\owohoka.vbs
2009-08-11 23:43 . 2009-08-14 23:26 -------- d-----w- c:\program files\F-Secure Internet Security
2009-08-11 23:37 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-08-11 23:36 . 2009-08-11 23:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\CCPTB
2009-08-11 23:36 . 2009-08-11 23:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-11 23:21 . 2009-08-14 23:09 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\fssg
2009-08-11 23:18 . 2009-08-12 20:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\f-secure
2009-08-11 13:48 . 2009-08-11 13:48 -------- d-----w- c:\program files\AVG
2009-08-07 05:05 . 2003-07-24 17:01 606720 ----a-w- c:\temp\SFDNWIN.exe
2009-08-07 05:05 . 2009-08-07 05:05 -------- d-----w- C:\Temp
2009-08-07 05:05 . 2008-01-24 10:37 2097152 ----a-w- c:\temp\autorun.bin
2009-08-07 01:15 . 2009-08-07 01:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\mjusbsp
2009-08-06 18:49 . 2008-04-14 05:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-08-06 18:49 . 2008-04-14 05:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-07-18 19:08 . 2009-07-18 19:08 2141 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-15 23:35 . 2008-12-09 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple
2009-08-15 11:32 . 2009-01-10 02:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Yahoo!
2009-08-15 11:32 . 2009-01-10 02:40 -------- d-----w- c:\program files\Yahoo!
2009-08-14 08:14 . 2009-05-10 18:04 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-13 21:07 . 2009-08-13 21:07 19656 ----a-w- c:\program files\Common Files\jemoqap.dl
2009-08-13 20:12 . 2009-08-13 20:12 18068 ----a-w- c:\program files\Common Files\awuv.ban
2009-08-13 20:12 . 2009-08-13 20:12 15706 ----a-w- c:\program files\Common Files\aceb.inf
2009-08-13 20:12 . 2009-08-13 20:12 12294 ----a-w- c:\program files\Common Files\ywenoqoc._dl
2009-08-13 20:12 . 2009-08-13 20:12 11620 ----a-w- c:\program files\Common Files\kicowuren.db
2009-08-13 13:23 . 2009-08-13 13:23 19431 ----a-w- c:\documents and settings\Administrator\Application Data\ebiqewa.bin
2009-08-13 13:23 . 2009-08-13 13:23 11103 ----a-w- c:\documents and settings\Administrator\Application Data\basuf.bin
2009-08-13 13:23 . 2009-08-13 13:23 14581 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\gusopu.bat
2009-08-13 09:11 . 2009-08-13 09:11 11978 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\foxizom.dll
2009-08-13 09:11 . 2009-08-13 09:11 10061 ----a-w- c:\program files\Common Files\wotohymazi.lib
2009-08-13 05:13 . 2009-02-28 17:37 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-08-12 00:20 . 2009-08-12 00:20 18267 ----a-w- c:\program files\Common Files\piga.ban
2009-08-11 23:46 . 2009-08-11 23:46 14577 ----a-w- c:\program files\Common Files\fejytado.inf
2009-08-11 23:36 . 2009-01-24 03:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2009-08-11 21:38 . 2008-12-25 14:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2009-08-06 20:03 . 2004-03-26 21:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\program files\Symantec
2009-08-06 20:03 . 2004-11-16 13:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-06 20:03 . 2004-03-26 17:38 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-16 08:30 . 2009-07-06 03:14 -------- d-----w- c:\program files\VideoLAN
2009-07-16 08:30 . 2009-07-16 04:19 -------- d-----w- c:\program files\Graboid
2009-07-16 02:49 . 2009-07-16 02:49 766 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{F1B58743-123D-4748-9FDD-F1FA0E463662}\_6FEFF9B68218417F98F549.exe
2009-07-16 02:49 . 2009-07-16 02:49 -------- d-----w- c:\program files\West Corporation
2009-07-11 01:13 . 2009-07-11 01:13 2095 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-07-10 17:25 . 2009-07-10 17:25 1878984 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-08 08:01 . 2009-07-07 03:04 -------- d-----w- c:\program files\DivX
2009-07-07 17:01 . 2004-12-15 19:21 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-07-06 05:09 . 2009-07-06 04:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\autoconfig.dll
