Troj/Rustok-N

This is what I got from running the combofix

ComboFix 08-12-28.04 - Joseph 2008-12-29 17:02:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2484 [GMT -5:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
FW: Bitdefender Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 19:36 . 2008-12-28 19:36 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 19:36 . 2008-12-28 19:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 19:09 . 2005-12-06 07:20 d-------- c:\documents and settings\Administrator\Application Data\Creative
2008-12-28 19:09 . 2008-12-28 19:09 d-------- c:\documents and settings\Administrator
2008-12-28 18:04 . 2008-12-28 18:03 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-28 18:03 . 2008-12-28 18:03 d-------- c:\windows\Sun
2008-12-28 18:03 . 2008-12-28 18:10 d-------- c:\documents and settings\Joseph\.housecall6.6
2008-12-28 17:57 . 2008-12-28 19:36 d-------- c:\program files\Java
2008-12-28 17:57 . 2008-12-28 17:57 d-------- c:\program files\Common Files\Java
2008-12-28 10:58 . 2008-12-28 10:58 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-28 10:57 . 2008-12-28 10:57 d-------- c:\windows\ERUNT
2008-12-27 18:59 . 2008-12-27 18:59 d-------- C:\Malwarebytes' Anti-Malware
2008-12-27 18:59 . 2008-12-27 18:59 d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-27 18:59 . 2008-12-27 18:59 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 18:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 18:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 17:17 . 2008-12-27 17:17 d-------- c:\documents and settings\Joseph\Application Data\InstallShield
2008-12-27 11:49 . 2008-12-27 12:19 d-------- C:\iDump
2008-12-27 11:22 . 2008-12-27 11:22 d-------- c:\program files\Common Files\Protexis
2008-12-27 11:20 . 2008-12-27 17:20 d-------- c:\program files\Common Files\Corel
2008-12-27 11:20 . 2008-12-27 17:20 d-------- C:\Corel
2008-12-26 23:10 . 2005-11-21 00:48 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2008-12-26 23:10 . 2005-11-21 00:48 16,512 --a------ c:\windows\system32\drivers\ASPI32.SYS
2008-12-26 23:09 . 2008-12-26 23:10 d-------- C:\DVD to iPod Converter 4
2008-12-26 23:08 . 2008-12-26 23:08 d-------- C:\DVD Decrypter
2008-12-25 20:59 . 2008-12-27 11:27 3,140 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-25 20:59 . 2008-12-27 11:27 88 -r-hs---- c:\documents and settings\All Users\Application Data\72300DC921.sys
2008-12-23 20:38 . 2008-12-27 17:28 3,140 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-23 20:38 . 2008-12-27 17:24 88 -r-hs---- c:\windows\system32\72300DC921.sys
2008-12-23 20:37 . 2008-12-27 17:21 d-------- c:\documents and settings\Joseph\Application Data\Corel
2008-12-23 20:37 . 2008-12-27 11:22 d-------- c:\documents and settings\All Users\Application Data\Corel
2008-12-21 10:54 . 2008-12-21 10:54 d-------- c:\documents and settings\Joseph\Application Data\Snapfish
2008-12-18 20:06 . 2008-12-18 20:06 d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\windows\system32\AGEIA
2008-12-07 21:13 . 2008-12-07 21:18 d-------- c:\windows\NV37763404.TMP
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\program files\AGEIA Technologies
2008-12-07 19:36 . 2008-12-07 19:38 d-------- c:\windows\NV11081104.TMP
2008-12-07 12:28 . 2008-12-07 17:45 d-------- c:\windows\NV9883524.TMP
2008-12-07 12:26 . 2008-12-07 17:45 d-------- c:\windows\NV9882008.TMP
2008-12-03 19:01 . 2008-12-03 19:01 d-------- c:\documents and settings\Joseph\Application Data\CyberLink
2008-12-03 19:01 . 2008-12-03 19:01 d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 18:06 . 2008-12-02 18:06 d-------- c:\program files\Common Files\Adobe AIR
2008-12-02 18:02 . 2008-12-02 18:03 d-------- c:\program files\Common Files\Adobe
2008-11-30 13:22 . 2008-11-30 13:22 d-------- c:\documents and settings\Joseph\Application Data\FaxCtr
2008-11-29 14:02 . 2007-03-30 09:13 344,064 --a------ c:\windows\system32\lxdicoin.dll
2008-11-29 14:02 . 2006-08-01 00:53 40,960 --a------ c:\windows\system32\lxdivs.dll
2008-11-29 14:01 . 2007-03-23 14:44 692,224 --a------ c:\windows\system32\lxdidrs.dll
2008-11-29 14:01 . 2007-02-09 13:07 69,632 --a------ c:\windows\system32\lxdicnv4.dll
2008-11-29 14:01 . 2007-01-23 18:40 65,536 --a------ c:\windows\system32\lxdicaps.dll
2008-11-29 13:59 . 2008-11-29 14:02 d-------- c:\program files\Lexmark 3500-4500 Series

