WiredWX Christian Hobby Weather Tools

Backdoor.Tidserv!inf Problems.

This thing has been bugging me for a while now. Malwarebytes removes it, or seems to, and then it comes back, even though I had System Restore off when I did my biggest cleaning. I am not sure what you guys need to help me, but anything you can do would be greatly appreciated. In Norton, the log shows that the infected files were two temp files, 165 and 169; I deleted both just today, and am doing another scan.

Last edited by Anjohl on 25th November 2008, 2:48 pm; edited 1 time in total

Re: Backdoor.Tidserv!inf Problems.

Hello, welcome to GeekPolice.

Please read this topic and follow the instructions there. Then post a HijackThis log.

A member of the Tech Staff will be assisting you later on.

Last edited by Doctor Inferno on 26th November 2008, 2:51 am; edited 1 time in total


Re: Backdoor.Tidserv!inf Problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:21 AM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zune\Zune.exe
C:\Program Files\Common Files\Symantec Shared\SecurityHistory\mcui32.exe
C:\PROGRA~1\Symantec\Norton AntiVirus\navw32.exe
C:\Documents and Settings\Jason\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'John')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.houston.c-mar.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab55579.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} (prjOCFTools.OCFTools) - http://www.rogershelp.com/ocf/prjOCFTools.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {E68C89AA-554F-43F3-8D5E-9B36D873081B} (prjOCFTools.OCFTools) - http://www.rogershelp.com/ocf/prjOCFTools.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by128fd.bay128.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 13544 bytes

Re: Backdoor.Tidserv!inf Problems.

Hello. Execute this.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)


  • Press "Fix Checked"
  • Close HijackThis.


Delete this file:
C:\WINDOWS\system32\kdfct.exe

Since you already have MBAM on your system, we'll start there.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.

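A defender-side triage of the two HijackThis entries singled out in the post above, as an added example that is not part of the thread or of HijackThis itself: it parses O4 Run-key and O24 desktop-component lines and flags a Run value that is named after its own executable path (the kdfct.exe pattern) and items whose backing file is gone ("(no file)" / "(file missing)"). The sample log is constructed in the shape of the thread's log with a made-up SID, and the heuristics are this example's assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v2 log for the entry patterns flagged in this thread.

Added example, not HijackThis code. The rules below are heuristics chosen
for this write-up: they narrow a long log to the lines worth a second look,
they do not prove an entry malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied in shape from the thread's log, with a
# made-up SID. Only the kdfct.exe and Privacy Protection lines should fire.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdfct.exe] C:\WINDOWS\system32\kdfct.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1111111111-2222222222-3333333333-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'John')
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# O4 line: "O4 - <hive>[\<SID>]\..\Run<Once>: [<value name>] <command> [(User '<name>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O24 line: "O24 - Desktop Component <n>: <label> - <file or (no file)>"
O24_RE = re.compile(r"^O24 - Desktop Component (?P<idx>\d+): (?P<label>.*?) - (?P<file>.*)$")
# A Run value name that is itself a drive-rooted path to a program.
PATH_LIKE = re.compile(r"^[A-Za-z]:\\.*\.(exe|dll|com|bat|scr)$", re.IGNORECASE)
# First program path in an unquoted command, ignoring any arguments after it.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|bat|scr))(?=\s|$)", re.IGNORECASE)
# Markers HijackThis prints when the referenced file is absent on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4" or "O24"
    reason: str    # why the line was flagged
    line: str      # the exact log line, ready to tick under "Fix Checked"


def parse_o4(line):
    """Split an O4 Run-key line into hive, key, value name, command and user."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def executable_of(command):
    """Return the program path from an O4 command, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group("path") if m else command


def triage(log_text):
    """Return the log lines that match one of the heuristics, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        o4 = parse_o4(line)
        if o4:
            # Installers give Run values a descriptive name; a value named
            # after its own full path is the pattern the helper picked out.
            if PATH_LIKE.match(o4["name"].strip()):
                findings.append(Finding("O4", "Run value named after its own executable path", line))
                continue
        o24 = O24_RE.match(line)
        if o24 and o24["file"].strip().lower() in MISSING_MARKERS:
            findings.append(Finding("O24", f"orphaned desktop component {o24['label']!r}", line))
            continue
        # Generic catch for any other section whose target file is gone.
        if any(marker in line.lower() for marker in MISSING_MARKERS):
            findings.append(Finding(line.split(" - ", 1)[0], "entry points at a file that no longer exists", line))
    return findings


def fix_checklist(findings):
    """Lines to tick under 'Do a system scan only' before pressing 'Fix Checked'."""
    return [f.line for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```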

Re: Backdoor.Tidserv!inf Problems.

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

11/25/2008 3:41:19 PM
mbam-log-2008-11-25 (15-41-19).txt

Scan type: Quick Scan
Objects scanned: 66036
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:54 PM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\WINDOWS\system32\ZuneWlanCfgSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zune\Zune.exe
C:\Program Files\Steam\Steam.exe
c:\program files\steam\steamapps\anjohl\the ship single player\ship.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jason\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User 'John')
O4 - HKUS\S-1-5-21-329068152-789336058-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'John')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {203C12EA-EF5A-4989-BD68-5844A877A9AF} (prjOCFTools.OCFTools) - http://ocf.rogershelp.com/prjOCFTools.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.houston.c-mar.com/Citrix/ICAWEB/en/ica32/wficac.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {339234B4-4E14-4280-B8B4-8BAE5AF99063} (Chess Object) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab55579.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {916C95B3-55DA-43F7-A88F-32D37770306A} (prjOCFTools.OCFTools) - http://www.rogershelp.com/ocf/prjOCFTools.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab70018.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {E68C89AA-554F-43F3-8D5E-9B36D873081B} (prjOCFTools.OCFTools) - http://www.rogershelp.com/ocf/prjOCFTools.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by128fd.bay128.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 13511 bytes

Re: Backdoor.Tidserv!inf Problems.

I see the DNS hijacker went away, but the Privacy Protection O24 item didn't.


  • Download ComboFix from here, using the top link - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select Yes.

    (screenshot: ComboFix prompt asking whether to continue the malware scan)

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Backdoor.Tidserv!inf Problems.
ComboFix 08-11-26.01 - Jason 2008-11-25 17:03:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.534 [GMT -3.5:30]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Jason\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Jason\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\Downloaded Program Files\Quarantine
c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 15:22 . 2008-11-25 15:24 d-------- C:\Hellgate London Demo Setup
2008-11-19 12:43 . 2008-11-19 12:43 d-------- c:\program files\CDisplay
2008-11-19 09:34 . 2008-11-25 15:31 d-------- c:\windows\LastGood
2008-11-18 00:30 . 2008-11-18 00:37 d-------- c:\program files\Soulseek
2008-11-13 01:38 . 2008-11-13 01:38 d-------- c:\documents and settings\All Users\Application Data\CCP
2008-11-12 05:13 . 2008-09-04 13:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 05:13 . 2008-10-24 07:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 23:29 . 2008-11-11 23:29 d-------- c:\windows\WinRAR
2008-11-11 23:27 . 2008-11-12 02:22 d-------- c:\program files\a-squared Free
2008-11-11 23:11 . 2008-11-11 23:11 0 --a------ c:\windows\ativpsrm.bin
2008-11-11 23:08 . 2008-11-11 23:08 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-11 23:01 . 2008-11-11 23:18 d-------- c:\program files\Uniblue
2008-11-11 22:52 . 2008-11-11 23:18 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-11-11 22:47 . 2008-11-11 22:49 1,631 --a------ c:\windows\ATICIM.INI
2008-11-11 22:39 . 2008-11-11 22:39 d-------- c:\documents and settings\Jason\Application Data\ATI
2008-11-11 22:36 . 2008-11-11 22:36 d-------- C:\ATI
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\Jason\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 19:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-03 00:19 . 2008-11-03 00:19 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-02 23:20 . 2008-11-02 23:20 d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-11-02 23:16 . 2008-02-17 22:31 d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-02 23:16 . 2008-11-02 23:16 d-------- c:\documents and settings\Administrator
2008-11-01 01:24 . 2007-10-12 14:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-11-01 01:24 . 2007-10-12 14:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-01 01:24 . 2007-10-02 08:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-01 01:24 . 2007-10-22 02:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2008-11-01 01:24 . 2007-07-19 23:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2008-10-30 20:42 . 2008-10-30 20:42 d-------- c:\documents and settings\Mary\Application Data\Ahead
2008-10-30 20:41 . 2008-10-30 20:41 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-27 20:22 . 2008-10-27 20:23 d-------- c:\program files\Juice

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 20:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-26 20:35 --------- d-----w c:\documents and settings\Jason\Application Data\uTorrent
2008-11-25 17:53 --------- d-----w c:\program files\Steam
2008-11-19 10:46 --------- d-----w c:\program files\Zune
2008-11-13 05:40 --------- d-----w c:\documents and settings\Jason\Application Data\GetRightToGo
2008-11-12 04:09 --------- d-----w c:\documents and settings\Jason\Application Data\LimeWire
2008-11-12 04:08 --------- d-----w c:\documents and settings\Jason\Application Data\Apple Computer
2008-11-12 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 02:21 --------- d-----w c:\program files\ATI Technologies
2008-11-12 02:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-10 15:39 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 15:39 70,656 ----a-w c:\windows\system32\ZuneIPTransport.dll
2008-11-10 15:39 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll
2008-11-10 15:39 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll
2008-11-10 15:39 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 15:39 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll
2008-11-10 15:39 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll
2008-11-02 04:28 --------- d-----w c:\program files\Rogers
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:38 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-20 13:55 --------- d-----w c:\documents and settings\John\Application Data\Uniblue
2008-10-16 17:43 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 17:43 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 17:42 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 17:42 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 17:39 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 17:39 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 17:36 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 17:36 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-10 20:01 --------- d-----w c:\documents and settings\Ryan\Application Data\Yahoo!
2008-10-09 02:12 --------- d-----w c:\program files\uTorrent
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-10-05 05:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-10-03 18:04 625,032 ----a-w c:\windows\system32\SymNeti.dll
2008-10-03 18:04 242,056 ----a-w c:\windows\system32\SymRedir.dll
2008-10-03 17:44 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 17:44 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 17:44 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
2008-10-03 17:44 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 17:44 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 17:44 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 17:44 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 17:44 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 17:44 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2008-09-30 20:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 00:20 --------- d-----w c:\program files\Messenger Plus! Live
2008-09-29 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-09-27 18:56 --------- d-----w c:\program files\Split Join Convert Video
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2008-09-24 00:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-27 18:49 581,192 ----a-w c:\windows\system32\WinUSBCoInstaller.dll
2008-08-27 18:49 1,302,600 ----a-w c:\windows\system32\WUDFUpdate_01007.dll
2008-08-27 18:48 1,112,288 ----a-w c:\windows\system32\WdfCoInstaller01007.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-05-06 11:59 30,142 -c--a-w c:\documents and settings\John\Application Data\wklnhst.dat
2008-03-04 02:32 424 ----a-w c:\documents and settings\Mary\Application Data\wklnhst.dat
2007-10-16 22:31 59,600 ----a-w c:\documents and settings\Mary\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 01:12 544 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2006-07-06 03:45 889 -csha-w c:\windows\system32\mmf(2)(2)(2).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(3).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(4).sys
2006-07-05 03:05 889 -csha-w c:\windows\system32\mmf(2)(2).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(3)(2).sys
2006-06-24 21:40 889 -csha-w c:\windows\system32\mmf(2)(3).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(4).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(5).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(6).sys
2007-01-22 20:13 889 -csha-w c:\windows\system32\mmf(2)(7).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(3)(2).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(3)(3).sys
2006-07-06 10:55 889 -csha-w c:\windows\system32\mmf(3)(4).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(4)(2).sys

Re: Backdoor.Tidserv!inf Problems.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\progra~1\Symantec\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2008-05-16 2733416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"16881:UDP"= 16881:UDP:Torrent
"80:TCP"= 80:TCP:MSN games port
"1863:TCP"= 1863:TCP:MSN Port 2

R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-10-10 2560]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-03 170640]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-03 15504]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-11 27904]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jason.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-25 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Jason.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 05:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF}
IE: {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - -

c:\windows\system32\usbaptest.dll - O16 -: {040F4385-8DAD-4306-94BF-B8291D841FAE}
hxxp://www.nintendowifi.com/troubleshooting/usbaptest.cab
c:\windows\Downloaded Program Files\usbaptest.inf

c:\windows\Downloaded Program Files\sysreqlab3.dll - c:\windows\Downloaded Program Files\sysreqlab_srl.dll
O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
c:\windows\Downloaded Program Files\sysreqlab.osd

c:\windows\system32\capicom.dll - c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\prjOCFTools.ocx
O16 -: {916C95B3-55DA-43F7-A88F-32D37770306A}
hxxp://www.rogershelp.com/ocf/prjOCFTools.CAB
c:\windows\Downloaded Program Files\prjOCFTools.INF

c:\windows\system32\capicom.dll - c:\windows\system32\MSINET.OCX
c:\windows\system32\msvbvm60.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\asycfilt.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\comcat.dll
c:\windows\Downloaded Program Files\CONFLICT.2\prjOCFTools.ocx
O16 -: {E68C89AA-554F-43F3-8D5E-9B36D873081B}
hxxp://www.rogershelp.com/ocf/prjOCFTools.CAB
c:\windows\Downloaded Program Files\CONFLICT.2\prjOCFTools.INF
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 17:05:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-26 17:06:39
ComboFix-quarantined-files.txt 2008-11-26 20:36:36

Pre-Run: 120,865,566,720 bytes free
Post-Run: 121,224,257,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

286 --- E O F --- 2008-11-12 23:24:02

Re: Backdoor.Tidserv!inf Problems.
Nearly there, this CFScript should do it.

Now open a new notepad file.
Input this into the notepad file:

Driver::
Ndisprot

File::
c:\windows\system32\drivers\ndisprot.sys
c:\windows\ativpsrm.bin

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
(screenshot: dragging CFScript.txt onto the ComboFix.exe icon)

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

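The ComboFix log posted earlier shows the Windows Security Center notifications switched off ("AntiVirusDisableNotify"/"UpdatesDisableNotify" set to 1) and the XP firewall disabled ("EnableFirewall"= 0), and the helper's CFScript above resets exactly those values. As an added illustration, not code from the thread or from ComboFix, the Python below parses the "Reg Loading Points" section of a ComboFix log, flags those security-weakening settings, and emits the matching Registry:: block in CFScript form so a reviewer can compare it with the helper's script. The sample log text is a constructed excerpt of the lines that appear in the thread; the key names in WEAK_SETTINGS are the ones ComboFix printed, and it is assumed that ComboFix's "HKLM\~\services" shorthand is passed through unchanged because the helper's CFScript uses the same spelling.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the "Reg Loading Points" section from the ComboFix log
# posted in this thread (trimmed to the entries relevant to the check).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# (registry key as ComboFix prints it, lowercased; value name) -> (weak value, secure value).
# These are the three values the helper's CFScript in this thread resets.
WEAK_SETTINGS: Dict[Tuple[str, str], Tuple[int, int]] = {
    (r"hkey_local_machine\software\microsoft\security center", "AntiVirusDisableNotify"): (1, 0),
    (r"hkey_local_machine\software\microsoft\security center", "UpdatesDisableNotify"): (1, 0),
    # "~" is ComboFix's abbreviation in the log; assumed here to be accepted verbatim in CFScript.
    (r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile", "EnableFirewall"): (0, 1),
}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def decode_value(raw: str):
    """Turn ComboFix's value renderings into Python values where they are numeric."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)          # REGEDIT4 style: dword:00000001
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))              # ComboFix style: 0 (0x0)
    return raw                              # strings, paths, empty values: keep as text


def parse_reg_loading_points(text: str) -> Dict[str, Tuple[str, Dict[str, object]]]:
    """Map lowercased key -> (key as printed, {value name: decoded value})."""
    sections: Dict[str, Tuple[str, Dict[str, object]]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, (m.group(1), {}))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][1][m.group(1)] = decode_value(m.group(2).strip())
    return sections


def audit_weak_settings(sections) -> List[Tuple[str, str, object, int]]:
    """Return (key as printed, value name, observed value, secure value) for each weakened setting."""
    findings = []
    for (key, name), (weak, secure) in WEAK_SETTINGS.items():
        printed, values = sections.get(key, (key, {}))
        if name in values and values[name] == weak:
            findings.append((printed, name, values[name], secure))
    return findings


def cfscript_registry_section(findings) -> str:
    """Render the findings as the Registry:: block of a CFScript, one [key] per affected key."""
    by_key: Dict[str, List[Tuple[str, int]]] = {}
    for printed, name, _observed, secure in findings:
        by_key.setdefault(printed, []).append((name, secure))
    lines = ["Registry::"]
    for printed, values in by_key.items():
        lines.append(f"[{printed}]")
        for name, secure in values:
            lines.append(f'"{name}"=dword:{secure:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_weak_settings(parse_reg_loading_points(SAMPLE_LOG))
    for printed, name, observed, secure in found:
        print(f"{printed}\\{name}: observed {observed}, expected {secure}")
    print(cfscript_registry_section(found))
```

Running the generated block back through the same parser is a cheap self-check: once the values read 0/0/1 the audit returns nothing, which is also what a second ComboFix log should show after the script has been applied (the second log in this thread no longer lists the "security center" notification keys or the "EnableFirewall" line).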

Re: Backdoor.Tidserv!inf Problems.
ComboFix 08-11-26.01 - Jason 2008-11-26 18:46:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.535 [GMT -3.5:30]
Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jason\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\ativpsrm.bin
c:\windows\system32\drivers\ndisprot.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ativpsrm.bin
c:\windows\system32\drivers\ndisprot.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROT
-------\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-25 15:22 . 2008-11-25 15:24 d-------- C:\Hellgate London Demo Setup
2008-11-19 12:43 . 2008-11-19 12:43 d-------- c:\program files\CDisplay
2008-11-18 00:30 . 2008-11-18 00:37 d-------- c:\program files\Soulseek
2008-11-13 01:38 . 2008-11-13 01:38 d-------- c:\documents and settings\All Users\Application Data\CCP
2008-11-12 05:13 . 2008-09-04 13:45 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 05:13 . 2008-10-24 07:51 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 23:29 . 2008-11-11 23:29 d-------- c:\windows\WinRAR
2008-11-11 23:27 . 2008-11-12 02:22 d-------- c:\program files\a-squared Free
2008-11-11 23:01 . 2008-11-11 23:18 d-------- c:\program files\Uniblue
2008-11-11 22:52 . 2008-11-11 23:18 d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-11-11 22:47 . 2008-11-11 22:49 1,631 --a------ c:\windows\ATICIM.INI
2008-11-11 22:39 . 2008-11-11 22:39 d-------- c:\documents and settings\Jason\Application Data\ATI
2008-11-11 22:36 . 2008-11-11 22:36 d-------- C:\ATI
2008-11-10 12:23 . 2008-11-10 12:23 243,840 --a------ c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 . 2008-11-10 12:23 60,032 --a------ c:\windows\system32\ZuneBusEnum.exe
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\Jason\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-11-03 19:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 19:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 19:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-03 00:19 . 2008-11-03 00:19 d-------- c:\documents and settings\Administrator\Application Data\Lavasoft
2008-11-02 23:20 . 2008-11-02 23:20 d-------- c:\documents and settings\Administrator\Application Data\Yahoo!
2008-11-02 23:16 . 2008-02-17 22:31 d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2008-11-02 23:16 . 2008-11-02 23:16 d-------- c:\documents and settings\Administrator
2008-11-01 01:24 . 2007-10-12 14:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-11-01 01:24 . 2007-10-12 14:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-11-01 01:24 . 2007-10-02 08:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2008-11-01 01:24 . 2007-07-19 17:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-11-01 01:24 . 2007-10-22 02:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2008-11-01 01:24 . 2007-07-19 23:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2008-10-30 20:42 . 2008-10-30 20:42 d-------- c:\documents and settings\Mary\Application Data\Ahead
2008-10-30 20:41 . 2008-10-30 20:41 664 --a------ c:\windows\system32\d3d9caps.dat
2008-10-27 20:22 . 2008-10-27 20:23 d-------- c:\program files\Juice

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 22:19 --------- d-----w c:\documents and settings\Jason\Application Data\uTorrent
2008-11-26 21:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-25 17:53 --------- d-----w c:\program files\Steam
2008-11-19 10:46 --------- d-----w c:\program files\Zune
2008-11-13 05:40 --------- d-----w c:\documents and settings\Jason\Application Data\GetRightToGo
2008-11-12 04:09 --------- d-----w c:\documents and settings\Jason\Application Data\LimeWire
2008-11-12 04:08 --------- d-----w c:\documents and settings\Jason\Application Data\Apple Computer
2008-11-12 02:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 02:21 --------- d-----w c:\program files\ATI Technologies
2008-11-12 02:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:17 --------- d-----w c:\program files\Common Files\Adobe
2008-11-02 04:28 --------- d-----w c:\program files\Rogers
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 21:38 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-20 13:55 --------- d-----w c:\documents and settings\John\Application Data\Uniblue
2008-10-10 20:01 --------- d-----w c:\documents and settings\Ryan\Application Data\Yahoo!
2008-10-09 02:12 --------- d-----w c:\program files\uTorrent
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-10-05 05:06 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-10-05 05:05 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-10-05 04:35 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-10-03 17:44 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 17:44 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 17:44 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
2008-10-03 17:44 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 17:44 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 17:44 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 17:44 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 17:44 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 17:44 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2008-09-29 00:20 --------- d-----w c:\program files\Messenger Plus! Live
2008-09-29 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
2008-09-27 18:56 --------- d-----w c:\program files\Split Join Convert Video
2008-05-06 11:59 30,142 -c--a-w c:\documents and settings\John\Application Data\wklnhst.dat
2008-03-04 02:32 424 ----a-w c:\documents and settings\Mary\Application Data\wklnhst.dat
2007-10-16 22:31 59,600 ----a-w c:\documents and settings\Mary\Application Data\GDIPFONTCACHEV1.DAT
2006-12-21 01:12 544 -c--a-w c:\documents and settings\Ryan\Application Data\wklnhst.dat
2006-07-06 03:45 889 -csha-w c:\windows\system32\mmf(2)(2)(2).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(3).sys
2006-07-06 00:58 889 -csha-w c:\windows\system32\mmf(2)(2)(4).sys
2006-07-05 03:05 889 -csha-w c:\windows\system32\mmf(2)(2).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(3)(2).sys
2006-06-24 21:40 889 -csha-w c:\windows\system32\mmf(2)(3).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(4).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(2)(5).sys
2006-07-06 03:54 889 -csha-w c:\windows\system32\mmf(2)(6).sys
2007-01-22 20:13 889 -csha-w c:\windows\system32\mmf(2)(7).sys
2006-07-05 03:00 889 -csha-w c:\windows\system32\mmf(3)(2).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(3)(3).sys
2006-07-06 10:55 889 -csha-w c:\windows\system32\mmf(3)(4).sys
2006-07-06 01:04 889 -csha-w c:\windows\system32\mmf(4)(2).sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-26_17.06.03.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 23:32:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-07-19 00:40:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 17:38:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 00:40:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 17:38:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-19 00:40:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 17:39:44 43,544 ----a-w c:\windows\system32\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 335872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2007-10-26 509224]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\progra~1\Symantec\osCheck.exe" [2007-01-14 771704]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"Rogers SHS"="c:\program files\Rogers\SelfHealing\shs.exe" [2008-05-16 2733416]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AsioReg"="CTASIO.DLL" [2003-02-20 c:\windows\system32\CTASIO.DLL]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"16881:UDP"= 16881:UDP:Torrent
"80:TCP"= 80:TCP:MSN games port
"1863:TCP"= 1863:TCP:MSN Port 2

R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-10-10 2560]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-03 170640]
R2 RogersSelfHelpService;Rogers SHS Service;c:\program files\Rogers\SelfHealing\RogersSelfHelpService.exe [2008-05-16 140648]
R2 RogersUpdateManager;Rogers Update Manager;c:\program files\Rogers\Update Manager\RogersUpdateManager.exe [2008-04-22 163840]
R2 zumbus;Zune Bus Enumerator Driver;c:\windows\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-03 15504]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\Malwarebytes' Scheduled Update for Jason.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 16:10]

2008-11-25 c:\windows\Tasks\Norton Security Online - Run Full System Scan - Jason.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 05:39]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 18:52:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\progra~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-11-26 18:55:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-26 22:25:46
ComboFix2.txt 2008-11-26 20:36:41

Pre-Run: 121,218,052,096 bytes free
Post-Run: 121,133,318,144 bytes free

215 --- E O F --- 2008-11-12 23:24:02

Re: Backdoor.Tidserv!inf Problems.
How is everything now?
Log looks clean.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Backdoor.Tidserv!inf Problems.
Looks good! First off, regardless if any of this worked, thanks a lot, this site is a real godsend.

I do have a few questions though: what are those two programs, HijackThis and ComboFix, actually doing? It seems strange for two free programs to be able to get rid of something that has been PLAGUING me for almost 2 months now!

Re: Backdoor.Tidserv!inf Problems.
Hijack This is basically our eyes to see the infection, then we use combofix to take it out. But combofix is extremely powerful and should only be used with supervision.

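Added example, not code from this thread and not part of HijackThis or ComboFix: a small Python triage pass over the kinds of lines the ComboFix log above contains (Run-key autoruns, `R2`/`R3` service entries, the firewall GloballyOpenPorts list, Security Center `DisableMonitoring` values and the "Newly Created Service" marker). The sample log is constructed from a handful of lines modelled on the posted log; the directory whitelist and the 8 KB "small binary" threshold are my own assumptions. Everything it returns is a review item for the helper to look up, not a verdict: the Security Center keys, for instance, are routinely set by a third-party suite such as Norton so that Windows does not raise duplicate alerts, and a 2.5 KB service binary sitting directly in c:\windows is something to identify before anyone decides to remove it.

```python
"""Triage helper for ComboFix-style log fragments (added example)."""
import re
from collections import defaultdict

# Constructed sample, modelled on a few lines of the ComboFix log posted
# above; it is not the full log and the key header lines are abbreviated.
SAMPLE_LOG = r'''
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"CTHelper"="CTHELPER.EXE" [2003-02-20 c:\windows\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16881:TCP"= 16881:TCP:BitTorrent
"80:TCP"= 80:TCP:MSN games port

R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-10-10 2560]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-03 170640]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-03 15504]

*Newly Created Service* - COMHOST
'''

SERVICE_RE = re.compile(r'^R[0-3S]\s+([^;]+);([^;]*);"?(.+?)"?\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
AUTORUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\S+)\]$')
PORT_RE    = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
KEY_RE     = re.compile(r'^\[(.+)\]$')
NEWSVC_RE  = re.compile(r'^\*Newly Created Service\*\s*-\s*(\S+)$')
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')

# Assumption: directories where a service or autorun binary is unremarkable
# on a Windows XP box. Anything elsewhere gets listed for a manual look-up.
EXPECTED_DIRS = ('c:\\program files\\', 'c:\\progra~1\\', 'c:\\windows\\system32\\')
SMALL_BINARY = 8 * 1024   # assumption: service binaries under 8 KB get a second look

def normalise(path):
    """Strip the \\??\\ NT object-manager prefix and lower-case for comparison."""
    if path.startswith('\\??\\'):
        path = path[4:]
    return path.lower()

def triage(log_text):
    """Return {category: [items]} of things an analyst would check by hand."""
    findings = defaultdict(list)
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):              # remember which registry key we are under
            current_key = m.group(1).lower()
            continue
        if DISABLE_RE.match(line) and 'security center' in current_key:
            findings['security_center_monitoring_disabled'].append(current_key)
            continue
        if m := NEWSVC_RE.match(line):
            findings['new_service'].append(m.group(1))
            continue
        if m := PORT_RE.match(line):             # inbound exceptions in the XP firewall
            port, proto, label = m.groups()
            findings['open_port'].append(f'{port}/{proto} ({label.strip()})')
            continue
        if m := SERVICE_RE.match(line):
            name, _desc, path, _date, size = m.groups()
            if not normalise(path).startswith(EXPECTED_DIRS):
                findings['unusual_location'].append(f'service {name}: {path}')
            if int(size) < SMALL_BINARY:
                findings['small_binary'].append(f'service {name}: {size} bytes')
            continue
        if m := AUTORUN_RE.match(line):
            name, path, _date, tail = m.groups()
            # Bare filenames ("CTHELPER.EXE") carry the resolved path in the tail
            # instead of a size, so prefer that when it looks like a path.
            resolved = tail if '\\' in tail else path
            if not normalise(resolved).startswith(EXPECTED_DIRS):
                findings['unusual_location'].append(f'autorun {name}: {resolved}')
    return dict(findings)

if __name__ == '__main__':
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print('   ', item)
```

Run it as-is to see the report for the constructed sample; feed it a saved ComboFix log via `triage(open(path).read())` for a real one. The whitelist deliberately stays short: the point is to surface every path outside the usual program directories, then let the helper decide, which is what the staff here are doing by eye.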

Re: Backdoor.Tidserv!inf Problems.
I have had the tidserv show up in my Norton Scan again...ugh...please help!

Re: Backdoor.Tidserv!inf Problems.
How did that happen? Let me think.
This thread's a little old now, so please start a new thread and post a HijackThis log in the topic.


Re: Backdoor.Tidserv!inf Problems.
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

