WiredWX Christian Hobby Weather Tools

Re: AV Security Suite and other issues

OK, before I run that: the computer is running well. I have not had the JIT debugging popup occur since the reboot. I did remove the Viewpoint thing but was unable to find "Viewpoint components", only a thing called Viewpoint Updater, which I destroyed. Going to run ComboFix now.

Re: AV Security Suite and other issues

OK. Looking forward to your reply.

Re: AV Security Suite and other issues

ComboFix 10-06-30.03 - Sean Leahy 07/01/2010 1:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1176 [GMT -4:00]
Running from: c:\documents and settings\Sean Leahy\Desktop\commy.exe
Command switches used :: c:\documents and settings\Sean Leahy\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 05:12 . 2010-07-01 05:45 -------- d-----w- c:\program files\World of Warcraft
2010-07-01 05:06 . 2010-07-01 05:06 -------- d-----w- C:\_OTL
2010-07-01 05:02 . 2010-07-01 05:02 -------- d-----w- c:\program files\World of Warcraft.temp
2010-07-01 00:48 . 2010-07-01 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\program files\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-06-30 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\.file_store_32
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\program files\Google Video
2010-06-26 02:23 . 2010-06-30 22:31 188584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 05:33 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-01 05:33 . 2006-09-03 04:21 57752 ----a-w- c:\windows\system32\Rpcnet.dll
2010-07-01 05:32 . 2009-02-16 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:09 . 2006-08-30 19:52 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-01 05:04 . 2006-08-26 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-01 02:49 . 2010-02-01 04:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-07-01 00:38 . 2006-08-26 12:19 -------- d-----w- c:\program files\Google
2010-07-01 00:25 . 2009-08-03 20:09 -------- d-----w- c:\program files\CCleaner
2010-06-30 05:41 . 2006-10-27 20:37 -------- d-----w- c:\program files\Warcraft III
2010-06-23 03:03 . 2009-08-20 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-22 01:18 . 2008-09-14 09:16 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\Skype
2010-06-22 00:46 . 2008-09-14 09:20 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\skypePM
2010-06-19 23:27 . 2006-10-26 01:05 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-19 23:27 . 2006-10-26 01:05 88 -csh--r- c:\windows\system32\195609FFE0.sys
2010-06-19 03:54 . 2006-10-27 20:42 91488 -c--a-w- c:\windows\War3Unin.dat
2010-06-18 04:38 . 2006-11-04 06:56 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\uTorrent
2010-06-11 22:04 . 2010-02-22 01:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 18:14 . 2010-01-23 06:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 22:17 . 2006-12-05 20:22 23954 ----a-w- c:\documents and settings\Sean Leahy\Application Data\wklnhst.dat
2010-05-04 17:20 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:40 . 2005-08-16 09:18 57752 ------w- c:\windows\system32\rpcnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-2 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2006-09-21 21:36 43520 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 13:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 03:23 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 20:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 21:13 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-24 02:43 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-04 17:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\firehousehoss23@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Sean Leahy\\Local Settings\\Apps\\2.0\\HKN2TL5K.KMN\\HX6HWK9N.6KA\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizz
"6112:TCP"= 6112:TCP:blizz
"6881:TCP"= 6881:TCP:blizz
"6999:TCP"= 6999:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/31/2009 3:47 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/23/2010 3:22 AM 112592]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 8:58 PM 359624]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys --> c:\windows\system32\drivers\skfilt.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]

2010-07-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 03:23]

2010-07-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 02:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(3).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(4).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(5).exe:BAK 23040 bytes executable
c:\windows\system32\autochk(7).exe:BAK 23040 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(900)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-01 02:04:00
ComboFix-quarantined-files.txt 2010-07-01 06:03
ComboFix2.txt 2010-07-01 05:39

Pre-Run: 28,307,992,576 bytes free
Post-Run: 28,230,803,456 bytes free

- - End Of File - - 94CDCFD47B0823F5792A6CDE026C961B
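
A first-pass triage of the kind the helper does on the log above, written here as an added example (it is not part of the thread and not ComboFix's or catchme's own tooling): it parses the log's "Files Created" entries, the Security Center override values and catchme's hidden-file lines from a constructed excerpt in the same layout, and flags files dropped directly under c:\windows, the AntiVirusOverride/FirewallOverride settings, and executable alternate data streams. Path names are copied from the log; the selection rules are the example's own heuristics.

```python
"""Added triage example for ComboFix-style logs (not the thread's or ComboFix's own code)."""
import re
from typing import Dict, List

# Constructed excerpt in the log's own layout; paths copied from the thread above.
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\\program files\\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\\windows\\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\\windows\\Qkutubetoguma.bin

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

scanning hidden files ...

c:\\windows\\system32\\autochk(3).exe:BAK 23040 bytes executable
c:\\windows\\system32\\autochk(4).exe:BAK 23040 bytes executable

hidden files: 2
"""

# "<created> . <modified> <size|--------> <attrs> <path>" as in the Files Created / Find3M sections.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
# catchme reports NTFS alternate data streams as "<path>:<stream> <size> bytes <kind>".
STREAM_RE = re.compile(r"^(?P<path>.+?):(?P<stream>[^:\\\s]+) (?P<size>\d+) bytes (?P<kind>\w+)$")
# A file sitting directly in the Windows directory rather than in one of its subfolders.
WINDOWS_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_file_entries(log: str) -> List[dict]:
    """Return one dict per file/directory line; size is None for directories."""
    entries = []
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            size = m.group("size")
            entries.append({"path": m.group("path"), "is_dir": m.group("attrs").startswith("d"),
                            "size": None if size.startswith("-") else int(size)})
    return entries


def parse_security_center(log: str) -> Dict[str, int]:
    """Return the dword values listed under the Security Center registry key."""
    values, in_key = {}, False
    for line in log.splitlines():
        line = line.strip()
        key = REG_KEY_RE.match(line)
        if key:
            in_key = key.group("key").lower().endswith("\\security center")
            continue
        dword = DWORD_RE.match(line)
        if in_key and dword:
            values[dword.group("name")] = int(dword.group("value"), 16)
    return values


def parse_hidden_streams(log: str) -> List[dict]:
    """Return the alternate data streams catchme listed under 'scanning hidden files'."""
    streams = []
    for line in log.splitlines():
        m = STREAM_RE.match(line.strip())
        if m:
            streams.append({"path": m.group("path"), "stream": m.group("stream"),
                            "size": int(m.group("size")), "kind": m.group("kind")})
    return streams


def triage(log: str) -> List[str]:
    """Apply the heuristics and return human-readable findings in section order."""
    findings = []
    for e in parse_file_entries(log):
        if not e["is_dir"] and WINDOWS_ROOT_RE.match(e["path"]):
            prefix = "zero-byte " if e["size"] == 0 else ""
            findings.append(f"{prefix}file created directly under c:\\windows: {e['path']}")
    overrides = parse_security_center(log)
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if overrides.get(name) == 1:  # 1 turns off the Security Center status alert
            findings.append(f"Security Center {name}=1 (status alerts suppressed)")
    for s in parse_hidden_streams(log):
        if s["kind"] == "executable":
            findings.append(f"hidden executable stream {s['path']}:{s['stream']} ({s['size']} bytes)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against a full log the same rules also surface legitimate files such as c:\windows\War3Unin.dat, so treat the output as a reading list, not a verdict.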

Re: AV Security Suite and other issues

Hi again.

Please go to VirSCAN.org
  • Browse to each of the following file paths in the "Suspicious files to scan" box at the top of the page:

    • c:\windows\Qkutubetoguma.bin
    • c:\windows\system32\autochk(3).exe
    • c:\windows\system32\autochk(4).exe
    • c:\windows\system32\autochk(5).exe
    • c:\windows\system32\autochk(7).exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the scan is completed, click on the "Copy to Clipboard" button. This will copy the link to the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Re: AV Security Suite and other issues

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 02:16:17 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(3).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : c39a8dc88f79e5b6bfa4b89fd31a0709
SHA1 : 9686390b98451574b7ed0e4aa5ec99675d6d9516
Online report : http://virscan.org/report/75366643470ad7f73a69ee03ec666612.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100701013121 2010-07-01 40.09 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 4.42 -
AntiVir 8.2.4.2 7.10.8.236 2010-06-30 0.40 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.02 -
Authentium 5.1.1 201006302128 2010-06-30 1.67 -
AVAST! 4.7.4 100630-1 2010-06-30 0.04 -
AVG 8.5.793 271.1.1/2974 2010-07-01 0.74 -
BitDefender 7.90123.6354843 7.32521 2010-07-01 5.63 -
ClamAV 0.96.1 11301 2010-07-01 0.24 -
Comodo 3.13.579 5271 2010-06-30 40.18 -
CP Secure 1.3.0.5 2010.07.01 2010-07-01 0.10 -
Dr.Web 5.0.2.3300 2010.07.01 2010-07-01 8.85 -
F-Prot 4.4.4.56 20100630 2010-06-30 1.32 -
F-Secure 7.02.73807 2010.07.01.02 2010-07-01 0.14 -
Fortinet 4.1.133 12.102 2010-06-30 40.09 -
GData 21.439/21.160 20100630 2010-06-30 40.09 -
ViRobot 20100630 2010.06.30 2010-06-30 40.09 -
Ikarus T3.1.01.84 2010.07.01.76173 2010-07-01 7.25 -
JiangMin 13.0.900 2010.06.30 2010-06-30 40.09 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.12 2010-07-01 40.09 -
McAfee 5400.1158 6029 2010-06-30 17.20 -
Microsoft 1.5902 2010.07.01 2010-07-01 40.09 -
Norman 6.05.10 6.05.00 2010-06-30 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 40.09 -
Trend Micro 9.120-1004 7.277.00 2010-06-30 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 40.09 -
Rising 20.0 22.54.02.04 2010-06-30 40.09 -
Sophos 3.09.0 4.55 2010-07-01 3.32 -
Sunbelt 3.9.2426.2 6524 2010-06-29 40.09 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.06 -
nProtect 20100629.01 8851204 2010-06-29 40.10 -
The Hacker 6.5.2.0 v00306 2010-06-29 40.09 -
VBA32 3.12.12.5 20100630.0947 2010-06-30 2.95 -
VirusBuster 4.5.11.10 10.126.111/2042388 2010-06-30 2.68 -

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 02:32:05 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(4).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : c39a8dc88f79e5b6bfa4b89fd31a0709
SHA1 : 9686390b98451574b7ed0e4aa5ec99675d6d9516
Online report : http://virscan.org/report/30ff96a8d1a9ca0cdf89d680d495415f.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100701013121 2010-07-01 40.18 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 40.09 -
AntiVir 8.2.4.2 7.10.8.236 2010-06-30 0.28 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.00 -
Authentium 5.1.1 201006302128 2010-06-30 1.31 -
AVAST! 4.7.4 100630-1 2010-06-30 0.04 -
AVG 8.5.793 271.1.1/2974 2010-07-01 0.25 -
BitDefender 7.90123.6354843 7.32521 2010-07-01 3.83 -
ClamAV 0.96.1 11301 2010-07-01 0.01 -
Comodo 3.13.579 5271 2010-06-30 40.09 -
CP Secure 1.3.0.5 2010.07.01 2010-07-01 0.11 -
Dr.Web 5.0.2.3300 2010.07.01 2010-07-01 8.75 -
F-Prot 4.4.4.56 20100630 2010-06-30 1.32 -
F-Secure 7.02.73807 2010.07.01.02 2010-07-01 10.80 -
Fortinet 4.1.133 12.102 2010-06-30 40.09 -
GData 21.439/21.160 20100630 2010-06-30 40.09 -
ViRobot 20100630 2010.06.30 2010-06-30 40.09 -
Ikarus T3.1.01.84 2010.07.01.76173 2010-07-01 6.95 -
JiangMin 13.0.900 2010.07.01 2010-07-01 40.09 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.09 -
KingSoft 2009.2.5.15 2010.7.1.12 2010-07-01 40.09 -
McAfee 5400.1158 6029 2010-06-30 17.08 -
Microsoft 1.5902 2010.07.01 2010-07-01 40.09 -
Norman 6.05.10 6.05.00 2010-06-30 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 40.09 -
Trend Micro 9.120-1004 7.277.00 2010-06-30 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 40.09 -
Rising 20.0 22.54.02.04 2010-06-30 40.09 -
Sophos 3.09.0 4.55 2010-07-01 3.41 -
Sunbelt 3.9.2426.2 6524 2010-06-29 40.09 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.07 -
nProtect 20100629.01 8851204 2010-06-29 40.10 -
The Hacker 6.5.2.0 v00306 2010-06-29 40.09 -
VBA32 3.12.12.5 20100630.0947 2010-06-30 3.20 -
VirusBuster 4.5.11.10 10.126.111/2042388 2010-06-30 2.72 -

I'll have to do the other 2 tomorrow; I really need to get to bed, as I have work in the morning (I am on the East Coast). Thanks for all your help thus far. The computer is running great, but I will run those tests tomorrow evening when I get home from work.

Re: AV Security Suite and other issues

I'm on the East Coast too :) ....

It's likely the only one that will come up as malicious is the .bin file but we'll see. Looking forward to your reply.

Re: AV Security Suite and other issues

Got an email notification that you had posted again. First off, I'm at work posting from my BlackBerry, so I can't run the tests until I get back home. I tried to run the .bin first and it wasn't working. I'll try again tonight when I get home.

Re: AV Security Suite and other issues

Ok. Looking forward to it.

Re: AV Security Suite and other issues

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 21:57:43 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(5).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : e0dad023702958e400a6573323db02a4
SHA1 : 49c49c666931080d5184153a237a899a81ece237
Online report : http://virscan.org/report/cce4a919a7b3c7837d522660974c35fe.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100702040342 2010-07-02 5.24 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.16 -
AntiVir 8.2.4.2 7.10.8.241 2010-07-01 0.29 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007012201 2010-07-01 1.38 -
AVAST! 4.7.4 100701-1 2010-07-01 0.04 -
AVG 8.5.793 271.1.1/2976 2010-07-02 0.25 -
BitDefender 7.90123.6359071 7.32533 2010-07-02 3.99 -
ClamAV 0.96.1 11304 2010-07-02 0.23 -
Comodo 3.13.579 5282 2010-07-01 0.96 -
CP Secure 1.3.0.5 2010.07.02 2010-07-02 0.10 -
Dr.Web 5.0.2.3300 2010.07.02 2010-07-02 8.77 -
F-Prot 4.4.4.56 20100701 2010-07-01 1.31 -
F-Secure 7.02.73807 2010.07.01.07 2010-07-01 6.75 -
Fortinet 4.1.133 12.106 2010-07-01 0.20 -
GData 21.446/21.162 20100702 2010-07-02 13.68 -
ViRobot 20100701 2010.07.01 2010-07-01 0.49 -
Ikarus T3.1.01.84 2010.07.01.76178 2010-07-01 7.10 -
JiangMin 13.0.900 2010.07.01 2010-07-01 2.38 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.17 2010-07-01 1.18 -
McAfee 5400.1158 6030 2010-07-01 18.38 -
Microsoft 1.5902 2010.07.01 2010-07-01 7.14 -
Norman 6.05.10 6.05.00 2010-07-01 6.03 -
Panda 9.05.01 2010.06.30 2010-06-30 2.89 -
Trend Micro 9.120-1004 7.278.19 2010-07-01 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 1.91 -
Rising 20.0 22.54.03.05 2010-07-01 1.31 -
Sophos 3.09.0 4.55 2010-07-02 3.53 -
Sunbelt 3.9.2426.2 6533 2010-07-01 17.44 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.00 -
nProtect 20100701.01 8871763 2010-07-01 8.29 -
The Hacker 6.5.2.1 v00307 2010-07-01 0.43 -
VBA32 3.12.12.5 20100701.0827 2010-07-01 5.31 -
VirusBuster 4.5.11.10 10.126.113/2043550 2010-07-01 2.71 -

VirSCAN.org Scanned Report :
Scanned time : 2010/07/01 22:00:44 (EDT)
Scanner results: Scanners did not find malware!
File Name : autochk(7).exe
File Size : 588800 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : f42425e955b88da6b04a5fca4ca5bca2
SHA1 : a20a93a769d5905299dea477ed7b15f952848736
Online report : http://virscan.org/report/742e83fb0e9d0846395386a19fb3e7c9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.13 20100702040342 2010-07-02 15.12 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 2.46 -
AntiVir 8.2.4.2 7.10.8.241 2010-07-01 0.28 -
Antiy 2.0.18 20100701.4813005 2010-07-01 0.02 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201007012201 2010-07-01 1.33 -
AVAST! 4.7.4 100701-1 2010-07-01 0.04 -
AVG 8.5.793 271.1.1/2976 2010-07-02 0.26 -
BitDefender 7.90123.6359448 7.32535 2010-07-02 3.91 -
ClamAV 0.96.1 11304 2010-07-02 0.24 -
Comodo 3.13.579 5282 2010-07-01 2.11 -
CP Secure 1.3.0.5 2010.07.02 2010-07-02 0.10 -
Dr.Web 5.0.2.3300 2010.07.02 2010-07-02 8.78 -
F-Prot 4.4.4.56 20100701 2010-07-01 1.43 -
F-Secure 7.02.73807 2010.07.01.07 2010-07-01 0.16 -
Fortinet 4.1.133 12.106 2010-07-01 0.35 -
GData 21.446/21.162 20100702 2010-07-02 11.50 -
ViRobot 20100701 2010.07.01 2010-07-01 0.54 -
Ikarus T3.1.01.84 2010.07.01.76178 2010-07-01 7.10 -
JiangMin 13.0.900 2010.07.01 2010-07-01 2.78 -
Kaspersky 5.5.10 2010.07.01 2010-07-01 0.08 -
KingSoft 2009.2.5.15 2010.7.1.17 2010-07-01 2.01 -
McAfee 5400.1158 6030 2010-07-01 16.79 -
Microsoft 1.5902 2010.07.01 2010-07-01 8.63 -
Norman 6.05.10 6.05.00 2010-07-01 6.01 -
Panda 9.05.01 2010.06.30 2010-06-30 3.58 -
Trend Micro 9.120-1004 7.278.19 2010-07-01 0.03 -
Quick Heal 10.00 2010.06.30 2010-06-30 2.07 -
Rising 20.0 22.54.03.05 2010-07-01 1.74 -
Sophos 3.09.0 4.55 2010-07-02 3.96 -
Sunbelt 3.9.2426.2 6533 2010-07-01 19.26 -
Symantec 1.3.0.24 20100630.004 2010-06-30 0.00 -
nProtect 20100701.01 8871763 2010-07-01 12.62 -
The Hacker 6.5.2.1 v00307 2010-07-01 0.79 -
VBA32 3.12.12.5 20100701.0827 2010-07-01 3.19 -
VirusBuster 4.5.11.10 10.126.113/2043550 2010-07-01 3.40 -


Re: AV Security Suite and other issues

When I try to upload c:\windows\Qkutubetoguma.bin it says "error cannot upload file!"

Re: AV Security Suite and other issues

OK. Let's remove it, as a colleague and I are quite certain it's malicious.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the Code box below into it:

Code:

File::
c:\windows\Qkutubetoguma.bin

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: Cfscriptb4 - CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please post the contents of the log in your next reply.

Re: AV Security Suite and other issues

ComboFix 10-06-30.03 - Sean Leahy 07/01/2010 22:29:43.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1544 [GMT -4:00]
Running from: c:\documents and settings\Sean Leahy\Desktop\commy.exe
Command switches used :: c:\documents and settings\Sean Leahy\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
.

2010-07-01 05:12 . 2010-07-02 02:04 -------- d-----w- c:\program files\World of Warcraft
2010-07-01 05:06 . 2010-07-01 05:06 -------- d-----w- C:\_OTL
2010-07-01 05:02 . 2010-07-01 05:02 -------- d-----w- c:\program files\World of Warcraft.temp
2010-07-01 00:48 . 2010-07-01 00:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-01 00:26 . 2010-07-01 00:26 -------- d-----w- c:\program files\Defraggler
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-06-30 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-30 22:34 . 2010-06-30 22:34 -------- d-----w- c:\windows\.file_store_32
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-30 22:33 . 2010-06-30 22:33 -------- d-----w- c:\program files\Google Video
2010-06-26 02:23 . 2010-06-30 22:31 188584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 01:44 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-07-02 01:44 . 2006-09-03 04:21 57752 ----a-w- c:\windows\system32\Rpcnet.dll
2010-07-02 01:43 . 2009-02-16 00:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 05:09 . 2006-08-30 19:52 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-01 05:04 . 2006-08-26 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-01 02:49 . 2010-02-01 04:33 -------- d-----w- c:\program files\Heroes of Newerth
2010-07-01 00:38 . 2006-08-26 12:19 -------- d-----w- c:\program files\Google
2010-07-01 00:25 . 2009-08-03 20:09 -------- d-----w- c:\program files\CCleaner
2010-06-30 05:41 . 2006-10-27 20:37 -------- d-----w- c:\program files\Warcraft III
2010-06-23 03:03 . 2009-08-20 00:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-22 01:18 . 2008-09-14 09:16 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\Skype
2010-06-22 00:46 . 2008-09-14 09:20 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\skypePM
2010-06-19 23:27 . 2006-10-26 01:05 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-19 23:27 . 2006-10-26 01:05 88 -csh--r- c:\windows\system32\195609FFE0.sys
2010-06-19 03:54 . 2006-10-27 20:42 91488 -c--a-w- c:\windows\War3Unin.dat
2010-06-18 04:38 . 2006-11-04 06:56 -------- d-----w- c:\documents and settings\Sean Leahy\Application Data\uTorrent
2010-06-11 22:04 . 2010-02-22 01:23 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-21 18:14 . 2010-01-23 06:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 22:17 . 2006-12-05 20:22 23954 ----a-w- c:\documents and settings\Sean Leahy\Application Data\wklnhst.dat
2010-05-04 17:20 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-08-16 09:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 09:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:40 . 2005-08-16 09:18 57752 ------w- c:\windows\system32\rpcnet.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-07-01_06.01.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-02 01:43 . 2010-07-02 01:43 16384 c:\windows\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-2-2 0]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-26 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccipStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Sean Leahy^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Sean Leahy\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2006-09-21 21:36 43520 ----a-w- c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 13:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 03:23 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 20:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-08-12 21:13 21741864 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-24 02:43 1217872 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-04 17:32 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2006-02-16 14:20 1118208 -c----w- c:\program files\Creative\VoiceCenter\AndreaVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\firehousehoss23@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Sean Leahy\\Local Settings\\Apps\\2.0\\HKN2TL5K.KMN\\HX6HWK9N.6KA\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:blizz
"6112:TCP"= 6112:TCP:blizz
"6881:TCP"= 6881:TCP:blizz
"6999:TCP"= 6999:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/31/2009 3:47 AM 207792]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [1/23/2010 3:22 AM 112592]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 8:58 PM 359624]
S3 skfilt;skfilt;c:\windows\system32\drivers\skfilt.sys --> c:\windows\system32\drivers\skfilt.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2005-08-16 00:12]

2010-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 03:23]

2010-07-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\Sean Leahy\Application Data\Mozilla\Firefox\Profiles\jiyiout7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\mslbui.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-01 22:37:12
ComboFix-quarantined-files.txt 2010-07-02 02:37
ComboFix2.txt 2010-07-01 06:04
ComboFix3.txt 2010-07-01 05:39

Pre-Run: 4,184,166,400 bytes free
Post-Run: 4,168,400,896 bytes free

- - End Of File - - 1A4CC87C37CABF98578842D9C48C4F55
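
The two posts above identify c:\windows\Qkutubetoguma.bin from the ComboFix log and remove it with a File:: script. The following Python script is an added example (not part of the thread and not ComboFix's own logic) that automates the reading a helper applies to such a log: it parses the "Files Created" section and flags files written straight into the Windows directory when a corroborating sign is present (zero-byte size, or a companion file created in the same minute, as c:\windows\Ulelace.dat was), and it pulls the Security Center override flags and the firewall's globally open ports out of the "Reg Loading Points" section. The scoring rules, the section slicing and the regular expressions are assumptions made for the example; the sample input is an excerpt of the log posted above.

```python
"""Triage checks for a ComboFix log (added example, not ComboFix's own logic).
The rules are assumptions that reproduce the helper's reading of the log."""
import re
from collections import Counter

# One "Files Created" entry, e.g.
# 2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-\w]{8}) (?P<path>.+)$")
# "AntiVirusOverride"=dword:00000001  (Security Center "do not warn" flags)
OVERRIDE_RE = re.compile(r'^"(?P<name>\w+Override)"=dword:(?P<value>[0-9a-fA-F]{8})$')
# "3724:TCP"= 3724:TCP:blizz  (Windows Firewall GloballyOpenPorts list)
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')

WINDOWS_ROOT = "c:\\windows"


def section(text, title):
    """Lines of the ComboFix section whose '(((( ... ))))' header contains
    title, up to the next such header."""
    lines, inside = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("((("):
            inside = title in s
        elif inside:
            lines.append(s)
    return lines


def created_files(text):
    """Parse the 'Files Created' section; directories (attrs 'd...') are skipped."""
    out = []
    for s in section(text, "Files Created"):
        m = ENTRY_RE.match(s)
        if m and not m.group("attrs").startswith("d"):
            out.append({"created": m.group("created"),
                        "size": int(m.group("size")),
                        "path": m.group("path")})
    return out


def flag_created_files(text):
    """{path: [reasons]} for files sitting directly in the Windows directory
    that also show at least one corroborating sign (assumed rules)."""
    entries = created_files(text)
    per_minute = Counter(e["created"] for e in entries)  # droppers write file sets
    flagged = {}
    for e in entries:
        directory = e["path"].lower().rpartition("\\")[0]
        if directory != WINDOWS_ROOT:      # system32, drivers etc. are not scored here
            continue
        reasons = ["written directly into the Windows directory"]
        if e["size"] == 0:
            reasons.append("zero-byte file")
        if per_minute[e["created"]] > 1:
            reasons.append("created in the same minute as another new file")
        if len(reasons) > 1:
            flagged[e["path"]] = reasons
    return flagged


def security_center_overrides(text):
    """Names of Security Center *Override values that are non-zero, i.e. the
    antivirus / firewall status warnings are suppressed."""
    return [m.group("name")
            for m in map(OVERRIDE_RE.match, map(str.strip, text.splitlines()))
            if m and int(m.group("value"), 16) != 0]


def globally_open_ports(text):
    """(port, protocol, label) for each firewall GloballyOpenPorts entry."""
    return [(int(m.group("port")), m.group("proto"), m.group("label"))
            for m in map(PORT_RE.match, map(str.strip, text.splitlines())) if m]


# Excerpt of the log posted above (other sections and entries omitted).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-02 to 2010-07-02 )))))))))))))))))))))))))))))))
2010-07-01 05:12 . 2010-07-02 02:04 -------- d-----w- c:\program files\World of Warcraft
2010-06-30 22:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 22:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-17 04:28 . 2010-06-26 02:10 120 ----a-w- c:\windows\Ulelace.dat
2010-06-17 04:28 . 2010-06-26 02:10 0 ----a-w- c:\windows\Qkutubetoguma.bin
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-07-02 01:44 . 2006-09-05 15:14 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"3724:TCP"= 3724:TCP:blizz
"11804:TCP"= 11804:TCP:torrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"""

if __name__ == "__main__":
    for path, why in flag_created_files(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
    print("Security Center overrides:", security_center_overrides(SAMPLE_LOG))
    print("Globally open ports:", globally_open_ports(SAMPLE_LOG))
```

Run against the excerpt, it flags both c:\windows files (Qkutubetoguma.bin on all three counts, Ulelace.dat on two), reports that AntiVirusOverride and FirewallOverride are set (with those values Security Center no longer warns about a disabled antivirus or firewall, so they are worth resetting to 0 after cleanup), and lists the globally open ports, which the owner should recognise as their own game and torrent rules. Files under system32 and drivers (the Malwarebytes drivers here) are deliberately not scored, since legitimate installers write there all the time.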

Re: AV Security Suite and other issues

Hi again,

How are things running now? An update would be appreciated.

Re: AV Security Suite and other issues

Things seem to be running great. I have not had an issue since last night. I have not run any virus scans today to look for anything, but I can if you want. No hijacking, no JIT debugger popups, nothing.

Re: AV Security Suite and other issues

OK. Let's just make sure everything is gone:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


EDIT: 1,000 posts LOL

Re: AV Security Suite and other issues

I can't open Internet Explorer; it says error and wants me to send an error report.

Re: AV Security Suite and other issues

OK, try this one:

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Re: AV Security Suite and other issues

Running the Kaspersky scan. Going to bed; I'll leave it on and post before work in the morning because it seems to be taking a while. Comp is running great. I'll post in the morning.

Re: AV Security Suite and other issues

OK. Kaspersky usually takes quite a while, so it might not be done when you get up in the morning. I look forward to seeing the log.

Re: AV Security Suite and other issues

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, July 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, July 02, 2010 00:04:19
Records in database: 4259650
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 95255
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 02:51:34


File name / Threat / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP879\A0327717.exe Infected: Trojan.Win32.FraudPack.aygx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP887\A0331154.DLL Infected: Trojan-Spy.Win32.Brospa.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP889\A0331467.sys Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.


Headed to work.

Re: AV Security Suite and other issues

All that looks fine. The infections will be removed when we do cleanup. How are things running now?
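
The reply above reads the Kaspersky report as clean because none of the five hits is a live file: one is the mIRC client labelled not-a-virus, one is the copy of i8042prt.sys that ComboFix had already quarantined under C:\Qoobox (the .vir suffix), and three sit inside System Restore points, which the later step of resetting System Restore deletes. The following Python script is an added example, not the scanner's or the helper's own code, that applies that classification to report lines. The categories are assumptions, and the last sample line is constructed (it is not in the real report) to show what a live detection of the same rootkit would look like.

```python
"""Triage of a Kaspersky Online Scanner report (added example; not the
scanner's or the helper's own code). The categories are assumptions that
encode the reading given in the reply above."""
import re

# e.g.  C:\Qoobox\Quarantine\...\i8042prt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify(path, threat):
    """Action class for one hit (assumed categories)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # ComboFix's copy (.vir); goes away with 'ComboFix /u'
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # inert unless restored; cleared by resetting System Restore
    if threat.lower().startswith("not-a-virus:"):
        return "pua"            # legitimate tool the scanner labels (here the mIRC client)
    return "live"               # an active file on disk: still needs cleaning


def triage(report):
    """{class: [(path, threat)]} for every 'Infected:' line of the report."""
    result = {"live": [], "quarantined": [], "restore-point": [], "pua": []}
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            result[classify(m.group("path"), m.group("threat"))].append(
                (m.group("path"), m.group("threat")))
    return result


def needs_action(report):
    """Paths the user must still deal with: live hits only."""
    return [path for path, _ in triage(report)["live"]]


# The five hits from the report above, plus one constructed line (not in the
# real report) showing what a live detection of the same rootkit would look like.
SAMPLE_REPORT = r"""
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\i8042prt.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP879\A0327717.exe Infected: Trojan.Win32.FraudPack.aygx 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP887\A0331154.DLL Infected: Trojan-Spy.Win32.Brospa.aa 1
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP889\A0331467.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\drivers\example.sys Infected: Rootkit.Win32.TDSS.ap 1
"""

if __name__ == "__main__":
    for cls, hits in triage(SAMPLE_REPORT).items():
        for path, threat in hits:
            print(f"{cls:13} {threat:40} {path}")
```

The point of the split is that a scanner counts a quarantined or restore-point copy exactly like a running infection, so a report with "Threats found: 4" can still describe a clean machine; only the "live" bucket should drive further cleaning, while the other buckets are what the uninstall of ComboFix and the System Restore reset are for.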

Re: AV Security Suite and other issues

Things are running great still. Just got home from work. What's next?

Re: AV Security Suite and other issues

If there are no more issues:

Congratulations!! Your PC is all clean!

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type Run in the Start search, and click on Run in the results pane.
• In the field, type in ComboFix /u

[image: Cf310]

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.


There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

Cleaning

Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

ATF Cleaner
CCleaner

Defragmenting Your Hard Disk

Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit Enter; or
right-click My Computer, choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

Repeat for multiple partitions/hard disks.

System Restore Cleanup Instructions

If you are using Windows ME or XP then it is good to disable and re-enable System Restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way.)
You can find instructions on how to disable and re-enable System Restore here:

Windows ME System Restore Guide

Windows XP System Restore Guide

Reading Tip:
Computer Health
Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

Install the updates immediately, if they are found. Reboot your computer if necessary, and revisit the Windows Update and Office Update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update

Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but installed at another time.
4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
2. Never open emails from unknown senders.
3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the NoScript add-on, which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft Article to learn how to back up. Follow This Article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
Bleeping Computer

Avoid P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Prevent A Re-infection

1. Winpatrol

Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features Here

You can get a Free Copy of Winpatrol or use the Plus Version for more features.

You can read the Win Patrol FAQ if you run into problems.

2. Hosts File

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

Installing one of the Hosts files below will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
MVPS Hosts File
Blue Tack's Hosts File
Blue Tack's Hosts Manager

3. Spybot Search and Destroy

Spybot Search & Destroy is another program for scanning for spyware and adware. You are strongly encouraged to run a scan at least once per week.

Spybot Search & Destroy can be downloaded from here.

If you need help in using Spybot Search & Destroy, you can read the Spybot Search and Destroy tutorial at Bleeping Computer.

4. SiteHound Toolbar

SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

====

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
============================================================
See this page for more info about malware and prevention.
Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site.
Before the thread is archived, do you have any more questions?

Happy surfing and stay clean!
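
For the "2. Hosts File" section of the post above, the following Python script is an added example (not part of the thread, and not one of the hosts files linked there) that audits a Windows hosts file. A blocking hosts file maps unwanted names to 127.0.0.1 or 0.0.0.0, so the safe shape of an entry is loopback plus a name; the reverse, mapping a real site to some other address, is the hijack that malware uses to redirect victims or to keep security tools from reaching their update servers, and it is the thing to check before trusting any online scan. The watched-name list and the sample file are constructed assumptions (the addresses come from documentation ranges).

```python
"""Audit of a Windows hosts file (added example; not part of the thread and
not one of the hosts files linked above). Blocking entries send unwanted names
to the loopback or null address; an entry that sends a real name anywhere else
is the hijack pattern malware uses. The watched-name list is an assumption."""
import ipaddress

BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Names that must never be redirected (illustrative; extend for your environment).
WATCHED = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "eset.com",
           "malwarebytes.org")


def is_watched(name):
    """True if name is one of WATCHED or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments and blanks are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text):
    """List of (verdict, ip, hostname). Verdicts:
    'local'    - a loopback name mapped to loopback/null
    'block'    - any other name sent to loopback/null: the intended blocking use
    'hijack'   - a watched name mapped to some other address
    'redirect' - any other name mapped to some other address: review it
    'invalid'  - first field is not an IP address"""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("invalid", ip, name))
            continue
        if ip in BLACKHOLE:
            verdict = "local" if name in LOCAL_NAMES else "block"
        elif is_watched(name):
            verdict = "hijack"
        else:
            verdict = "redirect"
        findings.append((verdict, ip, name))
    return findings


def hijacked(text):
    """Entries to remove before trusting any online scan or update."""
    return [(ip, name) for verdict, ip, name in audit_hosts(text) if verdict == "hijack"]


# Constructed sample: a few blocking lines in the MVPS style plus the kind of
# entries a rogue AV leaves behind (addresses are from documentation ranges).
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # added by a blocking hosts file
192.0.2.10 www.microsoft.com update.microsoft.com
192.0.2.10 update.kaspersky.com
198.51.100.7 www.example.com
"""

if __name__ == "__main__":
    for verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:9} {ip:15} {name}")
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; the same audit is worth running on a system that was infected with a rogue AV even after the blocking hosts file has been installed, because the blocking file only adds loopback lines and a surviving hijack line would be read first.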