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 21:53 81,984 ----a-w c:\windows\system32\bdod.bin
2008-12-27 02:56 --------- d-----w c:\documents and settings\Joseph\Application Data\Azureus
2008-12-26 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-21 00:34 --------- d-----w c:\program files\Bonjour
2008-12-06 00:10 --------- d-----w c:\program files\Common Files\BitDefender
2008-11-30 18:21 --------- d-----w c:\program files\Lexmark Fax Solutions
2008-11-29 19:04 --------- d-----w c:\documents and settings\Joseph\Application Data\Lexmark Productivity Studio
2008-11-29 18:56 --------- d-----w c:\program files\QuickTime
2008-11-28 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\Creative Labs
2008-11-24 23:52 --------- d-----w c:\program files\Webroot
2008-11-24 23:52 --------- d-----w c:\program files\Common Files\Webroot Shared
2008-11-24 23:52 --------- d-----w c:\documents and settings\Joseph\Application Data\Webroot
2008-11-24 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-11-22 18:51 --------- d-----w c:\documents and settings\Joseph\Application Data\Ahead
2008-11-22 16:03 --------- d-----w c:\program files\Ahead
2008-11-22 16:02 --------- d-----w c:\program files\Common Files\Ahead
2008-11-22 13:29 --------- d-----w c:\program files\Common Files\Nero
2008-11-22 13:29 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-22 12:57 --------- d-----w c:\documents and settings\Joseph\Application Data\Nero
2008-11-21 22:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 22:09 --------- d-----w c:\program files\iPod
2008-11-21 22:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 03:25 --------- d-----w c:\program files\BFG
2008-11-21 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-12 18:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-06 01:55 --------- d-----w c:\program files\Opera
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-08-26 22:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080811\index.dat
2008-08-26 22:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-12-05 368640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Corel File Shell Monitor"="c:\corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"c:\windows\system32\baloon.exe"="c:\windows\system32\baloon.exe" [2008-12-28 110592]
"c:\windows\system32\cfrog.exe"="c:\windows\system32\cfrog.exe" [2008-12-28 25600]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\iTunes\\iTunes.exe"=

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service []
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2008-11-29 99248]
R2 SonyIEx;SonyIEx;c:\windows\system32\SonyIEx.exe [2008-08-10 126976]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-11-24 598856]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-06-02 86792]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe" [2008-08-10 79360]
S3 PciCon;PciCon;\??\E:\PciCon.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.verizon.yahoo.com/
FF - component: c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 17:03:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxkymtaswe.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1368)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2008-12-29 17:03:57
ComboFix-quarantined-files.txt 2008-12-29 22:03:55
ComboFix2.txt 2008-12-29 21:58:16

Pre-Run: 127,757,840,384 bytes free
Post-Run: 127,735,361,536 bytes free

213 --- E O F --- 2008-12-17 21:26:41

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
msqpdxserv.sys

File::
c:\windows\system32\drivers\msqpdxkymtaswe.sys
c:\windows\system32\baloon.exe
c:\windows\system32\cfrog.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\baloon.exe"=-
"c:\windows\system32\cfrog.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

This is what the report says now.

ComboFix 08-12-28.04 - Joseph 2008-12-29 17:56:07.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2436 [GMT -5:00]
Running from: c:\documents and settings\Joseph\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joseph\Desktop\CFscript.txt
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
FW: Bitdefender Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\baloon.exe
c:\windows\system32\cfrog.exe
c:\windows\system32\drivers\msqpdxkymtaswe.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\baloon.exe
c:\windows\system32\cfrog.exe
c:\windows\system32\drivers\msqpdxkymtaswe.sys

