WiredWX Hobby Weather Tools
win32/cryptor found in Iexplorer.exe and evchost.exe


Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Wow.. I don't use half of that stuff. I need to do some cleaning :)
Computer's getting slow XDD

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 8.1.2
  • Java 2 Runtime Environment, SE v1.4.2_05
  • Java(TM) 6 Update 2
  • Java(TM) 6 Update 3
  • Java(TM) 6 Update 5
  • LimeWire 5.1.2

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
OneStepSearch Service

Folder::
C:\_OTMoveIt
c:\program files\LimeWire
c:\program files\OneStep

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875c54c8-2d74-11de-90be-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4ee268b-4d56-11dd-ac4e-00132014273f}]


Save this as CFScript.txt to your desktop.
Then drag and drop CFScript.txt into ComboFix as seen below:
[image: CFScript.txt being dragged onto ComboFix]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.
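A dry-run reader for the CFScript above, added here as an example (not code from the thread or from ComboFix itself): it parses the `::` sections and the .reg-style Registry:: block and lists what the script asks ComboFix to remove, so the file can be checked before it is dragged onto ComboFix. The sample input is the script posted above; the description of KILLALL:: is an assumption.

```python
"""Dry-run preview of a ComboFix CFScript (added example, not ComboFix's own code).
Sections are headers ending in '::' with one item per line; the Registry::
section uses .reg (REGEDIT4) syntax. The output lists what the script asks
ComboFix to remove, so it can be reviewed before dragging it onto ComboFix.exe.
"""
import re

# Constructed sample input: the CFScript posted in the thread above.
SAMPLE_SCRIPT = r"""KILLALL::

Driver::
OneStepSearch Service
Folder::
C:\_OTMoveIt
c:\program files\LimeWire
c:\program files\OneStep
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_cfscript(text):
    """Split a CFScript into {section_name: [item lines]}, in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Turn the Registry:: block (.reg syntax) into explicit actions.
    [-KEY]       deletes the whole key
    [KEY]        selects the key that the following value lines belong to
    "Name"=-     deletes one value under the selected key
    "Name"=data  sets a value (legal .reg syntax, unused in the thread)
    """
    actions, key = [], None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            minus, key = km.groups()
            if minus:
                actions.append(("delete_key", key, None))
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name, data = vm.groups()
            name = name.replace("\\\\", "\\")  # .reg doubles backslashes in names
            kind = "delete_value" if data == "-" else "set_value"
            actions.append((kind, key, name))
    return actions


def preview(text):
    """Return the (action, target, value_name) tuples a script would perform."""
    sections = parse_cfscript(text)
    plan = []
    if "KILLALL" in sections:
        # Assumption: KILLALL:: asks ComboFix to end running processes first
        plan.append(("kill_processes", "running processes", None))
    plan += [("delete_service", s, None) for s in sections.get("Driver", [])]
    plan += [("delete_folder", p, None) for p in sections.get("Folder", [])]
    plan += registry_actions(sections.get("Registry", []))
    return plan
```

Running `preview(SAMPLE_SCRIPT)` yields nine actions: one process kill, one service removal, three folder deletions, three value deletions and one key deletion.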

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Hmm.. Why do I need to delete Adobe Reader? And LimeWire... *presses delete* *sob sob*

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
A new update to ComboFix? >< *presses download*

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
You had a rootkit infection; do you want it to come back again? All because you downloaded an infection from LimeWire.

Combofix is updated daily, so get the new version if it asks.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
ComboFix 09-05-15.06 - handsome kevin 05/17/2009 0:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.467 [GMT 10:00]
Running from: c:\documents and settings\handsome kevin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\handsome kevin\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\05142009_231348.log
c:\_otmoveit\MovedFiles\05142009_231348.res
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLALog.txt
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLATempNokia\Nokia Sans Wide Bold v3.1.ttf
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\MsgrConfig[7].asmx
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\signin[2].htm
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\RREW40LA\acCA02GIG8.htm
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid1340.log
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.rar
c:\program files\OneStep
c:\program files\OneStep\home.js
c:\program files\OneStep\onestep.exe
c:\program files\OneStep\osopt.exe
c:\program files\OneStep\readme.html
c:\program files\OneStep\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEPSEARCH_SERVICE
-------\Service_OneStepSearch Service


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 09:23 . 2009-04-26 10:15 -------- d-----w c:\program files\Soldat
2009-04-23 05:57 . 2009-04-23 05:57 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\program files\iPod
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 14:17 . 2008-06-14 11:12 -------- d-----w c:\program files\LogMeIn
2009-05-16 14:05 . 2007-06-28 02:09 -------- d-----w c:\program files\Java
2009-05-16 14:02 . 2007-08-14 01:13 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 08:00 . 2009-02-16 04:35 -------- d-----w c:\program files\Norton Security Scan
2009-05-14 13:55 . 2007-06-28 02:51 110168 ----a-w c:\documents and settings\handsome kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 08:01 . 2007-06-28 02:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-25 23:45 . 2008-06-02 06:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 23:45 . 2008-06-02 06:08 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 23:44 . 2008-06-02 06:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 11:26 . 2008-10-18 12:31 34 ----a-w c:\documents and settings\handsome kevin\jagex_runescape_preferences.dat
2009-04-17 00:21 . 2008-02-04 10:54 -------- d-----w c:\program files\iTunes
2009-04-17 00:21 . 2008-02-04 10:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-14 09:32 . 2008-03-13 05:01 -------- d-----w c:\program files\Valve
2009-04-12 13:11 . 2008-02-28 10:32 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 09:37 . 2009-04-10 09:37 -------- d-----w c:\program files\NeedforMadness_at
2009-04-06 23:44 . 2009-04-06 23:40 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-06 07:39 . 2009-04-05 09:46 -------- d-----w c:\program files\mIRC
2009-04-06 07:20 . 2008-11-03 06:49 -------- d-----w c:\program files\Warcraft III
2009-04-05 08:34 . 2007-06-28 02:09 -------- d-----w c:\program files\ATI Technologies
2009-04-02 09:16 . 2007-07-03 14:47 -------- d-----w c:\program files\Google
2009-03-25 04:56 . 2009-03-25 04:56 -------- d-----w c:\program files\QuickTime
2009-03-25 04:51 . 2008-03-29 00:54 -------- d-----w c:\program files\Safari
2009-03-25 04:50 . 2009-03-25 04:50 -------- d-----w c:\program files\Bonjour
2009-03-19 06:32 . 2008-01-29 01:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-10 06:38 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-25 04:53 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 12:59 . 2008-08-02 03:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-08-11 08:41 . 2007-10-04 22:49 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-11 08:41 . 2007-10-04 22:49 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-11 08:41 . 2008-03-07 08:30 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-11 08:41 . 2008-03-07 08:30 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-11 08:41 . 2007-10-04 22:49 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-15_14.44.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_850.dat
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 63188 c:\windows\system32\perfc009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 63188 c:\windows\system32\perfc009.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 403968 c:\windows\system32\perfh009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 403968 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-03-14 03:08 265360 ----a-w c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2004-10-07 81920]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2004-03-04 299008]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"KiweeHook"="c:\program files\Kiwee Toolbar2\1.4.127\kwtbaim.exe" [2008-03-14 56456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1947928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]

c:\documents and settings\handsome kevin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-12-17 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 23:45 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 11:10 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\war3.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Soldat\\Soldat.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Games\\halo\\halo.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Media Converter SA Edition\\Media Converter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6122:TCP"= 6122:TCP:Warcraft

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 4:08 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2008 4:08 PM 108552]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [6/28/2007 12:18 PM 49024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/9/2009 7:34 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/14/2008 9:12 PM 47640]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 4:53 PM 226656]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [6/28/2007 12:18 PM 139264]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2/5/2008 8:29 PM 710144]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2/28/2008 3:31 PM 12192]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [1/1/1980 751104]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2/5/2008 8:58 PM 15360]
S3 PageFau1t;PageFau1t;\??\c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys --> c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva093;XDva093;\??\c:\windows\system32\XDva093.sys --> c:\windows\system32\XDva093.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\XDva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva129;XDva129;\??\c:\windows\system32\XDva129.sys --> c:\windows\system32\XDva129.sys [?]
S3 XDva181;XDva181;\??\c:\windows\system32\XDva181.sys --> c:\windows\system32\XDva181.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2008-12-23 c:\windows\Tasks\At3.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-16 c:\windows\Tasks\At4.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-15 c:\windows\Tasks\Norton Security Scan for handsome kevin.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-18 09:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6c,84,a2,95,e8,
c3,ee,d8,c8,28,51,af,b0,29,a3,98,1b,5a,55,b7,2c,fe,65,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,43,0b,e8,7a,a4,
8c,3f,82,71,3b,04,66,8b,46,0d,96,2c,46,83,03,6a,cf,97,1f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,b3,d4,5d,e6,86,
b5,2c,29,25,da,ec,7e,55,20,c9,26,af,00,5d,1d,59,65,64,70,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,88,24,86,e3,1b,
da,87,b2,3e,1e,9e,e0,57,5a,93,61,d2,3c,be,a3,d6,6e,8a,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,e8,03,56,95,d5,
56,8e,59,cd,44,cd,b9,a6,33,6c,cd,96,78,13,26,0a,c5,33,44,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,83,3c,4d,52,6f,
aa,2d,7b,b0,18,ed,a7,3f,8d,37,a4,6a,2b,ff,76,41,fc,ce,ce,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,49,1c,62,bd,f4,
7d,5d,5c,31,77,e1,ba,b1,f8,68,02,7e,e8,49,bf,57,38,78,0b,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,21,3c,6c,95,81,
93,15,34,83,6c,56,8b,a0,85,96,ab,f5,f5,9f,b3,b7,ba,fb,55,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d5,82,08,44,f1,
e9,71,db,51,fa,6e,91,28,9e,14,cc,a3,28,39,2c,10,03,cf,1a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,6b,11,b5,e1,83,
8c,54,e9,b1,cd,45,5a,a8,c4,f8,b9,5d,dd,cc,ea,a1,1a,a1,6d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,0b,0b,75,91,54,
38,34,a6,e3,0e,66,d5,eb,bc,2f,6b,d8,b5,95,c0,8d,2a,77,26,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1a,af,7b,92,3f,
7a,e1,8e,fa,ea,66,7f,d4,3b,6b,70,06,40,74,9e,b5,92,40,cd,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(880)
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\apps\ABoard\AOSD.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-05-16 0:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 14:23
ComboFix2.txt 2009-05-15 14:45

Pre-Run: 68,714,438,656 bytes free
Post-Run: 68,597,166,080 bytes free

360 --- E O F --- 2009-05-13 13:19

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
What about Adobe Reader?

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[image: CF_Cleanup]

This will also reset your restore points.

How is the machine running now?

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Nothing detected by AVG, and it seems to run smoother with less lag :)
Thanks heaps.
Could you give me a list of the infections I had, just so I can do a bit of research on what they do?
Thanks.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
The main infection was that rootkit, part of the TDSS family.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe
Thanks again, you helped heaps. Goodnight.
