WiredWX Christian Hobby Weather Tools
Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
I uninstalled Spyware Doctor yesterday to install a new version, and as soon as I did that, it seems that all hell broke loose. I got all these crashes and trojans popping up as adware. I couldn't use my machine because everything I did online kept getting redirected to some spam page. I was able to install the new Spyware Doctor again, but my monitoring was disabled.

I decided to go into safe mode and had Malwarebytes installed and updated with the latest definitions. It found like 30 infections. Rebooted, back to safe mode, reran it again, found some more trojans, fixed them. Ran Spyware Doctor, kept finding more spyware, removed them, rebooted. Did the same thing in safe mode, running Malwarebytes a few times and SpyDoctor a few times, and with every run it would find something different.


After all of this last night, this is what I observe.

  1. svchost.exe has two memory 'read' errors at the safe boot startup user login window, twice, causing two beeps. Happens every time and is not detected as a problem by Malwarebytes or SpyDoctor.

    When I log back into the regular Windows mode, I see these pop up all the time:

    dsca.exe application error
    mom.exe application error

    It creates all these tmp files in the c:\windows\temp\ folder and c:\windows\system32 folder.

    My SpyDoctor program always picks up that there's an initial detection of network access that I have to block, coming from "irc.zief.pl".

    As soon as I open up a browser window, eventually my network icon on the taskbar continuously tries to stream something very VERY slowly, even though I'm not doing anything at that point and the webpage I'm visiting has already finished downloading, and my pages are getting redirected to some spam whenever I enter them in. I'm lucky to have gotten to this page to type this message.

    Over the last ten minutes, SpyDoctor has picked up these things and I've had to manually block them:

    mail.virtumundo.com
    stats.peakclick.com
    c-lab.dyndns.info
    207.44.240.65
    dns3.terra.es

    My network is constantly streaming even though I'm not loading anything right now, which shows that it's downloading or uploading from somewhere that I don't know. Need help. Security issue.



HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:40 AM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [HP KEYBOARDg] "C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download Flash with Flash &Grabber - res://C:\PROGRA~1\Flash Grabber\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237734374343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171423935984
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_3.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9804 bytes
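An added example, not code from this thread or from HijackThis, Malwarebytes or DDS: a small Python triage pass over a constructed log excerpt in HijackThis format, assembled from paths that appear across the thread's logs (the combined "diagnostic manager" Run line is constructed for illustration). It flags the cues a helper reads such a log for: a core Windows binary name such as svchost.exe running outside its real directory, lookalike names such as winlognn.exe, executables started from Temp or RECYCLER, and O23 services with an unknown owner or a missing file; "Unknown owner" is a review cue, not a verdict.

```python
import ntpath
import re

# Constructed excerpt: process lines and O4/O23 entries in HijackThis format,
# assembled for illustration from paths that appear across the thread's logs.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\3361\SVCHOST.EXE
C:\WINDOWS\Temp\winlognn.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [diagnostic manager] C:\Documents and Settings\Mike\Local Settings\Temp\320024400.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
"""

# Core Windows binaries whose names malware borrows, mapped to the directory
# the genuine file lives in on Windows XP (all comparisons are lower-case).
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directories a legitimate autorun or service binary has no business living in.
TEMP_MARKERS = (r"\windows\temp", r"\local settings\temp", r"\recycler")

PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:exe|dll|sys|scr))', re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to catch lookalikes such as winlognn.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path):
    """Return (reason, path) findings for one executable path."""
    findings = []
    low = path.lower()
    directory, name = ntpath.split(low)
    if name in CORE_BINARIES:
        if directory != CORE_BINARIES[name]:
            findings.append(("core binary name outside its real directory", path))
    else:
        for real in CORE_BINARIES:
            if levenshtein(name, real) <= 2:
                findings.append((f"name resembles {real}", path))
                break
    if any(marker in low for marker in TEMP_MARKERS):
        findings.append(("executable in a temp or recycler directory", path))
    return findings


def triage(log_text):
    """Walk a HijackThis-style log; return (section, reason, line) review items."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue  # blank line or a section header such as "Running processes:"
        section = line.split(" - ", 1)[0] if re.match(r"O\d+ - ", line) else "process"
        # O23 cues: an owner HijackThis cannot attribute, or a service whose
        # binary is gone. Both merit a look; neither is a verdict on its own.
        if section == "O23" and ("Unknown owner" in line or "(file missing)" in line):
            findings.append((section, "service owner unknown or binary missing", line))
        match = PATH_RE.search(line)
        if match:
            for reason, _ in check_path(match.group(1)):
                findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(HJT_LOG):
        print(f"[{section}] {reason}: {line}")
```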

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Some recent Malwarebytes scans, one after the other, in chronological order from latest to oldest over the past day.

Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 3

4/13/2009 12:32:57 AM
mbam-log-2009-04-13 (00-32-57).txt

Scan type: Quick Scan
Objects scanned: 89954
Time elapsed: 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN8.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 3

4/12/2009 11:54:56 PM
mbam-log-2009-04-12 (23-54-56).txt

Scan type: Quick Scan
Objects scanned: 91576
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 3

4/12/2009 11:41:19 PM
mbam-log-2009-04-12 (23-41-19).txt

Scan type: Quick Scan
Objects scanned: 91776
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-2499693998-431215553-879677990-1007\Dc43.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\restore.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 5.1.2600 Service Pack 3

4/12/2009 8:58:20 PM
mbam-log-2009-04-12 (20-58-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169479
Time elapsed: 2 hour(s), 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ds43g4nfjkn93.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ds43g4nfjkn93.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP93\A0014203.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4B.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uyttdqjr9.ex_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\320024400.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdctxte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Where did you install Spyware Doctor from? Did you download it from their website, or an illegal crack/keygen?

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
I installed it from a website that wasn't from the company, but all there was was a Spyware Doctor trial version install file and a license key provided, that was it; it did not look like any custom install file or anything.

The problem was that I had a similar trojan attack by the Zafi.B worm a few months ago (that you helped me out with), installed Spyware Doctor 6 for Windows over that, and although it fixed that problem, my PC hasn't felt 100% secure since.

I uninstalled it over the weekend to reinstall it with a new SpyDoctor 6.0 version I found, and in between the uninstall of the old one and the install of the new one was when everything started to fall apart.

I just got a blue screen on the PC that's infected, so I'm typing on a different computer. The network connection on the infected one kept on connecting and disconnecting over and over, among all the other observations I originally noted in the first post.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
I installed it from a website that wasn't from the company, but all there was was a Spyware Doctor trial version install file and a license key provided, that was it; it did not look like any custom install file or anything.


That's how you got infected then.

The "key" provided was probably just a bunch of letters/numbers. The file you installed was probably named spywaredoctor6.exe, when really it installs malware.

my PC hasn't felt 100% secure since.


Malware does damage to machines all the time; sometimes we can clean it, sometimes we can't. If you feel unsafe, and have the resources to format your machine, then for your sake of security, I would advise you to do so.

If you can use a USB stick to carry across DDS and run it, we'll see what it says.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
I will probably have to resolve this as best I can, hopefully without a format. Too many years of files and documents to transfer. It would take days to back that up.

Maybe you're right about the Spyware Doctor install file. I just downloaded the actual trial file from the pctools.com website and the file size was 22.5MB, while the file that I have on the infected computer (checked the properties while in safe mode) is 17.5MB.

Okay, I will run DDS and get back to you shortly.

After I run DDS, should I try to see if I can uninstall Spyware Doctor and rerun a Malwarebytes scan after that?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
If Spyware Doctor is on the uninstall list, then uninstall it.
If not, then run MBAM first, and DDS after that.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Damn, it's not recognizing my USB flash drive. It works and is detected on this computer that's not infected, but on the affected one it shows the green arrow in the taskbar, yet no drive letter is loaded or assigned for me to access the USB drive that has DDS on it. I disabled the network connections on the infected machine when I did a normal boot login.

Is there a workaround for this, or a way to enable the USB through the registry or something?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Nope, unless you can try in safe mode.
You may have to use a CD instead.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Wow, so once the USB is disabled, then that's it? Oh my goodness. Isn't there a way to detect and enable the service that's preventing Windows from mounting a drive letter?

I just uninstalled Spyware Doctor and I'm running Malwarebytes right now. I might enable the network connections on that infected machine so that I can get DDS onto the infected machine, run it, and see if there's anything you can do.

Without the USB, this is terrible; that means all of my personal files are trapped on the laptop.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc
Currently on the infected machine.

DDS file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mike at 14:40:13.42 on Mon 04/13/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.391 [GMT -7:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
uSearch Bar =
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP KEYBOARDg] "c:\program files\hewlett-packard\hp wireless elite desktop\HPKEYBOARDg.EXE"
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash &Grabber - c:\progra~1\flash grabber\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237734374343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171423935984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\sinehotu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\8y4k1ogv.default user\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 IOPort;IOPort;c:\windows\system32\drivers\IOPORT.SYS [2008-2-29 6144]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 33792]
S3 at1394;at1394; [x]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [2008-6-24 65024]
S3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\windows\system32\drivers\kwflower.sys --> c:\windows\system32\drivers\kwflower.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-27 1251720]

=============== Created Last 30 ================

2009-04-13 14:36 --d----- c:\windows\system32\NtmsData
2009-04-12 17:23 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-12 10:44 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-12 10:43 18,190,616 a------- c:\documents and settings\mike\xwrYuByN.exe
2009-04-12 10:43 49,152 a------- c:\documents and settings\mike\tZbYrY.exe
2009-04-12 10:39 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-12 10:21 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-12 10:21 989,696 a------- c:\windows\system32\kernel32_check.dll
2009-04-12 10:21 10,240 a------- c:\windows\system32\Packer.dll
2009-04-12 10:21 9 a------- c:\windows\system32\riphy.dll
2009-04-12 10:21 9 a------- c:\windows\system32\iphy.dll
2009-04-12 10:21 3 a------- c:\windows\system32\fhpatch.dll
2009-04-12 10:20 --d----- c:\windows\system32\3361
2009-04-12 10:20 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-12 10:20 --d----- c:\windows\dhcp
2009-04-12 10:20 --dshr-- c:\program files\ThunMail
2009-04-12 10:20 21,704 a------- c:\windows\system32\kk.exe
2009-04-12 10:20 18,190,616 a------- c:\documents and settings\mike\bwDYGc.exe
2009-04-12 10:20 49,152 a------- c:\documents and settings\mike\YEgCWdu.exe
2009-03-22 08:17 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-22 08:04 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-04-12 17:20 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-12 17:20 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-02-04 00:27 3,488,768 a------- c:\windows\system32\dllcache\ati2mtag.sys
2009-02-03 22:57 11,702,272 a------- c:\windows\system32\atioglxx.dll
2009-02-03 22:05 614,400 -------- c:\windows\system32\ati2sgag.exe
2009-02-03 22:03 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-03 21:56 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-03 21:55 324,096 a------- c:\windows\system32\ati2dvag.dll
2009-02-03 21:44 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-02-03 21:44 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-03 21:43 45,568 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-03 21:43 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-03 21:43 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-03 21:41 622,592 a------- c:\windows\system32\ati2evxx.exe
2009-02-03 21:40 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-03 21:30 3,884,768 a------- c:\windows\system32\ati3duag.dll
2009-02-03 21:14 2,645,504 a------- c:\windows\system32\ativvaxx.dll
2009-02-03 20:58 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-03 20:54 471,040 a------- c:\windows\system32\atikvmag.dll
2009-02-03 20:53 122,880 a------- c:\windows\system32\atiadlxx.dll
2009-02-03 20:52 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-03 20:46 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-03 20:44 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-03 19:43 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-03 19:42 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-03 19:40 3,244,032 a------- c:\windows\system32\aticaldd.dll
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2007-11-12 19:37 60,968 a------- c:\documents and settings\mike\GoToAssistDownloadHelper.exe
2007-10-14 12:52 90 a------- c:\docume~1\mike\applic~1\wklnhst.dat
2008-11-08 21:23 930,203 a--sh--- c:\windows\system32\KUtDdJlm.ini2
2008-05-17 15:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 14:40:22.53 ===============

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

[screenshot: Untitl10]

[screenshot: Untitl11]

[screenshot: Untitl12]

[screenshot: Untitl13]

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

Not good.

You are infected with Virut. A file infector, it's infected all your executable files (.exe and .scr).

See here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
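The file-infector point above is visible in the ComboFix log posted later in this thread: the "Sigcheck" section lists the same system file in several places (the loaded copy in system32, the Windows File Protection copy in dllcache, the service-pack install source in ServicePackFiles\i386, and old backups), and for svchost.exe, ndis.sys, userinit.exe and kernel32.dll the loaded copy no longer matches the reference. The script below is an added example, not ComboFix's or the forum's own code: it parses Sigcheck lines, groups copies by file name, and reports every loaded copy whose MD5 differs from the service-pack reference. It assumes a default XP layout with the system root at c:\windows, parses but does not interpret ComboFix's bracketed [7]/[-] markers (the page does not explain them), and uses MD5 only because that is what the log carries. The sample input takes the real lines from the log plus one constructed, clean notepad.exe pair (made-up hash) so the no-finding case is exercised too.

```python
r"""Added example (not ComboFix's or the forum's code): compare each loaded
Windows system file against its service-pack reference copy using the
'Sigcheck' lines ComboFix prints, e.g.
    [-] 2008-04-14 12:42 33792 27A3A3509F666C6E5C6E416D6F314558 c:\windows\system32\svchost.exe
The bracketed marker is parsed but not interpreted."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One Sigcheck line: [marker] date time size md5 path
SIGCHECK_RE = re.compile(
    r"^\[(?P<marker>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

# Assumption: default XP layout with the system root at c:\windows.
WINDIR = "c:\\windows"
LIVE_DIRS = {WINDIR, WINDIR + "\\system32", WINDIR + "\\system32\\drivers"}


def parse_sigcheck(text):
    """Return one dict per parsable Sigcheck line; blank and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def role(path):
    """Classify a copy: 'live' (what Windows loads), 'reference' (service-pack
    install source), 'cache' (Windows File Protection copy) or 'other' (old backups)."""
    parent = str(PureWindowsPath(path).parent).lower()
    if parent.endswith("\\servicepackfiles\\i386"):
        return "reference"
    if parent.endswith("\\dllcache"):
        return "cache"
    if parent in LIVE_DIRS:
        return "live"
    return "other"  # $NtServicePackUninstall$, $hf_mig$, $NtUninstallKB...$


def find_modified(entries):
    """Group copies by file name and report live copies whose MD5 differs from
    the reference. ServicePackFiles/i386 is preferred as reference; dllcache is
    the fallback, but a file infector can patch that copy too (the ndis.sys
    lines in the log show exactly that), so the result also records whether
    the cache copy still agrees with the reference."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)

    findings = {}
    for name, copies in sorted(by_name.items()):
        groups = {r: [c for c in copies if role(c["path"]) == r]
                  for r in ("reference", "cache", "live")}
        ref = (groups["reference"] or groups["cache"] or [None])[0]
        if ref is None:
            continue  # nothing trustworthy to compare against
        mismatches = [c["path"] for c in groups["live"] if c["md5"] != ref["md5"]]
        if not mismatches:
            continue
        findings[name] = {
            "reference": ref["path"],
            "live_mismatches": mismatches,
            "size_differs": any(c["size"] != ref["size"] for c in groups["live"]),
            "cache_matches_reference": all(c["md5"] == ref["md5"] for c in groups["cache"]),
            "reference_is_cache_only": not groups["reference"],
        }
    return findings


# Sample input: the svchost.exe, ndis.sys, kernel32.dll and userinit.exe lines
# from the ComboFix log in this thread, plus a constructed clean notepad.exe
# pair (made-up hash) to show the no-finding case.
SAMPLE_LOG = """\
[-] 2004-08-04 11:00 33792 7505E5998B63590FA3A50ED9E923D7A5 c:\\windows\\$NtServicePackUninstall$\\svchost.exe
[-] 2008-04-14 12:42 33792 9B2E776F5D9EC1A2FE3FC48D4A0CFF8F c:\\windows\\ServicePackFiles\\i386\\svchost.exe
[-] 2008-04-14 12:42 33792 27A3A3509F666C6E5C6E416D6F314558 c:\\windows\\system32\\svchost.exe

[7] 2008-04-14 07:50 182656 1DF7F42665C94B825322FAE71721130D c:\\windows\\ServicePackFiles\\i386\\ndis.sys
[-] 2009-04-13 00:20 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\\windows\\system32\\dllcache\\ndis.sys
[-] 2009-04-13 00:20 213120 1CD9BDD460658BB768618AF445B4A1C4 c:\\windows\\system32\\drivers\\ndis.sys

[7] 2008-04-14 12:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\\windows\\ServicePackFiles\\i386\\kernel32.dll
[-] 2009-04-13 00:20 989696 93D8DC70F4F82A38D044FD84BA2514B1 c:\\windows\\system32\\kernel32.dll
[7] 2008-04-14 12:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\\windows\\system32\\dllcache\\kernel32.dll

[-] 2008-04-14 12:42 45568 159013203C08417340F013C71C2F5F37 c:\\windows\\ServicePackFiles\\i386\\userinit.exe
[-] 2008-04-14 12:42 45568 B217EDB6C237F58557117DBCA6EBFF35 c:\\windows\\system32\\userinit.exe

[-] 2008-04-14 12:42 69120 0123456789ABCDEF0123456789ABCDEF c:\\windows\\ServicePackFiles\\i386\\notepad.exe
[-] 2008-04-14 12:42 69120 0123456789ABCDEF0123456789ABCDEF c:\\windows\\system32\\notepad.exe
"""


def main():
    findings = find_modified(parse_sigcheck(SAMPLE_LOG))
    for name, f in findings.items():
        note = " (size differs)" if f["size_differs"] else ""
        print(f"{name}: loaded copy differs from {f['reference']}{note}")
        if not f["cache_matches_reference"]:
            print("  dllcache copy is modified as well; do not use it as a reference")


if __name__ == "__main__":
    main()
```

A mismatch only says the loaded copy is not the service-pack build; it does not say the reference itself is clean, and a match against dllcache alone is worth little once the cache has been patched (ndis.sys here has a different size in both places). That is why the check supports, rather than replaces, the reformat advice given above.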

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

I don't get what's spawning all of this. It seems like every time these apps detect something, it supposedly removes it, forces me to restart, then when I rescan again, it's there again.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

Belahzur,

I need your help. Don't tell me I have to reformat everything. Is there no way I can get my files off the hard drive? That's years of data, and this laptop unit that I'm using can only store on 650 CDs; that's not going to be possible to do.

Please tell me there are some options or ways you can get rid of this.

Last edited by mike69 on 13th April 2009, 10:18 pm; edited 1 time in total

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

Nope, sorry. We'll see what this says.


  • Download combofix from here
    Link 1
    Link 2
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Site Admin / Security Administrator

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

You mean not even an sfc scan will be able to revive these files?

What if I backed up my registry before all of this began? Would importing that help?

I want to at least bypass some time to get my USB ports functional again so that I can transfer my files out to an external drive instead of burning CDs one after the other.

I'm running ComboFix right now, will update in a bit.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

Nope, none of that would work.

Site Admin / Security Administrator

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

ComboFix just installed the Recovery Console (I had to open up the network connection again) and was about to scan for malware when it detected a few things in the windows\system32 folder, and a window popped up forcing a restart.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

At this point, I'm going to see what ComboFix can do.

I'm willing to reformat, but I just want to get my USB ports enabled, up and running to quickly transfer personal files over (over 3 GB).

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

ComboFix log
ComboFix 09-04-13.A2 - Mike 2009-04-13 15:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.583 [GMT -7:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike\Application Data\IUpd721
c:\documents and settings\Mike\Application Data\IUpd721\Logs\scns.log
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Install.txt
c:\windows\msvrc20.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\ovfsthletnosvxswprwkmovpepxutlraxrmbft.sys
c:\windows\system32\drt
c:\windows\system32\fhpatch.dll
c:\windows\system32\Install.txt
c:\windows\system32\IPHACTION.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\kernel32_check.dll
c:\windows\system32\KUtDdJlm.ini
c:\windows\system32\KUtDdJlm.ini2
c:\windows\system32\m3.dll
c:\windows\system32\MX5
c:\windows\system32\ovfsthdsnwgupmmhwpxgemgsxyitelpxyqbpot.dll
c:\windows\system32\ovfsthilxetfqgnxbrbcauafqqmiyasmkymrqr.dat
c:\windows\system32\ovfsthiqjrgmeoyfuexxtdmbxaeqdksdljlklr.dll
c:\windows\system32\ovfsthnioqmiaqahyotobvkilttitlttjlnkvw.dat
c:\windows\system32\ovfsthywvktrhfuhdofmiduvrrqhxlyijqbqxg.dll
c:\windows\system32\riphy.dll
c:\windows\system32\svm
c:\windows\system32\u2
c:\windows\system32\uzuyikud.ini
c:\windows\system32\zb

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthabdmycpyrjntydepcbvpiewbmurterim
-------\Legacy_AFISICX
-------\Legacy_AT1394
-------\Legacy_IAS
-------\Legacy_SOPIDKC
-------\Legacy_TDCTXTE
-------\Service_at1394
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-12 17:44 . 2009-04-13 21:13 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-12 17:43 . 2009-04-12 17:44 18190616 ----a-w c:\documents and settings\Mike\xwrYuByN.exe
2009-04-12 17:43 . 2009-04-12 17:43 49152 ----a-w c:\documents and settings\Mike\tZbYrY.exe
2009-04-12 17:21 . 2009-04-13 00:20 61440 ----a-w c:\windows\system32\tcpd.exe
2009-04-12 17:21 . 2009-04-13 00:20 10240 ----a-w c:\windows\system32\Packer.dll
2009-04-12 17:20 . 2009-04-13 03:58 -------- d-----w c:\windows\system32\3361
2009-04-12 17:20 . 2009-04-12 17:20 108336 ----a-w c:\windows\system32\MSWINSCK.OCX
2009-04-12 17:20 . 2009-04-13 19:27 -------- d-----w c:\windows\dhcp
2009-04-12 17:20 . 2009-04-10 22:00 21704 ----a-w c:\windows\system32\kk.exe
2009-04-12 17:20 . 2009-04-12 17:20 18190616 ----a-w c:\documents and settings\Mike\bwDYGc.exe
2009-04-12 17:20 . 2009-04-12 17:20 49152 ----a-w c:\documents and settings\Mike\YEgCWdu.exe
2009-03-22 15:17 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-03-22 15:04 . 2008-10-16 21:07 23576 ----a-w c:\windows\system32\wuapi.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 22:30 . 2009-04-13 00:20 16384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2009-04-13 22:30 . 2009-04-13 07:11 98304 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041320090414\index.dat
2009-04-13 22:21 . 2009-04-13 22:20 2032 ----a-w C:\avenger.txt
2009-04-13 21:43 . 2009-04-13 15:50 32768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
2009-04-13 21:13 . 2007-05-25 14:44 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-13 07:11 . 2009-04-13 07:11 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040620090413\index.dat
2009-04-13 00:20 . 2008-11-19 05:09 -------- d-----w c:\program files\Unlocker
2009-04-13 00:20 . 2009-04-12 17:20 -------- d-sh--r c:\program files\ThunMail
2009-04-13 00:20 . 2004-08-10 18:51 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-13 00:20 . 2004-08-10 18:51 213120 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-04-11 18:32 . 2008-11-09 05:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 14:32 . 2007-01-27 08:50 -------- d-----w c:\program files\Java
2009-04-06 22:32 . 2008-11-09 05:57 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-11-09 05:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 16:24 . 2008-05-12 03:58 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-09 12:19 . 2008-12-03 18:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 19:06 . 2009-03-07 19:06 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-03-07 19:03 . 2007-01-27 08:53 -------- d-----w c:\program files\ATI Technologies
2009-03-07 18:43 . 2009-03-07 18:43 -------- d-----w c:\program files\AMD
2009-03-07 18:34 . 2009-03-07 18:34 -------- d-----w c:\program files\DIFX
2009-03-07 01:16 . 2007-02-04 02:54 -------- d-----w c:\program files\Winamp
2009-02-15 09:18 . 2007-01-27 09:06 -------- d-----w c:\program files\Google
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 . 2004-08-10 18:51 1846784 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-02-04 07:27 . 2007-01-27 08:33 3488768 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2009-02-04 05:57 . 2007-01-27 08:33 11702272 ----a-w c:\windows\system32\atioglxx.dll
2009-02-04 05:05 . 2008-12-12 19:37 614400 ------w c:\windows\system32\ati2sgag.exe
2009-02-04 05:03 . 2008-12-01 19:50 290816 ----a-w c:\windows\system32\atiok3x2.dll
2009-02-04 04:56 . 2008-12-01 20:52 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-02-04 04:55 . 2007-01-27 08:33 324096 ----a-w c:\windows\system32\ati2dvag.dll
2009-02-04 04:44 . 2007-01-27 08:33 196608 ----a-w c:\windows\system32\atipdlxx.dll
2009-02-04 04:44 . 2007-01-27 08:33 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-02-04 04:43 . 2007-01-27 08:33 45568 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-02-04 04:43 . 2007-01-27 08:33 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-02-04 04:43 . 2007-01-27 08:33 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-02-04 04:41 . 2007-01-27 08:33 622592 ----a-w c:\windows\system32\ati2evxx.exe
2009-02-04 04:40 . 2007-01-27 08:33 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-02-04 04:30 . 2007-01-27 08:33 3884768 ----a-w c:\windows\system32\ati3duag.dll
2009-02-04 04:14 . 2007-01-27 08:33 2645504 ----a-w c:\windows\system32\ativvaxx.dll
2009-02-04 03:58 . 2008-12-01 19:57 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-02-04 03:54 . 2007-01-27 08:33 471040 ----a-w c:\windows\system32\atikvmag.dll
2009-02-04 03:53 . 2008-12-01 19:52 122880 ----a-w c:\windows\system32\atiadlxx.dll
2009-02-04 03:52 . 2007-01-27 08:33 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-02-04 03:46 . 2007-01-27 08:33 626688 ----a-w c:\windows\system32\ati2cqag.dll
2009-02-04 03:44 . 2007-01-27 08:33 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-02-04 02:43 . 2009-02-04 02:43 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-02-04 02:42 . 2009-02-04 02:42 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-02-04 02:40 . 2009-02-04 02:40 3244032 ----a-w c:\windows\system32\aticaldd.dll
2009-01-17 04:35 . 2004-08-10 18:51 3594752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-11 22:30 . 2007-02-03 20:12 70640 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-19 04:10 . 2007-03-11 02:38 70640 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-08 23:54 . 2007-03-03 20:04 70640 ----a-w c:\documents and settings\Chuong\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-13 02:37 . 2007-11-13 02:37 60968 ----a-w c:\documents and settings\Mike\GoToAssistDownloadHelper.exe
2007-10-14 19:52 . 2007-10-14 19:52 90 ----a-w c:\documents and settings\Mike\Application Data\wklnhst.dat
2007-03-11 02:39 . 2007-03-11 02:38 128 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2007-03-03 20:05 . 2007-03-03 20:04 129 ----a-w c:\documents and settings\Chuong\Local Settings\Application Data\fusioncache.dat
2007-02-14 17:18 . 2008-11-19 02:48 66416 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-14 17:18 . 2007-09-13 16:50 66416 ----a-w c:\documents and settings\MICHAEL\ASPNET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-03 20:13 . 2007-02-03 20:12 127 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\fusioncache.dat
2007-01-27 09:17 . 2007-02-03 20:10 65584 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-01-27 08:59 . 2008-11-19 02:48 128 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2007-01-27 08:59 . 2007-09-13 16:50 128 ----a-w c:\documents and settings\MICHAEL\ASPNET\Local Settings\Application Data\fusioncache.dat
2007-01-27 08:59 . 2007-02-03 20:10 128 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[-] 2004-08-04 11:00 33792 7505E5998B63590FA3A50ED9E923D7A5 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 12:42 33792 9B2E776F5D9EC1A2FE3FC48D4A0CFF8F c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 12:42 33792 27A3A3509F666C6E5C6E416D6F314558 c:\windows\system32\svchost.exe

[7] 2004-08-04 11:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-14 07:50 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2009-04-13 00:20 213120 D9C9981C9E83DB13FFC803AEDF5CB57E c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-13 00:20 213120 1CD9BDD460658BB768618AF445B4A1C4 c:\windows\system32\drivers\ndis.sys

[-] 2008-04-14 12:42 1053184 69C574E5C5BBDBAB2376F4AD34547BA7 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1052672 0DEBF78C6B5FA14F45AA67803B23CBAE c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1052672 BB0577101F9C036BD03EE0E69A334065 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-04 11:00 1051648 F41A1A417BA077E1950F4E195553F042 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 12:42 1053184 E7E313A9D71936DA1B82CD28C9A6DB9D c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 12:42 1053184 DCDE3C6D2D32088B22889AE949C6F706 c:\windows\system32\dllcache\explorer.exe

[-] 2004-08-04 11:00 34816 40C88C2F8AA0FEF5C10C7C454585E2AF c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 12:42 34816 6ED13A9FC767E7638E59AA1EDE62211B c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 12:42 34816 075F3092526399E5CA5144DD2FE90D84 c:\windows\system32\ctfmon.exe
[-] 2008-04-14 12:42 34816 4E3DC653798C0158BD29CC4386B9FB00 c:\windows\system32\dllcache\ctfmon.exe

[-] 2005-06-11 00:17 77312 4CDFC6C7FF2CB2B2482B89EEF4D36623 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 77312 366818952D24D0BA1C45AE1FE66CAD56 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2008-04-14 12:42 77312 60C92789C77D349578DA921F69AB807E c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 12:42 77312 417B666B3DC68165F4AAC9466F870065 c:\windows\system32\spoolsv.exe
[-] 2008-04-14 12:42 77312 366C9CF98F084D9F8DB2C402BE64FA64 c:\windows\system32\dllcache\spoolsv.exe

[-] 2004-08-04 11:00 44032 6DF87146ED20F56C08AE4EB9E97FF6E6 c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 12:42 45568 159013203C08417340F013C71C2F5F37 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 12:42 45568 B217EDB6C237F58557117DBCA6EBFF35 c:\windows\system32\userinit.exe
[-] 2008-04-14 12:42 45568 A5DAB2E2F14630C8C6C0D2BD48B5B6EE c:\windows\system32\dllcache\userinit.exe

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 12:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-04-13 00:20 989696 93D8DC70F4F82A38D044FD84BA2514B1 c:\windows\system32\kernel32.dll
[7] 2008-04-14 12:41 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurkin

ComboFix log, 2nd half


.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1714176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 782427]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1413120]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 503808]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 36864]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 425984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 434176]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"HP KEYBOARDg"="c:\program files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE" [2008-08-07 486672]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1212416]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-03 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1596656]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MFZ0"= MyFlashZip0.ax

[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^BUFFALO Power Save Utility for HD.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\BUFFALO Power Save Utility for HD.lnk
backup=c:\windows\pss\BUFFALO Power Save Utility for HD.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 19:29 69632 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 TfFsMon;TfFsMon; [x]
R0 TfSysMon;TfSysMon; [x]
R3 kvpndev;Kerio VPN adapter;c:\windows\system32\DRIVERS\kvpndrv.sys [2008-06-24 65024]
R3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer; [x]
R3 pctplsg;pctplsg; [x]
R3 restore;restore; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
R3 TfNetMon;TfNetMon; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-09-03 55024]
S2 IOPort;IOPort;c:\windows\system32\DRIVERS\IOPORT.SYS [2001-03-01 6144]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72a24861-a123-11dc-9acf-00038a000015}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - utdetect.com
\Shell\open\Command - utdetect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5a07740-7c52-11dc-9aae-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL CAISS/CAInstallationMenu.html
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\hssozkev.job
- c:\windows\system32\jkkKbYpM.dll []

2009-04-13 c:\windows\Tasks\kgtzqlqt.job
- c:\windows\system32\tuvwUkHy.dll []

2009-04-13 c:\windows\Tasks\qdemcmdd.job
- c:\windows\system32\geBsPJBs.dll []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download Flash with Flash &Grabber - c:\progra~1\Flash Grabber\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\8y4k1ogv.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 15:31
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\Temp\BN1.tmp
c:\program files\Internet Explorer\iexplore.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
.
**************************************************************************
.
Completion time: 2009-04-13 15:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 22:35

Pre-Run: 4,423,110,656 bytes free
Post-Run: 3,836,018,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

313 --- E O F --- 2009-04-13 15:46
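The log above carries several of the indicators a removal helper reads off by eye: a Winlogon Userinit value that is not the stock userinit.exe, MountPoints2 AutoRun/open/explore verbs that launch a bare .com file from a mounted drive, a scheduled task with an eight-letter random name pointing at an equally random system32 DLL with no version info, a process running out of c:\windows\Temp, and a user-mode hook on ntdll!ZwOpenFile reported by catchme. The Python below is an added example (not part of the thread, not ComboFix, not any tool named here) that encodes those checks as triage heuristics and runs them over an excerpt copied from the log. The rule names and thresholds are assumptions of mine, and the random-name test is a heuristic that can misfire on terse legitimate driver names, so it feeds a finding to look at, never an automatic fix.

```python
# Triage heuristics for a ComboFix-style log. Added example, not code from
# the thread, ComboFix or any tool named in it; rules and thresholds are mine.
import re

# Excerpt of the ComboFix log from the post above (copied, not constructed).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72a24861-a123-11dc-9acf-00038a000015}]
\Shell\AutoRun\command - ntdelect.com
\Shell\explore\Command - utdetect.com
\Shell\open\Command - utdetect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5a07740-7c52-11dc-9aae-00038a000015}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL CAISS/CAInstallationMenu.html

2009-04-13 c:\windows\Tasks\hssozkev.job
- c:\windows\system32\jkkKbYpM.dll []

detected NTDLL code modification:
ZwOpenFile

c:\windows\Temp\BN1.tmp
"""

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe,"  # stock Windows XP value
VOWELS = set("aeiou")

def longest_consonant_run(s):
    best = cur = 0
    for c in s:
        cur = cur + 1 if c not in VOWELS else 0
        best = max(best, cur)
    return best

def looks_random(stem):
    """Generated-name heuristic (hssozkev, jkkKbYpM): letters only and either
    almost no vowels or a long consonant run. Can misfire on terse driver names."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(c in VOWELS for c in s) / len(s) <= 0.25 or longest_consonant_run(s) >= 4

def triage(log_text):
    """Return (severity, rule, detail) tuples; severity is 'high' or 'info'."""
    findings, section, pending_job = [], "", None
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if not line:
            pending_job = None
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()  # registry key the following values belong to
            continue
        # Winlogon\Userinit: anything but userinit.exe runs before the shell on every logon.
        m = re.match(r'"userinit"="(.*)"$', line, re.I)
        if m and "winlogon" in section:
            value = m.group(1).strip().lower()
            if value != USERINIT_DEFAULT:
                findings.append(("high", "winlogon-userinit", f"Userinit is {value!r}, expected {USERINIT_DEFAULT!r}"))
            continue
        # MountPoints2: cached autorun.inf verbs for drives that have been plugged in.
        m = re.match(r"\\Shell\\(\w+)\\command\s+-\s+(.*)$", line, re.I)
        if m and "mountpoints2" in section:
            verb, cmd = m.group(1).lower(), m.group(2).strip()
            target = cmd.split()[0].lower()
            if "\\" not in target and re.search(r"\.(com|exe|bat|cmd|pif|scr)$", target):
                findings.append(("high", "mountpoints2-autorun", f"{verb} launches bare {target!r} from the drive root"))
            else:
                findings.append(("info", "mountpoints2-autorun", f"{verb}: {cmd}"))
            continue
        # Scheduled tasks: a .job line is followed by "- <target> [<version info>]".
        m = re.match(r"\d{4}-\d{2}-\d{2}\s+.*\\tasks\\([^\\]+)\.job$", line, re.I)
        if m:
            pending_job = m.group(1)
            continue
        if pending_job and line.startswith("- "):
            path, _, info = line[2:].strip().partition(" ")
            stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
            reasons = [why for ok, why in ((looks_random(pending_job), "random job name"),
                                           (looks_random(stem), "random target name"),
                                           (ext.lower() == "dll" and info.strip() == "[]", "DLL target with no version info")) if ok]
            if reasons:
                findings.append(("high", "scheduled-task", f"{pending_job}.job -> {path} ({', '.join(reasons)})"))
            pending_job = None
            continue
        # Running processes: nothing legitimate should execute out of a Temp directory.
        if re.match(r"[a-z]:\\", line, re.I) and re.search(r"\\temp\\|\.tmp$", line, re.I):
            findings.append(("high", "temp-process", f"process running from a temp location: {line}"))
        # catchme: a patched ntdll export means something filters file access in user mode.
        elif line.lower().startswith("detected ntdll code modification"):
            hooked = lines[i + 1].strip() if i + 1 < len(lines) else "(unnamed)"
            findings.append(("high", "ntdll-hook", f"user-mode hook on ntdll!{hooked}"))
    return findings

if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f"[{severity:<4}] {rule}: {detail}")
```

Run as a script it prints seven high-severity findings and one informational one for the excerpt; the informational item is the vendor's RunDLL32 autorun menu, which has a full path to a Windows binary and is a different thing from a bare ntdelect.com at the root of a drive.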

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Hello.
Sorry, but can we stop now? Lots of other files are infected too; we're fighting against a brick wall here. Even if we try to kill it, the infected Windows files will regenerate it all again.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

I understand Belahzur.

Well, some good news in a sense.

For some reason, my flash drive was not able to boot into the infected computer to show up as a drive, but my external hard drive was able to boot up to a drive letter.

I'm currently copying my documents and other files; it will take about half an hour.

In the meantime, based on analyzing these results from DDS and ComboFix and the others, could you tell me:

1) Which files or folder sources SHOULD I NOT carry over to the external hard drive?

2a) What is the process of formatting the hard drive and reinstalling from scratch?

2b) Does the Windows OS CD have a built-in format that behaves exactly the same way as booting into DOS and doing a format?

2c) What format should it be formatted under?

3) Could Internet Explorer or Mozilla bookmarks carry over traces of the virus, where I cannot back those up and should leave them discarded?

4) You mentioned that even after reformatting and reinstalling Windows, for anything I do, I have to change passwords on another computer. Why? If this is a brand new install, why should we have to worry about that?

5) Do we really have to change EVERYTHING?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

1. Don't carry over any EXE/SCR/HTML/HTM/PHP/ASP files. Anything aside from them is fine.

2. If you read some links from my last post on page 1, they'll help you understand in more detail.

2b. When you boot from disc, you have several different options (repair, format, delete partitions). Again, all this information is in the links provided.

2c. Formatted under? As in file format? By default, it should be NTFS.

3. Bookmarks could be infected; ditch all of them.

4. Virut has backdoor capabilities and allows hackers to keylog. In doing so, they have access to your bank information (if you have bought anything online from eBay, PayPal, Amazon, etc.).

5. Yep, everything has to go.

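As an added example (not code from the thread), here is the reply's "don't carry over EXE/SCR/HTML/HTM/PHP/ASP" rule applied to a backup tree mechanically rather than by eye. The extension list is the reply's; everything beyond it is an assumption of mine: autorun.inf and .com are skipped because the ComboFix log's MountPoints2 entries show exactly that pair being used from a mounted drive, hidden files are skipped because user documents are not normally hidden, and the last extension decides, so Invoice.pdf.exe is treated as an executable. build_demo_tree creates a constructed stand-in for a My Documents folder so the script runs offline; on Windows the hidden attribute is read from the file, elsewhere a leading dot stands in for it.

```python
# Apply the "don't carry over EXE/SCR/HTML/HTM/PHP/ASP" rule from the reply
# above to a backup tree mechanically. Added example, not code from the thread.
# Additions beyond the reply's list are marked as assumptions.
import os
import stat
import tempfile

DO_NOT_COPY = {".exe", ".scr", ".html", ".htm", ".php", ".asp"}  # the reply's list
DO_NOT_COPY |= {".com"}              # assumption: the log's MountPoints2 verbs ran .com files
DO_NOT_COPY_NAMES = {"autorun.inf"}  # assumption: the drive-root file that launches them

def classify(name, hidden=False):
    """Return ('copy' | 'skip', reason) for one file name; the last extension decides."""
    lower = name.lower()
    if hidden:
        return "skip", "hidden attribute set; user documents are not normally hidden"
    if lower in DO_NOT_COPY_NAMES:
        return "skip", "removable-drive autorun file"
    ext = os.path.splitext(lower)[1]
    if ext in DO_NOT_COPY:
        return "skip", f"{ext} is on the do-not-copy list"
    return "copy", "data file"

def is_hidden(path):
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows only; 0 elsewhere
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")

def plan_backup(root):
    """Walk root and split files into (copy, skip) lists of (relative path, reason)."""
    copy, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            decision, reason = classify(name, is_hidden(full))
            (copy if decision == "copy" else skip).append((os.path.relpath(full, root), reason))
    return sorted(copy), sorted(skip)

def build_demo_tree():
    """Constructed stand-in for the user's My Documents folder (contents are dummies)."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    samples = {
        "taxes/2008 return.pdf": b"%PDF-1.4 demo",
        "letters/Resume.DOC": b"demo",
        "web/index.html": b"<html>demo</html>",
        "downloads/setup.exe": b"MZ demo",
        "downloads/Invoice.pdf.exe": b"MZ demo",                # double extension, still an .exe
        "autorun.inf": b"[autorun]\r\nopen=ntdelect.com\r\n",  # mirrors the log's MountPoints2 verb
        ".Thumbs.db": b"demo",                                  # dot prefix stands in for the hidden bit off Windows
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    copy, skip = plan_backup(build_demo_tree())
    for rel, reason in copy:
        print(f"COPY {rel}")
    for rel, reason in skip:
        print(f"SKIP {rel}: {reason}")
```

The decision is made on the name only, so a data file that a file infector has renamed or that carries a payload inside a document format still passes; the reply's advice to scan the copied files on the rebuilt machine stands.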

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Regarding response 4)

1) Even if I didn't log into any of those banking or purchasing services during the time of this massive virus issue over the past couple of days, they still have access to the login information somehow?

Last edited by mike69 on 13th April 2009, 11:56 pm; edited 2 times in total

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

There's no telling how long this malware has been sitting on your machine. If you want to risk not changing your passwords, then you put yourself at risk.

Formatting is the only way out, once a backdoor is opened, it can't be closed without formatting. They can't trace you anymore once you format.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

2) If I reformat and reinstall, how could they still trace the machine with the new install?

3) Assuming I get this far and install everything back to factory defaults, what can we conclude from this incident? Is it the setup executable that may have caused this virus, or, if you use a license key, could the ID of that license key cause the tracing of all of these viruses? I'm confused which one it would be between these two.

4) Does the Windows XP CD boot with the format option really do the deepest of the deep root-level format of the hard drive? Or does it simply overlap the previous install?

5) Also, when formatting to NTFS, does it matter if you do a quick format or a full one?

6) You mentioned on the first page that I will need to change the ISP password. How do I do that? Also, if I do a format, would this even be necessary? The only reason I ask is because I have several people in the household using this ISP wirelessly and have it set up on a MAC table, but changing the ISP password will probably cause me to have to manually re-add them by going to each device one by one. I just want to know if this is your suggestion even after reformatting.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

2) Once you have formatted, they WON'T be able to trace you.

3) What can we conclude? Download software from the original source only; don't get it from some website that promises you a licence. The installer here was the problem.

4) I would do a full format, wipe the partition, then remake it. I say this because overlapping one OS with another may cause the new OS some problems because remnants of the old OS are there. (Upgrading from XP to Vista causes Internet Explorer errors.)

5) ^ full format

6) The master router (the thing all your wireless networks use) should be fine (assuming it's got a custom password and not the default administrator password); it's just website passwords that are compromised.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

In regard to question 3:

1) So the license key does not allow any hackers to trace you or anyone who uses that key?

In regard to question 6:

1) So after formatting and installing, you would recommend changing the master router password? I would think that if I change the password on that, then all devices using it as an access point (those on the MAC table) wouldn't work and I'd have to manually re-add them with the new password that's not cached into the system, right? Is that how it works?

2) If the infected PC was a laptop that was connected wirelessly to a main router and that got infected (in my case), does that mean the hacker could obtain information on other devices to hack that are connected to that same main router?

3) Would you recommend using Spyware Doctor, or Norton for a combo of antivirus, spyware and Internet security?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

I think we have a misunderstanding. When I said master password, I wasn't talking about the WEP key. I was talking about access to the router via its IP address (depending on your model, but it's usually 192.168.1.1).

I don't recommend Norton. It's too big and has been known to drag systems down. I would recommend Avira along with Kerio firewall. Both are free.

1) Antivir PersonalEditionClassic
- Free anti-virus software for Windows.
- Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Kerio
A tutorial on understanding and using firewalls may be found here.

As for Antispyware, I would stick with SUPERAntispyware or MBAM.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Isn't the access to the router always 192.168.0.1?

1) You're talking about the admin login for that? I wasn't sure how you change that. Is it by just resetting the router by pressing down the pin on the back for 10 seconds? Not sure. Need some help on that.

2) I tried to use Kerio firewall once. It doesn't seem as user-friendly for non-tech people who are new to installing those things. I installed it once and I couldn't figure out how to get my internet connection up, since I didn't know how to tie that into the router. If the router (which by definition has a built-in firewall) and the software firewall are linked, doesn't that cause complications?

3) Do you know if Spyware Doctor has a built-in firewall? Or is it simply for antivirus and spyware?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Belahzur,

You're probably asleep at this time, so I'll check up with you later. Please respond to the previous questions in my last reply.

As an update, I am now typing on what was the originally infected laptop. I spent the last few hours reformatting and reinstalling Windows from scratch. I got the official files for Malwarebytes and Spyware Doctor off the original company websites and installed them before going online. So, the process I did went:

1) Format and install the Windows XP OS
2) Install laptop drivers (disabling the wireless)
3) Download Malwarebytes and Spyware Doctor from another PC, copy them over, and install them
4) Run quick and full tests
5) Install MS Office and other basic apps
6) Copy backed-up personal files (My Documents, desktop files) over to the newly formatted PC (when I did a select all before copying, it had over 40 hidden files; I made sure that I didn't select those and said no when it asked if I wanted to include them in the selection)
7) Now online, having Windows do an auto-update, since it was installed up to XP Service Pack 2

Curiously though, for some reason, I ran Malwarebytes a few times and it found nothing, and that was the newest version with file updates. However, with the official Spyware Doctor program from the pctools.com website, I did an IntelliScan (quick) scan, and it found 5 infections of low profile. These results always, and I mean always, seem to pop up as some result from a test run from Spyware Doctor after first installing it. I don't know if it's supposed to mean something. There is no corrupted file this time around, and thank God it's not doing anything crazy on me right now, but it doesn't make sense to me. Why is a fresh install of XP and some installs having it pick up a few threats?

[screenshot: Spyware Doctor scan results]

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Hello.

They aren't threats. The picture is small, but I can just about read it.

"TrackingCookies" aren't infections; everyone needs tracking cookies. If you use Internet Explorer/Firefox and clear the cookies, notice that you get logged out of everything, because cookies are where your login details are stored on your machine.

Adware.Advertising is the same thing, but fix them if you want to. [Although you will get logged out of stuff.]


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Well, once I get this system back up and running, could you help me go through the diagnostics check on this newly installed machine again?

I want to make sure that the folder contents and new installs I made don't have anything left from the previous infection or bring up any new ones.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Sure. But don't use this topic; open a new one and post a HijackThis log for me to check.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Thanks.

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Belahzur wrote:


It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Kerio
A tutorial on understanding and using firewalls may be found here.

As for Antispyware, I would stick with SUPERAntispyware or MBAM.


I was wondering. I just got a clean copy of Spyware Doctor, and I was thinking that, since it doesn't have a firewall and intrusion detection, I wanted to install McAfee Total Protection 2009 instead, which has all of that. I have a copy of that as well.

What's your opinion? I know you mentioned that you can't have 2 apps because they will conflict? How should I proceed with the steps to uninstall and install? Or can I keep them both?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

If you get McAfee all-in-one, then don't install any other firewall or antivirus.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Uh oh, the new Spyware Doctor has been finding some things on the machine, even after reformatting and reinstalling. Take a look at this. It seems every time it finishes scanning, something happens.

The only thing I remember doing is that I accidentally misspelled hotmail.com as something like 'homtial.com' or something like that, and it popped up a site that was blocked by Spyware Doctor, and since then, all these strange things have been happening.

[screenshot: Spyware Doctor scan history]

Here's the HijackThis log; do you find anything suspicious?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:10 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HP KEYBOARDg] "C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5293 bytes
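Added example (not from the thread and not from HijackThis itself): a parser for the HijackThis line format with a small allowlist review, the mechanical version of "log looks clean". PAGE_EXCERPT is copied from the log above; CONSTRUCTED_BAD is made up to show what a hijacked start page and a Run entry named after a system process look like in the same format. The trusted roots and hosts are my assumptions for a freshly rebuilt XP laptop with the software listed, not a HijackThis feature; a real review would also check file signatures and known-good hashes, which this does not.

```python
# HijackThis log parser with an allowlist review: the mechanical version of
# "log looks clean". Added example, not code from the thread or from
# HijackThis. PAGE_EXCERPT is copied from the log above; CONSTRUCTED_BAD is
# made up. Trusted roots/hosts are my assumptions for this rebuilt XP laptop.
import re
from dataclasses import dataclass
from urllib.parse import urlparse

PAGE_EXCERPT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Constructed, not from the page: a hijacked start page and a Run entry that
# borrows a system process name and lives in the user's Temp directory.
CONSTRUCTED_BAD = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-redirect.example/?q=
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Mike\Local Settings\Temp\svchost.exe
"""

TRUSTED_URL_HOSTS = {"go.microsoft.com", "www.google.com", "google.com"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "explorer"}

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'((?:[a-z]:|%programfiles%)\\[^"\r\n]*?\.(?:exe|dll|sys|ocx))', re.I)

@dataclass(frozen=True)
class Entry:
    kind: str   # R0..R3 (browser settings) or O2, O4, O23 ... (hooks, autoruns, services)
    body: str   # text after "Oxx - "
    path: str   # first Windows file path found in the body, "" if none
    url: str    # R lines only

def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, "End of file" and blank lines
        kind, body = m.groups()
        url = body.partition(" = ")[2].strip() if kind.startswith("R") else ""
        pm = PATH_RE.search(body)
        entries.append(Entry(kind, body, pm.group(1) if pm else "", url))
    return entries

def normalize_path(path):
    p = path.strip().strip('"').lower()
    return p.replace("%programfiles%", "c:\\program files")

def review(entries):
    """Return (severity, kind, detail) tuples; severity is 'high' or 'info'."""
    findings = []
    for e in entries:
        if e.kind.startswith("R"):
            host = urlparse(e.url).hostname or ""
            if host not in TRUSTED_URL_HOSTS:
                findings.append(("high", e.kind, f"browser setting points at {host!r}: {e.url}"))
            continue
        if e.kind == "O4":
            m = re.search(r"\[([^\]]+)\]", e.body)
            stem = m.group(1).lower() if m else ""
            stem = stem[:-4] if stem.endswith(".exe") else stem
            if stem in SYSTEM_PROCESS_NAMES:
                findings.append(("high", e.kind, f"Run entry named after a system process: {m.group(1)}"))
        if e.kind == "O23" and "- Unknown owner -" in e.body:
            findings.append(("info", e.kind, f"service without a company string: {e.body}"))
        p = normalize_path(e.path)
        if p and (not p.startswith(TRUSTED_ROOTS) or "\\temp\\" in p):
            findings.append(("high", e.kind, f"code loaded from an unusual location: {e.path}"))
    return findings

if __name__ == "__main__":
    for severity, kind, detail in review(parse_hjt(PAGE_EXCERPT + CONSTRUCTED_BAD)):
        print(f"[{severity:<4}] {kind}: {detail}")
```

On the page's own lines the review raises nothing of high severity and one informational item (the Dell WLAN service reported with "Unknown owner", which matches the admin's "log looks clean" reading); the two constructed lines produce three high findings between them.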

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Log looks clean.
That screenshot is looking at history, not a current infection?


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Well, it is the history of a recent scan. From the timestamp and my time zone, that scan was about an hour ago, after I accidentally mistyped going to the MSN Hotmail website.

1) Do you think it's anything to worry about?

Also,

2) Another question. I currently have Spyware Doctor installed. Will installing McAfee over this cause complications, or should I uninstall Spyware Doctor first and then install McAfee? OR should I just install McAfee and then deal with the Spyware Doctor uninstall later?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Well, the screenshot says Spyware Doctor with AntiVirus.
If you want McAfee, Spyware Doctor has to go.

And no, I don't think you should worry.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

So the ordering of what to install or uninstall first would not be a problem?

Will installing McAfee over this cause complications, or should I uninstall Spyware Doctor first and then install McAfee? OR should I just install McAfee and then deal with the Spyware Doctor uninstall later?

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Install McAfee first, then uninstall Spyware Doctor. At least that way, you will be protected during the removal instead of the other way around.


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Whoa, McAfee just found this. I don't know why Spyware Doctor never did. I didn't even run this app on this newly installed laptop after reformatting, but somehow, this was caught. This program is just a program to schedule automated downloads from sites like RapidShare, MegaUpload, and other sites.

Anything you think I should be worried about?
[screenshot: McAfee detection]

Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Hello.
I can just about read that. JDownloader, I think.

Where did you download JDownloader from? From the original website or via another source?


Re: Reinstalling Spyware Doctor, bad idea, trojan madness lurking in pc

Original website.