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 19:36 . 2008-12-28 19:36 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-28 19:36 . 2008-12-28 19:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-28 19:09 . 2005-12-06 07:20 d-------- c:\documents and settings\Administrator\Application Data\Creative
2008-12-28 19:09 . 2008-12-28 19:09 d-------- c:\documents and settings\Administrator
2008-12-28 18:04 . 2008-12-28 18:03 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-28 18:03 . 2008-12-28 18:03 d-------- c:\windows\Sun
2008-12-28 18:03 . 2008-12-28 18:10 d-------- c:\documents and settings\Joseph\.housecall6.6
2008-12-28 17:57 . 2008-12-28 19:36 d-------- c:\program files\Java
2008-12-28 17:57 . 2008-12-28 17:57 d-------- c:\program files\Common Files\Java
2008-12-28 10:58 . 2008-12-28 10:58 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-28 10:57 . 2008-12-28 10:57 d-------- c:\windows\ERUNT
2008-12-27 18:59 . 2008-12-27 18:59 d-------- C:\Malwarebytes' Anti-Malware
2008-12-27 18:59 . 2008-12-27 18:59 d-------- c:\documents and settings\Joseph\Application Data\Malwarebytes
2008-12-27 18:59 . 2008-12-27 18:59 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 18:59 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-27 18:59 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-27 17:17 . 2008-12-27 17:17 d-------- c:\documents and settings\Joseph\Application Data\InstallShield
2008-12-27 11:49 . 2008-12-27 12:19 d-------- C:\iDump
2008-12-27 11:22 . 2008-12-27 11:22 d-------- c:\program files\Common Files\Protexis
2008-12-27 11:20 . 2008-12-27 17:20 d-------- c:\program files\Common Files\Corel
2008-12-27 11:20 . 2008-12-27 17:20 d-------- C:\Corel
2008-12-26 23:10 . 2005-11-21 00:48 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2008-12-26 23:10 . 2005-11-21 00:48 16,512 --a------ c:\windows\system32\drivers\ASPI32.SYS
2008-12-26 23:09 . 2008-12-26 23:10 d-------- C:\DVD to iPod Converter 4
2008-12-26 23:08 . 2008-12-26 23:08 d-------- C:\DVD Decrypter
2008-12-25 20:59 . 2008-12-27 11:27 3,140 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-25 20:59 . 2008-12-27 11:27 88 -r-hs---- c:\documents and settings\All Users\Application Data\72300DC921.sys
2008-12-24 17:21 . 2008-12-24 17:21 55,296 --a------ c:\windows\system32\msqpdxwbowpdqv.dll
2008-12-23 20:38 . 2008-12-27 17:28 3,140 --ahs---- c:\windows\system32\KGyGaAvL.sys
2008-12-23 20:38 . 2008-12-27 17:24 88 -r-hs---- c:\windows\system32\72300DC921.sys
2008-12-23 20:37 . 2008-12-27 17:21 d-------- c:\documents and settings\Joseph\Application Data\Corel
2008-12-23 20:37 . 2008-12-27 11:22 d-------- c:\documents and settings\All Users\Application Data\Corel
2008-12-21 10:54 . 2008-12-21 10:54 d-------- c:\documents and settings\Joseph\Application Data\Snapfish
2008-12-18 20:06 . 2008-12-18 20:06 d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\windows\system32\AGEIA
2008-12-07 21:13 . 2008-12-07 21:18 d-------- c:\windows\NV37763404.TMP
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-07 21:13 . 2008-12-07 21:13 d-------- c:\program files\AGEIA Technologies
2008-12-07 19:36 . 2008-12-07 19:38 d-------- c:\windows\NV11081104.TMP
2008-12-07 12:28 . 2008-12-07 17:45 d-------- c:\windows\NV9883524.TMP
2008-12-07 12:26 . 2008-12-07 17:45 d-------- c:\windows\NV9882008.TMP
2008-12-03 19:01 . 2008-12-03 19:01 d-------- c:\documents and settings\Joseph\Application Data\CyberLink
2008-12-03 19:01 . 2008-12-03 19:01 d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-12-02 18:06 . 2008-12-02 18:06 d-------- c:\program files\Common Files\Adobe AIR
2008-12-02 18:02 . 2008-12-02 18:03 d-------- c:\program files\Common Files\Adobe
2008-11-30 13:22 . 2008-11-30 13:22 d-------- c:\documents and settings\Joseph\Application Data\FaxCtr
2008-11-29 14:02 . 2007-03-30 09:13 344,064 --a------ c:\windows\system32\lxdicoin.dll
2008-11-29 14:02 . 2006-08-01 00:53 40,960 --a------ c:\windows\system32\lxdivs.dll
2008-11-29 14:01 . 2007-03-23 14:44 692,224 --a------ c:\windows\system32\lxdidrs.dll
2008-11-29 14:01 . 2007-02-09 13:07 69,632 --a------ c:\windows\system32\lxdicnv4.dll
2008-11-29 14:01 . 2007-01-23 18:40 65,536 --a------ c:\windows\system32\lxdicaps.dll
2008-11-29 13:59 . 2008-11-29 14:02 d-------- c:\program files\Lexmark 3500-4500 Series

