WiredWX Christian Hobby Weather Tools
BDS/Agent

"BDS/Agent.fhh[backdoor]" detected in file "C:\Program Files\Common Files\alg.exe."

I've been seeing this Avira pop-up every five hours for the last three days.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:50 PM, on 10/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Application Layer Gateway] C:\Program Files\Common Files\alg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Go%20Go%20Gourmet%20-%20Chef%20of%20the%20Year/Images/stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99b9e8f903320) (gupdate1c99b9e8f903320) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6188 bytes
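As an added example (not code from this thread or from HijackThis, SpiderKill or any other tool named here), the script below reads the executable paths out of the kinds of log lines posted above and flags a well-known Windows system binary name that runs from a directory it does not belong in, which is how `C:\Program Files\Common Files\alg.exe` stands out next to the legitimate `C:\WINDOWS\System32\alg.exe`. It also reports any file name seen at two different locations. The sample log text, the table of expected directories and all function names are constructed for the example and are not part of the original logs.

```python
import ntpath
import re
from collections import defaultdict

# Windows binaries that have exactly one legitimate home directory. This is a
# constructed short list for the example; a real check would carry a full set.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "alg.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample modelled on the logs in this thread: a HijackThis
# "Running processes" block, two O4 Run entries and a SpiderKill-style
# "PROCESS PID PRIO PATH" table.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\alg.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O4 - HKLM\..\Run: [Application Layer Gateway] C:\Program Files\Common Files\alg.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

PROCESS PID PRIO PATH
alg.exe 1640 Normal C:\Program Files\Common Files\alg.exe
alg.exe 2340 Normal C:\WINDOWS\System32\alg.exe
svchost.exe 740 Normal C:\WINDOWS\system32\svchost.exe
"""

# First drive-letter path ending in .exe on a line; stops before a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.exe', re.IGNORECASE)
# SpiderKill-style row: "<name>.exe <pid> <priority> <path>"
TABLE_RE = re.compile(r"^\S+\.exe\s+\d+\s+\S+\s+", re.IGNORECASE)


def extract_paths(text):
    """Return (source, path) pairs for every executable path found in the log."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.search(line)
        if not m:
            continue  # headers, blank lines and entries without an .exe path
        if line.startswith("O4 "):
            source = "run-key"        # HijackThis autostart entry
        elif TABLE_RE.match(line):
            source = "process-table"  # SpiderKill PROCESS/PID/PRIO/PATH row
        else:
            source = "process-list"   # HijackThis "Running processes" line
        found.append((source, m.group(0)))
    return found


def find_masquerades(pairs):
    """Flag a known system binary name whose directory is not its expected one."""
    alerts = []
    for source, path in pairs:
        name = ntpath.basename(path).lower()
        expected = EXPECTED_DIR.get(name)
        # Exact directory comparison: a prefix test would accept C:\WINDOWS\alg.exe.
        if expected is not None and ntpath.dirname(path).lower() != expected:
            alerts.append((source, path))
    return alerts


def find_name_collisions(pairs):
    """Return file names that appear at more than one distinct location."""
    by_name = defaultdict(set)
    for _, path in pairs:
        by_name[ntpath.basename(path).lower()].add(path.lower())
    return {name: sorted(paths) for name, paths in by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    pairs = extract_paths(SAMPLE_LOG)
    for source, path in find_masquerades(pairs):
        print(f"SUSPECT [{source}] {path}")
    for name, paths in find_name_collisions(pairs).items():
        print(f"COLLISION {name}: {' | '.join(paths)}")
```

Run against the sample, the script reports the `Common Files\alg.exe` entry three times (process list, O4 Run key, process table) and one collision for `alg.exe`, while the Avira executables, which are not in the expected-directory table, are left alone. The directory comparison is exact rather than a prefix match so that a copy dropped directly under `C:\WINDOWS` would also be flagged.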

Re: BDS/Agent

Hi

Please download SpiderKill and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


==

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==

Please post the Malwarebytes and the SpiderKill log in your next reply.

Re: BDS/Agent

Malwarebytes' Anti-Malware 1.41
Database version: 2927
Windows 5.1.2600 Service Pack 3

10/8/2009 10:06:20 PM
mbam-log-2009-10-08 (22-06-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188054
Time elapsed: 1 hour(s), 28 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: BDS/Agent

SpiderKill by DragonMaster Jay ( Oct 2009 )


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C is HP_PAVILION
Volume Serial Number is 28FB-76ED

Directory of C:\Windows\System32\Drivers

09/05/2009 04:10 PM .
09/05/2009 04:10 PM ..
04/13/2008 11:36 AM 187,776 acpi.sys
08/04/2004 05:00 AM 11,648 acpiec.sys
04/13/2008 05:11 PM 4,255 adv01nt5.dll
04/13/2008 05:11 PM 3,967 adv02nt5.dll
04/13/2008 05:11 PM 3,615 adv05nt5.dll
04/13/2008 05:11 PM 3,647 adv07nt5.dll
04/13/2008 05:11 PM 3,135 adv08nt5.dll
04/13/2008 05:11 PM 3,711 adv09nt5.dll
04/13/2008 05:11 PM 3,775 adv11nt5.dll
04/13/2008 09:39 AM 142,592 aec.sys
08/14/2008 03:04 AM 138,496 afd.sys
04/13/2008 11:36 AM 42,368 agp440.sys
04/13/2008 11:36 AM 44,928 agpcpq.sys
03/04/2005 12:02 PM 1,066,278 AGRSM.sys
08/01/2003 07:37 PM 1,040 alcxinit.dat
12/12/2003 06:54 AM 391,424 ALCXSENS.SYS
10/01/2004 11:24 AM 2,279,424 ALCXWDM.SYS
04/13/2008 11:36 AM 42,752 alim1541.sys
04/13/2008 11:36 AM 43,008 amdagp.sys
04/13/2008 11:31 AM 37,376 amdk6.sys
04/13/2008 11:31 AM 37,760 amdk7.sys
04/13/2008 11:51 AM 60,800 arp1394.sys
04/13/2008 11:57 AM 14,336 asyncmac.sys
04/13/2008 11:40 AM 96,512 atapi.sys
08/03/2004 10:29 PM 56,623 ati1btxx.sys
08/03/2004 10:29 PM 11,615 ati1mdxx.sys
08/03/2004 10:29 PM 12,047 ati1pdxx.sys
08/03/2004 10:29 PM 30,671 ati1raxx.sys
08/03/2004 10:29 PM 63,663 ati1rvxx.sys
08/03/2004 10:29 PM 26,367 ati1snxx.sys
08/03/2004 10:29 PM 21,343 ati1ttxx.sys
08/03/2004 10:29 PM 36,463 ati1tuxx.sys
08/03/2004 10:29 PM 29,455 ati1xbxx.sys
08/03/2004 10:29 PM 34,735 ati1xsxx.sys
08/03/2004 10:29 PM 327,040 ati2mtaa.sys
08/03/2004 10:29 PM 701,440 ati2mtag.sys
08/03/2004 10:29 PM 57,856 atinbtxx.sys
08/03/2004 10:29 PM 13,824 atinmdxx.sys
08/03/2004 10:29 PM 14,336 atinpdxx.sys
08/03/2004 10:29 PM 52,224 atinraxx.sys
08/03/2004 10:29 PM 104,960 atinrvxx.sys
08/03/2004 10:29 PM 28,672 atinsnxx.sys
08/03/2004 10:29 PM 13,824 atinttxx.sys
08/03/2004 10:29 PM 73,216 atintuxx.sys
08/03/2004 10:29 PM 31,744 atinxbxx.sys
08/03/2004 10:29 PM 63,488 atinxsxx.sys
07/17/2004 11:36 AM 64,352 ativmc20.cod
04/13/2008 11:51 AM 59,904 atmarpc.sys
08/04/2004 05:00 AM 31,360 atmepvc.sys
04/13/2008 11:51 AM 55,808 atmlane.sys
08/04/2004 05:00 AM 352,256 atmuni.sys
04/13/2008 05:11 PM 21,183 atv01nt5.dll
04/13/2008 05:11 PM 11,359 atv02nt5.dll
04/13/2008 05:11 PM 25,471 atv04nt5.dll
04/13/2008 05:11 PM 14,143 atv06nt5.dll
04/13/2008 05:11 PM 17,279 atv10nt5.dll
11/16/2006 09:44 AM 25,136 atwpkt2.sys
11/16/2006 09:44 AM 33,592 atwpkt264.sys
08/17/2001 01:59 PM 3,072 audstub.sys
02/13/2009 11:17 AM 45,416 avgntdd.sys
08/05/2009 01:12 PM 55,656 avgntflt.sys
02/13/2009 11:29 AM 22,360 avgntmgr.sys
04/27/2009 12:13 PM 96,104 avipbb.sys
08/17/2001 12:11 PM 66,557 bcm42u.sys
08/04/2004 05:00 AM 4,224 beep.sys
04/13/2008 11:53 AM 71,552 bridge.sys
04/13/2008 11:46 AM 17,024 bthenum.sys
04/13/2008 11:46 AM 37,888 bthmodem.sys
04/13/2008 11:51 AM 101,120 bthpan.sys
06/13/2008 04:05 AM 272,128 bthport.sys
04/13/2008 11:46 AM 36,480 bthprint.sys
04/13/2008 11:46 AM 18,944 bthusb.sys
08/04/2004 05:00 AM 13,952 cbidf2k.sys
04/13/2008 11:46 AM 17,024 ccdecode.sys
08/04/2004 12:00 PM 18,688 cdaudio.sys
04/13/2008 12:14 PM 63,744 cdfs.sys
04/13/2008 11:40 AM 62,976 cdrom.sys
04/13/2008 05:11 PM 15,423 ch7xxnt5.dll
08/04/2004 12:00 PM 262,528 cinemst2.sys
04/13/2008 12:16 PM 49,536 classpnp.sys
08/04/2004 12:00 PM 11,776 cpqdap01.sys
04/13/2008 11:31 AM 36,736 crusoe.sys
07/17/2004 10:55 PM 129,045 cxthsfs2.cty
08/11/2004 11:01 AM disdn
04/13/2008 11:40 AM 36,352 disk.sys
04/13/2008 11:40 AM 14,208 diskdump.sys
04/13/2008 11:44 AM 799,744 dmboot.sys
04/13/2008 11:44 AM 153,344 dmio.sys
08/04/2004 05:00 AM 5,888 dmload.sys
04/13/2008 11:45 AM 52,864 dmusic.sys
04/13/2008 11:45 AM 60,160 drmk.sys
04/13/2008 11:45 AM 2,944 drmkaud.sys
08/04/2004 05:00 AM 10,496 dxapi.sys
04/13/2008 11:38 AM 71,168 dxg.sys
08/04/2004 05:00 AM 3,328 dxgthk.sys
04/13/2009 03:57 PM etc
04/13/2008 12:14 PM 143,744 fastfat.sys
04/13/2008 11:40 AM 27,392 fdc.sys
04/13/2008 11:33 AM 44,544 fips.sys
04/13/2008 11:40 AM 20,480 flpydisk.sys
04/13/2008 11:32 AM 129,792 fltmgr.sys
08/04/2004 12:00 PM 12,160 fsvga.sys
08/04/2004 05:00 AM 7,936 fs_rec.sys
08/04/2004 05:00 AM 125,056 ftdisk.sys
04/13/2008 11:36 AM 46,464 gagp30kx.sys
03/19/2009 04:32 PM 23,400 GEARAspiWDM.sys
08/04/2004 05:00 AM 3,440,660 gm.dls
08/04/2004 05:00 AM 646 gmreadme.txt
04/13/2008 09:36 AM 144,384 hdaudbus.sys
03/17/2004 11:10 PM 113,664 Hdaudio.sys
04/13/2008 11:46 AM 25,600 hidbth.sys
04/13/2008 11:45 AM 36,864 hidclass.sys
04/13/2008 11:45 AM 19,200 hidir.sys
04/13/2008 11:45 AM 24,960 hidparse.sys
04/13/2008 11:45 AM 10,368 hidusb.sys
08/03/2004 10:41 PM 220,032 hsfbs2s2.sys
08/03/2004 10:41 PM 685,056 hsfcxts2.sys
08/03/2004 10:41 PM 1,041,536 hsfdpsp2.sys
04/13/2008 11:53 AM 264,832 http.sys
04/13/2008 12:18 PM 52,480 i8042prt.sys
08/20/2004 05:26 PM 737,874 ialmnt5.sys
04/13/2008 11:40 AM 42,112 imapi.sys
04/13/2008 11:40 AM 5,504 intelide.sys
04/13/2008 11:31 AM 36,352 intelppm.sys
04/13/2008 11:53 AM 36,608 ip6fw.sys
08/04/2004 05:00 AM 32,896 ipfltdrv.sys
04/13/2008 11:57 AM 20,864 ipinip.sys
04/13/2008 11:57 AM 152,832 ipnat.sys
04/13/2008 12:19 PM 75,264 ipsec.sys
04/13/2008 11:54 AM 11,264 irenum.sys
04/13/2008 11:36 AM 37,248 isapnp.sys
04/13/2008 11:39 AM 24,576 kbdclass.sys
04/13/2008 11:39 AM 14,592 kbdhid.sys
04/13/2008 11:45 AM 172,416 kmixer.sys
04/13/2008 12:16 PM 141,056 ks.sys
04/13/2008 11:31 AM 92,288 ksecdd.sys
08/03/2009 01:36 PM 19,096 mbam.sys
08/03/2009 01:36 PM 38,160 mbamswissarmy.sys
08/04/2004 05:00 AM 7,680 mcd.sys
08/03/2004 10:41 PM 11,868 mdmxsdk.sys
04/13/2008 11:36 AM 63,744 mf.sys
08/04/2004 05:00 AM 4,224 mnmdd.sys
04/13/2008 12:00 PM 30,080 modem.sys
06/18/2007 08:18 PM 23,680 motmodem.sys
04/13/2008 11:39 AM 23,040 mouclass.sys
08/17/2001 01:48 PM 12,160 mouhid.sys
04/13/2008 11:39 AM 42,368 mountmgr.sys
04/13/2008 11:32 AM 180,608 mrxdav.sys
10/24/2008 04:21 AM 455,296 mrxsmb.sys
04/13/2008 11:32 AM 19,072 msfs.sys
04/13/2008 11:56 AM 35,072 msgpc.sys
04/13/2008 11:39 AM 7,552 mskssrv.sys
04/13/2008 11:39 AM 5,376 mspclock.sys
04/13/2008 11:39 AM 4,992 mspqm.sys
04/13/2008 11:36 AM 15,488 mssmbios.sys
04/13/2008 11:39 AM 5,504 mstee.sys
08/03/2004 10:41 PM 126,686 mtlmnt5.sys
08/03/2004 10:41 PM 1,309,184 mtlstrm.sys
08/03/2004 10:29 PM 452,736 mtxparhm.sys
04/13/2008 12:17 PM 105,344 mup.sys
04/13/2008 11:43 AM 12,672 mutohpen.sys
04/13/2008 11:46 AM 85,248 nabtsfec.sys
04/13/2008 12:20 PM 182,656 ndis.sys
04/13/2008 11:46 AM 10,880 ndisip.sys
04/13/2008 11:57 AM 10,112 ndistapi.sys
04/13/2008 11:55 AM 14,592 ndisuio.sys
04/13/2008 12:20 PM 91,520 ndiswan.sys
04/13/2008 11:57 AM 40,576 ndproxy.sys
04/13/2008 11:56 AM 34,688 netbios.sys
04/13/2008 12:21 PM 162,816 netbt.sys
07/17/2004 11:35 AM 67,866 netwlan5.img
04/13/2008 11:51 AM 61,824 nic1394.sys
08/04/2004 12:00 PM 12,032 nikedrv.sys
04/13/2008 11:53 AM 40,320 nmnt.sys
04/13/2008 11:32 AM 30,848 npfs.sys
04/13/2008 12:15 PM 574,976 ntfs.sys
08/03/2004 10:41 PM 180,360 ntmtlfax.sys
08/04/2004 05:00 AM 2,944 null.sys
08/03/2004 10:29 PM 1,897,408 nv4_mini.sys
08/04/2004 05:00 AM 12,416 nwlnkflt.sys
08/04/2004 05:00 AM 32,512 nwlnkfwd.sys
04/13/2008 11:56 AM 88,320 nwlnkipx.sys
08/04/2004 05:00 AM 63,232 nwlnknb.sys
08/04/2004 05:00 AM 55,936 nwlnkspx.sys
08/04/2004 05:00 AM 3,456 oprghdlr.sys
04/13/2008 11:31 AM 42,752 p3.sys
04/13/2008 11:40 AM 80,128 parport.sys
04/13/2008 11:40 AM 19,712 partmgr.sys
08/04/2004 05:00 AM 6,784 parvdm.sys
04/13/2008 11:36 AM 68,224 pci.sys
08/04/2004 05:00 AM 3,328 pciide.sys
04/13/2008 11:40 AM 24,960 pciidex.sys
04/13/2008 11:36 AM 120,192 pcmcia.sys
04/13/2008 12:19 PM 146,048 portcls.sys
04/13/2008 11:31 AM 35,840 processr.sys
06/04/2001 02:00 PM 14,112 PS2.sys
04/13/2008 11:56 AM 69,120 psched.sys
08/04/2004 05:00 AM 17,792 ptilink.sys
10/04/2002 05:04 PM 46,976 R8139n51.sys
08/04/2004 05:00 AM 8,832 rasacd.sys
04/13/2008 12:19 PM 51,328 rasl2tp.sys
04/13/2008 11:57 AM 41,472 raspppoe.sys
04/13/2008 12:19 PM 48,384 raspptp.sys
08/04/2004 05:00 AM 16,512 raspti.sys
08/04/2004 05:00 AM 34,432 rawwan.sys
04/13/2008 12:28 PM 175,744 rdbss.sys
08/04/2004 05:00 AM 4,224 rdpcdd.sys
04/13/2008 11:32 AM 196,224 rdpdr.sys
04/13/2008 05:13 PM 139,656 rdpwd.sys
08/03/2004 10:41 PM 13,776 recagent.sys
04/13/2008 11:40 AM 57,600 redbook.sys
04/13/2008 11:46 AM 59,136 rfcomm.sys
08/04/2004 12:00 PM 12,032 rio8drv.sys
08/04/2004 12:00 PM 12,032 riodrv.sys
05/08/2008 07:02 AM 203,136 rmcast.sys
04/13/2008 11:56 AM 30,592 rndismp.sys
04/13/2008 11:56 AM 30,592 rndismpx.sys
08/04/2004 05:00 AM 5,888 rootmdm.sys
08/03/2004 10:31 PM 20,992 RTL8139.sys
03/18/2004 01:26 PM 185,216 RTL8180.sys
08/03/2004 10:29 PM 166,912 s3gnbm.sys
04/13/2008 11:40 AM 96,384 scsiport.sys
04/13/2008 11:36 AM 79,232 sdbus.sys
11/13/2007 03:25 AM 20,480 secdrv.sys
04/13/2008 11:40 AM 15,744 serenum.sys
04/13/2008 12:15 PM 64,512 serial.sys
04/13/2008 11:40 AM 11,904 sffdisk.sys
04/13/2008 11:40 AM 10,240 sffp_mmc.sys
04/13/2008 11:40 AM 11,008 sffp_sd.sys
04/13/2008 11:40 AM 11,392 sfloppy.sys
04/13/2008 05:12 PM 3,901 siint5.dll
04/13/2008 11:36 AM 40,960 sisagp.sys
04/13/2008 11:46 AM 11,136 slip.sys
08/03/2004 10:41 PM 129,535 slnt7554.sys
08/03/2004 10:41 PM 404,990 slntamr.sys
08/03/2004 10:41 PM 95,424 slnthal.sys
08/03/2004 10:41 PM 13,240 slwdmsup.sys
04/13/2008 11:36 AM 5,888 smbali.sys
08/04/2004 05:00 AM 14,592 smclib.sys
04/13/2008 11:46 AM 25,344 sonydcam.sys
08/17/2001 01:56 PM 7,552 SONYPVU1.SYS
04/13/2008 11:45 AM 6,272 splitter.sys
04/13/2008 11:36 AM 73,472 sr.sys
12/11/2008 03:57 AM 333,952 srv.sys
06/09/2009 12:18 PM 28,520 ssmdrv.sys
04/13/2008 11:45 AM 49,408 stream.sys
04/13/2008 11:46 AM 15,232 streamip.sys
04/13/2008 11:39 AM 4,352 swenum.sys
04/13/2008 11:45 AM 56,576 swmidi.sys
05/12/2006 11:46 PM 10,344 symlcbrd.sys
04/13/2008 12:15 PM 60,800 sysaudio.sys
04/13/2008 11:40 AM 14,976 tape.sys
06/20/2008 04:51 AM 361,600 tcpip.sys
06/20/2008 04:08 AM 225,856 tcpip6.sys
04/13/2008 12:00 PM 19,072 tdi.sys
04/13/2008 05:13 PM 12,040 tdpipe.sys
04/13/2008 05:13 PM 21,896 tdtcp.sys
04/13/2008 05:13 PM 40,840 termdd.sys
08/04/2004 12:00 PM 51,712 tosdvd.sys
08/04/2004 12:00 PM 21,376 tsbvcap.sys
04/13/2008 11:56 AM 12,288 tunmp.sys
04/13/2008 11:36 AM 44,672 uagp35.sys
04/13/2008 11:32 AM 66,048 udfs.sys
01/20/2009 01:11 PM UMDF
04/13/2008 11:39 AM 384,768 update.sys
04/13/2008 11:56 AM 12,800 usb8023.sys
04/13/2008 11:56 AM 12,800 usb8023x.sys
07/09/2009 12:16 PM 39,424 usbaapl.sys
04/13/2008 11:45 AM 25,600 usbcamd.sys
04/13/2008 11:45 AM 25,728 usbcamd2.sys
04/13/2008 11:45 AM 32,128 usbccgp.sys
08/04/2004 05:00 AM 4,736 usbd.sys
04/13/2008 11:45 AM 30,208 usbehci.sys
04/13/2008 11:45 AM 59,520 usbhub.sys
04/13/2008 11:45 AM 15,872 usbintel.sys
04/13/2008 11:45 AM 143,872 usbport.sys
04/13/2008 11:47 AM 25,856 usbprint.sys
04/13/2008 12:45 PM 15,104 usbscan.sys
04/13/2008 11:45 AM 26,368 usbstor.sys
04/13/2008 11:45 AM 20,608 usbuhci.sys
04/13/2008 11:46 AM 121,984 usbvideo.sys
04/13/2008 05:12 PM 11,325 vchnt5.dll
08/04/2004 12:00 PM 58,112 vdmindvd.sys
04/13/2008 11:44 AM 20,992 vga.sys
04/13/2008 11:36 AM 42,240 viaagp.sys
07/02/2003 11:42 AM 27,904 VIAAGP1.SYS
04/13/2008 11:40 AM 5,376 viaide.sys
04/13/2008 11:44 AM 81,664 videoprt.sys
04/13/2008 11:41 AM 52,352 volsnap.sys
05/05/2004 09:28 PM 142,976 vtmini.sys
04/13/2008 11:43 AM 14,208 wacompen.sys
08/03/2004 10:29 PM 11,807 wadv07nt.sys
08/03/2004 10:29 PM 11,295 wadv08nt.sys
08/03/2004 10:29 PM 11,871 wadv09nt.sys
08/03/2004 10:29 PM 11,935 wadv11nt.sys
04/13/2008 11:57 AM 34,560 wanarp.sys
01/10/2003 06:13 PM 33,588 wanatw4.sys
08/03/2004 10:29 PM 22,271 watv06nt.sys
08/03/2004 10:29 PM 25,471 watv10nt.sys
11/02/2006 07:22 AM 492,000 wdf01000.sys
11/02/2006 07:22 AM 32,224 wdfldr.sys
04/13/2008 12:17 PM 83,072 wdmaud.sys
08/04/2004 05:00 AM 4,352 wmilib.sys
10/18/2006 09:00 PM 38,528 wpdusb.sys
08/04/2004 05:00 AM 12,032 ws2ifsl.sys
04/13/2008 11:46 AM 19,200 wstcodec.sys
09/28/2006 07:55 PM 77,568 WudfPf.sys
09/28/2006 08:00 PM 82,944 WudfRd.sys
305 File(s) 32,261,422 bytes

Directory of C:\Windows\System32\Drivers\disdn

08/11/2004 11:01 AM .
08/11/2004 11:01 AM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

04/13/2009 03:57 PM .
04/13/2009 03:57 PM ..
04/13/2009 03:57 PM 27 hosts
08/04/2004 05:00 AM 3,683 lmhosts.sam
08/04/2004 12:00 PM 407 networks
08/04/2004 12:00 PM 799 protocol
08/04/2004 12:00 PM 7,116 services
5 File(s) 12,032 bytes

Directory of C:\Windows\System32\Drivers\UMDF

01/20/2009 01:11 PM .
01/20/2009 01:11 PM ..
10/18/2006 10:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
311 File(s) 32,944,686 bytes
11 Dir(s) 6,499,409,920 bytes free


***********************Hidden Drivers********************
Volume in drive C is HP_PAVILION
Volume Serial Number is 28FB-76ED

Directory of C:\Windows\System32\Drivers

12/29/2004 03:04 PM 4,156 HP_PJ562AA-ABA a705w_YC_Pavi_QCNC441_E44NAheBLW1_4_IGamila Giovani Neon series_SMICRO-STAR INTERNATIONAL CO., LTD_V030_B3.15_T040805_WXH2_L409_M248_J40_7Intel_8Celeron_92.93_1_N10EC8139_P_Z11C1048C_K_A808624C5_U808624C2.MRK
05/22/2009 09:35 PM 0 MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
05/22/2009 09:35 PM 0 Msft_Kernel_motmodem_01005.Wdf
3 File(s) 4,156 bytes
0 Dir(s) 6,499,422,208 bytes free


*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 436 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 500 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 524 High C:\WINDOWS\system32\winlogon.exe
services.exe 568 Normal C:\WINDOWS\system32\services.exe
lsass.exe 580 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 740 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 804 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 872 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 940 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1048 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 1260 Normal C:\WINDOWS\Explorer.EXE
spoolsv.exe 1356 Normal C:\WINDOWS\system32\spoolsv.exe
sched.exe 1404 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
avgnt.exe 1628 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
alg.exe 1640 Normal C:\Program Files\Common Files\alg.exe
svchost.exe 1648 Normal C:\WINDOWS\system32\svchost.exe
ctfmon.exe 1656 Normal C:\WINDOWS\system32\ctfmon.exe
avguard.exe 1832 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
AOLAcsd.exe 1844 Normal C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
AppleMobileDeviceService.exe 1856 Normal C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
mDNSResponder.exe 1876 Normal C:\Program Files\Bonjour\mDNSResponder.exe
jqs.exe 1964 Idle C:\Program Files\Java\jre6\bin\jqs.exe
MDM.EXE 2008 Normal C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
npkcmsvc.exe 128 Normal C:\Nexon\Mabinogi\npkcmsvc.exe
svchost.exe 260 Normal C:\WINDOWS\system32\svchost.exe
symlcsvc.exe 388 Normal C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
wanmpsvc.exe 428 Normal C:\WINDOWS\wanmpsvc.exe
alg.exe 2340 Normal C:\WINDOWS\System32\alg.exe
svchost.exe 2608 Normal C:\WINDOWS\System32\svchost.exe
iPodService.exe 3384 Normal C:\Program Files\iPod\bin\iPodService.exe
firefox.exe 2464 Normal C:\Program Files\Mozilla Firefox\firefox.exe
wuauclt.exe 1672 Normal C:\WINDOWS\system32\wuauclt.exe
cmd.exe 3288 Normal C:\WINDOWS\system32\cmd.exe
processes.exe 904 Normal C:\Documents and Settings\HP_Owner\Desktop\SpiderKill\processes.exe


Module information for 'Explorer.EXE'(1260)
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5753 (xpsp_sp3_gdr.090203-1302) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5659 (xpsp_sp3_gdr.080819-1237) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5512 (xpsp.080413-0852) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 63000000 901120 C:\WINDOWS\system32\WININET.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
urlmon.dll 1a400000 1224704 C:\WINDOWS\system32\urlmon.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) OLE32 Extensions for Win32
iertutil.dll 5dca0000 1789952 C:\WINDOWS\system32\iertutil.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
cscui.dll 77a20000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
themeui.dll 5ba60000 462848 C:\WINDOWS\system32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
xpsp2res.dll 13f0000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 19e0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 18f0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
ieframe.dll 2060000 12001280 C:\WINDOWS\system32\ieframe.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) Internet Explorer
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
mslbui.dll 605d0000 36864 C:\WINDOWS\system32\mslbui.dll 5.1.2600.5512 (xpsp.080413-2105) LangageBar Add In
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
webcheck.dll 2d00000 249856 C:\WINDOWS\system32\webcheck.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) Web Site Monitor
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5727 (xpsp_sp3_gdr.081215-1359) Windows HTTP Services
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
fxsst.dll 68df0000 577536 C:\WINDOWS\system32\fxsst.dll 5.2.2600.5512 (xpsp.080413-0852) Fax Service
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
FXSAPI.dll 5a980000 466944 C:\WINDOWS\system32\FXSAPI.dll 5.2.2600.5512 (xpsp.080413-0852) Microsoft Fax API Support DLL
NTMARTA.DLL 77690000 135168 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.5512 (xpsp.080413-2113) Windows NT MARTA provider
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft® Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
SDHelper.dll 33b0000 1925120 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 6, 2, 14 SBSD IE Protection
comdlg32.dll 763b0000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.5512 (xpsp.080413-2105) Common Dialogs DLL
wsock32.dll 71ad0000 36864 C:\WINDOWS\system32\wsock32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 32-Bit DLL
faultrep.dll 69450000 90112 C:\WINDOWS\system32\faultrep.dll 5.1.2600.5512 (xpsp.080413-2108) Windows Error Reporting
olepro32.dll 5edd0000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.5512 5.1.2600.5512
jsproxy.dll 1780000 40960 C:\WINDOWS\system32\jsproxy.dll 8.00.6001.18241 (longhorn_ie8_beta2(wmbla).080822-0214) Jscript Proxy Auto-Configuration
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
shdoclc.dll 71800000 557056 C:\WINDOWS\system32\shdoclc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
wmvcore.dll 15110000 2473984 C:\WINDOWS\system32\wmvcore.dll 11.0.5721.5265 (WMP_11.090519-2220) Windows Media Playback/Authoring DLL
WMASF.DLL 11c70000 237568 C:\WINDOWS\system32\WMASF.DLL 11.0.5721.5238 (WMP_11.071025-0642) Windows Media ASF DLL
shmedia.dll 5cad0000 159744 C:\WINDOWS\system32\shmedia.dll 6.00.2900.5512 (xpsp.080413-2105) Media File Property Extractor Shell Extension
MSVFW32.dll 75a70000 135168 C:\WINDOWS\system32\MSVFW32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft Video for Windows DLL
AVIFIL32.dll 73b50000 94208 C:\WINDOWS\system32\AVIFIL32.dll 5.1.2600.5827 (xpsp_sp3_gdr.090610-1300) Microsoft AVI File support library
PDFShell.dll 10000000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 9.1.0.2009022700 PDF Shell Extension
MSVCR80.dll 78130000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll 8.00.50727.3053 Microsoft® C Runtime Library



******************************************
EOF

Re: BDS/Agent
Hi

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


==

Please post the F-Secure log/results and the Security Check log in your next reply.

Re: BDS/Agent
Scanning Report
Saturday, October 10, 2009 02:59:10 - 03:58:39

Computer name: OFFICECOMPUTER
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\
4 malware found
TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

Gen:Adware.Heur.Ku4@28k5E7ei (spyware)

* System (Not cleaned)

Gen:Adware.Heur.Ku4@2am1wbfi (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 34286
* System: 3689
* Not scanned: 8

Actions:

* Disinfected: 3
* Renamed: 0
* Deleted: 0
* Not cleaned: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
* C:\PROGRAM FILES\COMMON FILES\ALG.EXE

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics

Re: BDS/Agent
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner (remove only)
Java(TM) 6 Update 15
Java(TM) SE Development Kit 6 Update 14
Java DB 10.4.2.1
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: BDS/Agent
In addition to the original Avira alert, I am now receiving this pop-up when restarting my computer...

[Image: screenshot of the new pop-up]

Re: BDS/Agent
Hi

I removed my previous post. Let's try to disinfect using ComboFix:

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RcAuto1 - Recovery Console installation prompt]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext - ComboFix "What next?" message]



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Re: BDS/Agent
ComboFix 09-10-10.02 - HP_Owner 10/11/2009 4:47.14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.334 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\windows\Installer\1e2470ff.msi
c:\windows\Installer\1e247100.msp
c:\windows\Installer\1e247101.msp
c:\windows\Installer\1e247102.msp
c:\windows\Installer\1e247103.msp
c:\windows\Installer\1e247104.msp
c:\windows\Installer\1e247105.msp
c:\windows\Installer\1e247106.msp
c:\windows\Installer\1e247107.msp
c:\windows\Installer\1e247108.msp
c:\windows\Installer\6cb90.msp
c:\windows\Installer\bcf03.msp
c:\windows\Installer\bcf04.msp
c:\windows\Installer\bcf05.msp
c:\windows\Installer\bcf06.msp
c:\windows\Installer\bcf07.msp
c:\windows\Installer\bcf08.msp
c:\windows\Installer\bcf09.msp
c:\windows\Installer\bcf0a.msp
c:\windows\Installer\bcf0b.msp

.
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 09:46 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SulusGames
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-09-20 02:21 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-HijackThis - c:\documents and settings\HP_Owner\Desktop\HijackThis.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 05:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-11 5:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 12:12
ComboFix2.txt 2009-04-13 23:03

Pre-Run: 8,907,845,632 bytes free
Post-Run: 8,799,842,304 bytes free

373 --- E O F --- 2009-09-10 05:02

Re: BDS/Agent
Hi

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    File::
    c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe
    c:\program files\Weemi\weemi.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: Cfscriptb4]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: BDS/Agent

ComboFix 09-10-11.01 - HP_Owner 10/11/2009 15:44.15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.353 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe"
"c:\program files\Weemi\weemi.dll"
.

((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-10 09:46 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SulusGames
2009-08-13 01:12 . 2009-08-13 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-09-20 02:21 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-11_12.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-11 22:54 . 2009-10-11 22:54 16384 c:\windows\temp\Perflib_Perfdata_7d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 15:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-10-11 16:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 23:03
ComboFix2.txt 2009-10-11 12:12
ComboFix3.txt 2009-04-13 23:03

Pre-Run: 8,782,032,896 bytes free
Post-Run: 8,743,329,792 bytes free

209 --- E O F --- 2009-09-10 05:02

Re: BDS/Agent

Hi, let's try again.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Rootkit::
    c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe
    c:\program files\Weemi\weemi.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: Cfscriptb4]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: BDS/Agent

ComboFix 09-10-11.01 - HP_Owner 10/11/2009 23:41.16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.284 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-10 06:45 . 2009-10-10 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WeatherBug
2009-10-09 16:20 . 2009-10-09 16:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WeatherBug
2009-10-09 16:18 . 2009-10-10 12:55 -------- d-----w- c:\program files\Weemi
2009-10-09 16:18 . 2009-10-10 22:53 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-10-09 05:26 . 2009-10-09 05:26 -------- d-----w- c:\program files\Games
2009-09-22 08:07 . 2009-09-22 08:07 691420 ----a-w- c:\windows\system32\Client.exe
2009-09-21 02:11 . 2009-09-21 02:11 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\V-Games
2009-09-18 21:19 . 2009-09-18 21:22 -------- d-----w- c:\program files\Nancy Drew Dossier - Resorting to Danger
2009-09-18 03:36 . 2009-10-03 04:01 45 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences2.dat
2009-09-18 03:36 . 2009-10-03 04:06 38 ----a-w- c:\documents and settings\HP_Owner\jagex_runescape_preferences.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 04:08 . 2008-12-09 01:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-11 04:24 . 2009-03-01 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-10 22:18 . 2009-03-01 00:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-09 22:58 . 2008-12-09 10:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-10-09 05:29 . 2008-10-05 22:01 -------- d-----w- c:\program files\Diablo II
2009-10-09 02:23 . 2008-12-09 01:19 -------- d-----w- c:\program files\bfgclient
2009-10-09 02:22 . 2008-12-09 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-10-09 00:43 . 2009-04-06 06:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 10:47 . 2009-04-02 09:55 -------- d-----w- c:\program files\support.com
2009-09-20 02:51 . 2009-07-01 00:35 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ERS G-Studio
2009-09-18 07:26 . 2009-01-06 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-09-17 23:32 . 2009-08-29 22:39 -------- d-----w- c:\program files\Princess Isabella A Witch's Curse
2009-09-10 21:54 . 2009-04-06 06:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-06 06:05 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 00:47 . 2009-03-03 01:22 -------- d-----w- c:\program files\Google
2009-09-07 02:00 . 2009-01-07 02:06 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Big Fish Games
2009-09-05 00:44 . 2009-09-17 23:38 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-05 00:44 . 2009-09-17 23:38 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-05 00:29 . 2009-09-17 23:38 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-05 00:29 . 2009-09-17 23:38 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-26 11:13 . 2005-02-22 00:34 33968 -c--a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 04:27 . 2004-12-29 22:03 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-08-26 04:26 . 2008-08-29 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-26 04:24 . 2009-08-26 04:23 -------- d-----w- c:\program files\iTunes
2009-08-26 04:24 . 2009-08-26 04:24 -------- d-----w- c:\program files\iPod
2009-08-26 04:24 . 2008-08-29 22:01 -------- d-----w- c:\program files\Common Files\Apple
2009-08-26 04:21 . 2009-08-26 04:20 -------- d-----w- c:\program files\QuickTime
2009-08-25 03:08 . 2009-08-25 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Princess Isabella
2009-08-22 03:20 . 2009-08-22 03:20 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Batovi
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\MSBuild
2009-08-14 22:35 . 2009-08-14 22:35 -------- d-----w- c:\program files\Reference Assemblies
2009-08-14 03:45 . 2009-08-14 03:45 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\she_is_a_shadow
2009-08-07 02:24 . 2004-09-20 02:21 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-09-20 02:21 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-12-30 03:09 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-09-20 02:21 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-09-20 03:11 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-09-20 02:21 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2008-06-10 02:37 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23 . 2008-06-10 02:37 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23 . 2004-09-20 02:21 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 20:12 . 2009-04-14 18:57 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-09-20 02:19 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2008-12-22 15:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-09-20 03:11 58880 ----a-w- c:\windows\system32\atl.dll
2005-12-16 16:11 . 2005-12-16 16:11 996968 ----a-w- c:\program files\aolsetup.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-05-28 02:15 . 2005-05-28 02:15 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-11_12.04.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-12 06:51 . 2009-10-12 06:51 16384 c:\windows\temp\Perflib_Perfdata_b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^HP Organize.lnk]
path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\HP Organize.lnk
backup=c:\windows\pss\HP Organize.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [5/12/2006 11:33 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [5/12/2006 11:33 PM 3904]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 BCM42U;USB HPNA 10 Mbps Network Adapter Driver;c:\windows\system32\drivers\bcm42u.sys [4/4/2008 1:04 AM 66557]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-10-12 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\6rwwrgi5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-11 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\wanmpsvc.exe
.
**************************************************************************
.
Completion time: 2009-10-12 23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 06:59
ComboFix2.txt 2009-10-11 23:03
ComboFix3.txt 2009-10-11 12:12
ComboFix4.txt 2009-04-13 23:03

Pre-Run: 8,753,082,368 bytes free
Post-Run: 8,714,100,736 bytes free

204 --- E O F --- 2009-09-10 05:02
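The Weemi service survived both CFScript runs above, and the tell-tale signs were already in the "Reg Loading Points" service listing: a binary under All Users\Application Data and a trailing [?] where ComboFix normally prints a date and size. As an added example (not code from this thread or from ComboFix), the following Python triage pass parses service lines in that format, using sample lines constructed from the log above, and flags the entries a helper would check first; the user-writable path markers, the extension list and the flag wording are my own assumptions, not ComboFix's.

```python
"""Triage the service entries ComboFix prints under "Reg Loading Points".

Added example for this thread; not ComboFix's own code. Line format handled:
  <R2|S2|S3> <name>;<display>;<image path> [<date> <size>]
  <R2|S2|S3> <name>;<display>;<ImagePath value> --> <resolved file> [?]
A trailing [?] is printed when ComboFix could not stat the binary.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: service lines in the same format as the log in this thread.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/14/2009 12:10 PM 108289]
S2 gupdate1c99b9e8f903320;Google Update Service (gupdate1c99b9e8f903320);c:\program files\Google\Update\GoogleUpdate.exe [3/2/2009 6:22 PM 133104]
S2 Weemi Service;Weemi Service;"c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe" "c:\program files\Weemi\weemi.dll" Service --> c:\documents and settings\All Users\Application Data\Weemi\weemi121.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rtl8180;Realtek RTL8180 Wireless LAN (Mini-)PCI NIC NT Driver;c:\windows\system32\drivers\RTL8180.sys [3/18/2004 1:26 PM 185216]
"""

# start type ; short name ; display name ; command ; bracketed detail
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]\s*$")
# First executable-looking token of a command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|sys|des|com))"?(?=\s|$)', re.IGNORECASE)

# Assumed markers: directories an ordinary user can write to, where a
# service binary normally has no business living (Windows XP layout).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\downloaded program files\\",
)
NORMAL_SERVICE_EXTENSIONS = ("exe", "sys", "dll")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image_path: str          # resolved binary path, quotes and arguments stripped
    detail: str              # contents of the trailing [...]
    flags: list = field(default_factory=list)


def parse_service_line(line):
    """Return a ServiceEntry for a ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, cmd, detail = m.groups()
    # When ImagePath and the file ComboFix resolved differ, the resolved file
    # is printed after "-->"; that is the binary actually on disk.
    if " --> " in cmd:
        cmd = cmd.rsplit(" --> ", 1)[1]
    exe = EXE_RE.match(cmd.strip())
    path = exe.group(1) if exe else cmd.strip()
    return ServiceEntry(start, name.strip(), display.strip(), path, detail.strip())


def flag_entry(entry):
    """Attach review flags to an entry; an empty flags list means nothing stood out."""
    low = entry.image_path.lower()
    if entry.detail == "?":
        entry.flags.append("unverified: ComboFix could not stat the binary (missing or hidden)")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        entry.flags.append("binary lives under a user-writable profile/temp directory")
    ext = low.rsplit(".", 1)[-1] if "." in low else ""
    if ext not in NORMAL_SERVICE_EXTENSIONS:
        entry.flags.append("unusual service binary extension ." + ext)
    return entry


def triage(log_text):
    """Parse every service line in the log and return only the flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry and flag_entry(entry).flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.start} {entry.name}: {entry.image_path}")
        for flag in entry.flags:
            print("    -", flag)
```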

Re: BDS/Agent

Hi

This is being rather difficult. Weemi is malicious software, and ComboFix is not able to remove it. So it must be done manually.

Please print these instructions or copy and paste them to Notepad and save to your Desktop.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Enable the viewing of hidden files

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Show hidden files and folders option.
  • Deselect the Hide file extensions for known types option.
  • Deselect the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Navigate to and delete these folders:

C:\Program Files\Weemi
c:\documents and settings\All Users\Application Data\Weemi

If it gives you any issues on deleting them, follow this tutorial to take ownership of them, so then you can delete them: http://support.microsoft.com/kb/308421

Reboot your computer back to Normal Mode and please tell me if you are experiencing the same issues.

Re: BDS/Agent

Everything seems fine, I am no longer receiving pop-ups after rebooting.

Edit: Just received this from Avira...
Virus or unwanted program 'BDS/Agent.fhh [backdoor]'
detected in file 'C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP206\A0037117.exe.
Action performed: Deny access

Re: BDS/Agent

Hi

That can be gotten rid of easily by clearing System Restore:

Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the Warning and select OK again, the program will close and you are done


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: BDS/Agent

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
CCleaner (remove only)
Java(TM) 6 Update 15
Java(TM) SE Development Kit 6 Update 14
Java DB 10.4.2.1
Adobe Flash Player 10
Adobe Reader 9.1
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: BDS/Agent

Cool.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: BDS/Agent

Noticed Weemi is still listed on HijackThis, should I ignore this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:07 PM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Go%20Go%20Gourmet%20-%20Chef%20of%20the%20Year/Images/stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mystery%20Case%20Files%20-%20Ravenhearst/Images/armhelper.ocx
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1c99b9e8f903320) (gupdate1c99b9e8f903320) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Weemi Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Weemi\weemi121.exe (file missing)

--
End of file - 6356 bytes

Re: BDS/Agent

It seems there is no file there to help the program run any more, which is good. To be safe, fix that entry.

Open HijackThis, and Do a System Scan only. Place a checkmark next to this entry:
O23 - Service: Weemi Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Weemi\weemi121.exe (file missing)

Click Fix Checked. Close HijackThis.

Reboot your computer. Then, that should disappear. How is your computer running?
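The triage the helper does by eye in this thread (an O23 service entry whose binary is missing, with no publisher, registered under All Users\Application Data; and, in the first log, a file carrying the name of a Windows system binary, alg.exe, running from Common Files instead of System32) can be scripted over a HijackThis log. The script below is an added example written for this page, not a tool from the thread or from Trend Micro. The sample lines are copied from the logs posted above; the list of System32-only binary names and the user-writable path prefixes are this example's own assumptions and would need extending for a real triage.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\alg.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: Weemi Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Weemi\weemi121.exe (file missing)
"""

# Assumption for this example: names Windows XP ships only under %SystemRoot%\System32.
# The same file name anywhere else (Common Files\alg.exe in this thread) is a masquerade.
SYSTEM32_ONLY = {"alg.exe", "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

# Assumption for this example: locations an ordinary XP user can write to.
# A service binary registered there deserves a second look.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\windows\\temp\\",
)

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
PROCESS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def check_process(path):
    """Flag a running process whose file name belongs to System32 but whose path is not there."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM32_ONLY and not low.startswith("c:\\windows\\system32\\"):
        return ("high", f"{name} running outside System32: {path}")
    return None


def check_service(line):
    """Return findings for one O23 line: user-writable path, orphaned entry, no publisher."""
    m = O23_RE.match(line)
    if not m:
        return []
    name, owner, path, missing = m.group("name", "owner", "path", "missing")
    low = path.lower()
    findings = []
    in_user_dir = low.startswith(USER_WRITABLE_PREFIXES)
    if in_user_dir:
        findings.append(("high", f"service '{name}' runs from a user-writable directory: {path}"))
    if missing:
        # An entry with no binary behind it cannot start, but it is still a loose end to fix;
        # rate it high only when the location itself is suspicious.
        sev = "high" if in_user_dir else "low"
        findings.append((sev, f"service '{name}' points at a missing file (orphaned entry): {path}"))
    elif owner == "Unknown owner":
        findings.append(("info", f"service '{name}' has no publisher information: {path}"))
    return findings


def triage(log_text):
    """Walk a HijackThis log and collect (severity, message) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - Service:"):
            findings.extend(check_service(line))
        elif PROCESS_RE.match(line):
            f = check_process(line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    order = {"high": 0, "low": 1, "info": 2}
    for sev, msg in sorted(triage(SAMPLE_LOG), key=lambda f: order[f[0]]):
        print(f"[{sev}] {msg}")
```

Run against the sample, the script rates the Weemi entry high on two counts (user-writable location, missing binary), rates the Nero entry low (orphaned but in Program Files, which matches how the helper treated it), and flags alg.exe under Common Files as a system-binary masquerade. Avira's service produces nothing. The "(file missing)" text comes from HijackThis itself, so the script only reports what the log already states; confirming that a path really is absent, or that a present file is signed, still needs checks on the machine.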

Re: BDS/Agent

It's great, thank you. I really appreciate all you've done.