2009-07-06 04:17 . 2009-07-06 04:17 18944 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\appshell_modal.dll
2009-07-06 04:17 . 2009-07-06 04:17 17408 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\components\auth.dll
2009-07-06 04:17 . 2009-07-06 04:17 8192 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2009-07-06 04:17 . 2009-07-06 04:17 20480 ----a-w- c:\documents and settings\Administrator\Application Data\LimeWire\browser\xulrunner\IA2Marshal.dll
2009-07-06 03:27 . 2009-07-06 03:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-07-06 03:17 . 2009-07-06 03:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-06-29 16:12 . 2004-01-21 22:16 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-11-15 22:41 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-26 13:06 . 2009-05-06 14:05 -------- d-----w- c:\program files\Coupons
2009-06-24 03:13 . 2009-06-24 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\ccptb
2009-06-24 02:50 . 2009-06-24 02:50 -------- d-----w- c:\program files\ccptb
2009-06-22 01:01 . 2009-06-22 01:01 1089 ----a-w- c:\documents and settings\Administrator\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-22 00:59 . 2008-12-09 21:43 -------- d-----w- c:\program files\Common Files\GTK
2009-06-16 14:36 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-05 21:43 . 2006-08-30 22:44 180224 ----a-w- c:\windows\system32\VTTrayp.exe
2009-06-05 21:43 . 2006-08-31 18:17 1884160 ----a-w- c:\windows\system32\vticd.dll
2009-06-05 21:43 . 2006-08-31 18:06 264704 ----a-w- c:\windows\system32\drivers\vtmini.sys
2009-06-05 21:43 . 2006-08-03 19:53 53248 ----a-w- c:\windows\system32\VTTimer.exe
2009-06-05 21:43 . 2006-06-20 16:21 327680 ----a-w- c:\windows\system32\VTInfo2.dll
2009-06-05 21:43 . 2006-05-22 19:49 593920 ----a-w- c:\windows\system32\VTovrlay.dll
2009-06-05 21:43 . 2006-08-31 18:06 3516032 ----a-w- c:\windows\system32\vtdisp.dll
2009-06-05 21:43 . 2006-08-25 18:47 651264 ----a-w- c:\windows\system32\VTDisply.dll
2009-06-05 21:43 . 2006-06-22 22:05 462848 ----a-w- c:\windows\system32\VTGamma2.dll
2009-06-05 21:43 . 2005-11-01 15:35 28672 ----a-w- c:\windows\system32\VModes.exe
2009-06-03 19:09 . 2004-03-26 15:20 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 05:24 . 2008-05-27 03:18 350208 ------w- c:\windows\system32\mssph.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_19.47.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-15 21:51 . 2009-08-15 21:51 16384 c:\windows\temp\Perflib_Perfdata_a8.dat
+ 2008-12-05 05:53 . 2009-08-15 11:33 88589 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-08-14 19:42 . 2009-08-14 19:42 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2009-08-14 19:42 . 2009-08-14 19:42 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-07-18 03:12 . 2009-07-18 03:12 257440 c:\windows\system32\Macromed\Flash\FlashUtil10c.exe
+ 2009-08-14 21:14 . 2009-08-14 21:14 196608 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-14 19:42 . 2009-08-14 19:42 196608 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-14 21:14 . 2009-08-14 21:14 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 249856 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-14 21:14 . 2009-08-14 21:14 249856 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-14 21:14 . 2009-08-14 21:14 4534272 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-14 19:42 . 2009-08-14 19:42 4534272 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"F-Secure Manager"="c:\program files\F-Secure Internet Security\Common\FSM32.EXE" [2008-10-14 182936]
"F-Secure TNB"="c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe" [2008-10-14 957024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-10-06 741376]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-03-01 577536]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2009-06-05 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2009-06-05 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-15 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9998:TCP"= 9998:TCP
"443:TCP"= 443:TCP