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 02:56 --------- d-----w c:\documents and settings\Joseph\Application Data\Azureus
2008-12-26 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-21 00:34 --------- d-----w c:\program files\Bonjour
2008-12-06 00:10 --------- d-----w c:\program files\Common Files\BitDefender
2008-11-30 18:21 --------- d-----w c:\program files\Lexmark Fax Solutions
2008-11-29 19:04 --------- d-----w c:\documents and settings\Joseph\Application Data\Lexmark Productivity Studio
2008-11-29 18:56 --------- d-----w c:\program files\QuickTime
2008-11-28 18:20 --------- d-----w c:\documents and settings\All Users\Application Data\Creative Labs
2008-11-24 23:52 --------- d-----w c:\program files\Webroot
2008-11-24 23:52 --------- d-----w c:\program files\Common Files\Webroot Shared
2008-11-24 23:52 --------- d-----w c:\documents and settings\Joseph\Application Data\Webroot
2008-11-24 23:52 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-11-22 18:51 --------- d-----w c:\documents and settings\Joseph\Application Data\Ahead
2008-11-22 16:03 --------- d-----w c:\program files\Ahead
2008-11-22 16:02 --------- d-----w c:\program files\Common Files\Ahead
2008-11-22 13:29 --------- d-----w c:\program files\Common Files\Nero
2008-11-22 13:29 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-11-22 12:57 --------- d-----w c:\documents and settings\Joseph\Application Data\Nero
2008-11-21 22:10 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 22:09 --------- d-----w c:\program files\iPod
2008-11-21 22:09 --------- d-----w c:\program files\Common Files\Apple
2008-11-21 03:25 --------- d-----w c:\program files\BFG
2008-11-21 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-06 01:55 --------- d-----w c:\program files\Opera
2008-08-26 22:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080811\index.dat
2008-08-26 22:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082620080827\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-29_16.57.53.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-29 21:53:16 81,984 ----a-w c:\windows\system32\bdod.bin
+ 2008-12-29 22:56:58 81,984 ----a-w c:\windows\system32\bdod.bin
+ 2008-12-29 22:58:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3ac.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-05-07 312240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-12-05 368640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"Corel File Shell Monitor"="c:\corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\iTunes\\iTunes.exe"=

R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service []
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2008-11-29 99248]
R2 SonyIEx;SonyIEx;c:\windows\system32\SonyIEx.exe [2008-08-10 126976]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-11-24 598856]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2008-06-02 86792]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;"c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe" [2008-08-10 79360]
S3 PciCon;PciCon;\??\E:\PciCon.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-c:\windows\system32\baloon.exe - c:\windows\system32\baloon.exe
HKLM-Run-c:\windows\system32\cfrog.exe - c:\windows\system32\cfrog.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.verizon.yahoo.com/
FF - component: c:\documents and settings\Joseph\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-29 17:59:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1384)
c:\program files\AlienGUIse\fastload.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe
c:\windows\system32\lxdicoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2008\vsserv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-12-29 18:02:52 - machine was rebooted [Joseph]
ComboFix-quarantined-files.txt 2008-12-29 23:02:48
ComboFix2.txt 2008-12-29 22:03:58
ComboFix3.txt 2008-12-29 21:58:16

Pre-Run: 127,731,953,664 bytes free
Post-Run: 127,668,097,024 bytes free

241 --- E O F --- 2008-12-17 21:26:41

Just a leftover to nuke.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :files
  c:\windows\system32\msqpdxwbowpdqv.dll
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

This is what I received after the OTMoveit3

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\msqpdxwbowpdqv.dll
c:\windows\system32\msqpdxwbowpdqv.dll NOT unregistered.
c:\windows\system32\msqpdxwbowpdqv.dll moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_UBmoEPqz4LmZxPYUnYf0 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_UBmoEPqz4LmZxPYUnYf0-journal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_wWcoijyb7z0yaxAfoqfb scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3ac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12292008_182900

Files moved on Reboot...
File C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_UBmoEPqz4LmZxPYUnYf0 not found!
File C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_UBmoEPqz4LmZxPYUnYf0-journal not found!
File C:\DOCUME~1\Joseph\LOCALS~1\Temp\etilqs_wWcoijyb7z0yaxAfoqfb not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_3ac.dat not found!
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\OfflineCache\index.sqlite moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Joseph\Local Settings\Application Data\Mozilla\Firefox\Profiles\gh1mhv4g.default\XUL.mfl moved successfully.

Looks good, what problems remain?

As of now there are no Problems Thank you for the help.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here or here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.