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/12/2009 2:15 AM 26624]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [10/15/2008 10:24 AM 11264]
S3 ati2mpaa;ati2mpaa;c:\windows\system32\drivers\ati2mpaa.sys [3/25/2004 5:24 PM 281856]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [9/16/2006 6:23 PM 47360]
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [11/17/2004 3:38 PM 37708]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: ChatSpace Full Java Client 3.1.0.235 - hxxp://irc.pugsandkellylive.com/Java/cfs31235.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\t591ljdz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-15 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-15 18:54
ComboFix-quarantined-files.txt 2009-08-15 23:54
ComboFix2.txt 2009-08-14 21:25
ComboFix3.txt 2009-08-14 19:52

Pre-Run: 133,807,702,016 bytes free
Post-Run: 133,769,105,408 bytes free

286 --- E O F --- 2009-07-29 17:01

Hello.

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\documents and settings\Administrator\Local Settings\Application Data\lytukasagu.exe
  c:\windows\system32\iqijyqewet.exe
  c:\program files\Common Files\ypivivaryk.vbs
  c:\windows\hobumemona.vbs
  c:\windows\ugip.dll
  c:\documents and settings\Administrator\Application Data\vuki.pif
  c:\windows\cuviwi.exe
  c:\documents and settings\Administrator\Local Settings\Application Data\mutevirace.bin
  c:\windows\colukos.dll
  c:\documents and settings\Administrator\Local Settings\Application Data\ocywotydur.vbs
  c:\documents and settings\Administrator\Local Settings\Application Data\arog.bin
  c:\windows\system32\ymyzycydiz.com
  c:\program files\Common Files\ixep.scr
  c:\windows\ropinuje.scr
  c:\windows\igejok.reg
  c:\documents and settings\Administrator\Local Settings\Application Data\qima.com
  c:\windows\fojanazyni.com
  c:\windows\utici.scr
  c:\windows\system32\ofavuha.vbs
  c:\documents and settings\Administrator\Application Data\tidakij.dll
  c:\windows\yvah.dll
  c:\windows\yzum.sys
  c:\documents and settings\Administrator\Local Settings\Application Data\cuxoni.sys
  c:\program files\Common Files\anysuwa.dll
  c:\windows\iboqazu.bat
  c:\documents and settings\Administrator\Local Settings\Application Data\tusuhes.bat
  c:\documents and settings\Administrator\Application Data\kavorocesu.exe
  c:\windows\toqodup.bin
  c:\documents and settings\Administrator\Application Data\buqipo.pif
  c:\program files\Common Files\tuvi.scr
  c:\windows\system32\zusolysuw.pif
  c:\windows\ditaxa.reg
  c:\documents and settings\Administrator\Local Settings\Application Data\gamutubu.bat
  c:\documents and settings\Administrator\Local Settings\Application Data\azyt.sys
  c:\windows\system32\jeqyfok.scr
  c:\documents and settings\Administrator\Local Settings\Application Data\bezok.sys
  c:\windows\system32\iqaworezi.reg
  c:\documents and settings\Administrator\Application Data\hotamup.scr
  c:\documents and settings\Administrator\Application Data\miki.scr
  c:\program files\Common Files\yfuzafa.pif
  c:\program files\Common Files\unomobul.bin
  c:\documents and settings\Administrator\Local Settings\Application Data\ejogenydax.vbs
  c:\windows\lusylytod.dll
  c:\windows\utimomo.vbs
  c:\program files\Common Files\hukag.pif
  c:\documents and settings\Administrator\Local Settings\Application Data\rasamapu.bin
  c:\windows\owohoka.vbs
  c:\temp\autorun.bin
  c:\program files\Common Files\jemoqap.dl
  c:\program files\Common Files\awuv.ban
  c:\program files\Common Files\aceb.inf
  c:\program files\Common Files\ywenoqoc._dl
  c:\program files\Common Files\kicowuren.db
  c:\documents and settings\Administrator\Application Data\ebiqewa.bin
  c:\documents and settings\Administrator\Application Data\basuf.bin
  c:\docume~1\ALLUSE~1\APPLIC~1\gusopu.bat
  c:\docume~1\ALLUSE~1\APPLIC~1\foxizom.dll
  c:\program files\Common Files\wotohymazi.lib
  c:\program files\Common Files\piga.ban
  c:\program files\Common Files\fejytado.inf
  c:\windows\system32\xa.tmp
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.