Tweaks.com Forum / Windows & System Security / HiJack This Logs / Numerous infections, numous scans .... still have some work to do / Latest Posts

RE: Numerous infections, numous scans .... still have some work to do

RichieUK — Sat, 17 May 2008 18:52:36 GMT

You're welcome.

RE: Numerous infections, numous scans .... still have some work to do

fairlite — Sat, 17 May 2008 17:50:57 GMT

Thanks so much~ Once again!

RE: Numerous infections, numous scans .... still have some work to do

RichieUK — Sat, 17 May 2008 17:09:08 GMT

Your log is clean:),please do the following:

Click on Start/Run,copy and paste [b]ComboFix /u[/b] into the 'Open:' space,then press Ok.
This will uninstall Combofix,delete its related folders and files,reset your clock settings,hide file extensions,hide the system/hidden files and resets System Restore.

[IMG]http://img.photobucket.com/albums/v624/29wood/comu.gif[/IMG]

Please double-click [b]OTMoveIt.exe[/b] again to run it.
Click on the 'Cleanup' button [IMG]http://img.photobucket.com/albums/v624/29wood/Clipboard01cleanup.gif[/IMG]
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
[b]Restart your pc when prompted.[/b]

You should now take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

[b][color="blue"]Simple and easy ways to keep your computer safe and secure on the Internet[/color][/b]:
[url]http://www.bleepingcomputer.com/tutorials/tutorial82.html[/url]

[b][color="blue"]How to prevent Malware[/color][/b]:
[url]http://users.telenet.be/bluepatchy/miekiemoes/prevention.html[/url]

[B][color="blue"]So how did I get infected in the first place[/color][/B]:
[URL]http://forums.spybot.info/showthread.php?t=279[/URL]

[B][color="blue"]Malware Cleanup Programs and Preventative Procedures[/color][/B]:
[URL]http://russelltexas.com/malware/allclear.htm[/URL]

[b][color="blue"]Hardening Windows Security - Part 1[/color][/b]:
[url]http://www.malwarehelp.org/Malware-Prevention-Hardening-Windows-Security1.html[/url]

[b][color="blue"]Hardening Windows Security - Part 2[/color][/b]:
[url]http://www.malwarehelp.org/malware-prevention-hardening-windows-security2.html[/url]

RE: Numerous infections, numous scans .... still have some work to do

fairlite — Sat, 17 May 2008 12:29:29 GMT

C:\WINDOWS\BMc303b894.xml moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05172008_110652

______________________________________________________________________

Malwarebytes' Anti-Malware 1.12
Database version: 758

Scan type: Quick Scan
Objects scanned: 50370
Time elapsed: 13 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_____________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:52 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Total Recorder Professional 6\TotRecSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Chris\Desktop\OldTimerMoveIt2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\Total Recorder Professional 6\TotRecSched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\AnyDVD\AnyDVDtray.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107394181500
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///D:/components/wmvhdrating.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62EC955C-255C-405C-A396-1967C4580BEB}: NameServer = 204.174.120.45 204.174.120.46
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\CounterSpy\SBCSSvc.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe

--
End of file - 9278 bytes

RE: Numerous infections, numous scans .... still have some work to do

RichieUK — Sat, 17 May 2008 03:31:27 GMT

Please download [b]OTMoveIt[/b] by [b]OldTimer[/b],save it to your desktop:
[url]http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe[/url]
Please double-click OTMoveIt.exe to run it.
Copy ALL the text inside the code box below to the clipboard by highlighting [b]ALL[/b] of it and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

[quote]C:\WINDOWS\BMc303b894.xml[/quote]
Return to OTMoveIt, right click on the "[b]Paste List of Files/Folders to Move[/b]" window under the [b]"yellow"[/b] bar,and choose [b]Paste[/b],see image below:

[IMG]http://img.photobucket.com/albums/v624/29wood/Clipboard01-3.png[/IMG]

Click on the Moveit! button [IMG]http://img.photobucket.com/albums/v624/29wood/Clipboard01moveit.gif[/IMG]
[b]Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.[/b]
Close OTMoveIt by clicking on the "Exit" button.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose [b]Yes[/b].

Please download [b][color="red"]Malwarebytes Anti-Malware[/color][/b]:
[url]http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html[/url]
[url]http://www.besttechie.net/tools/mbam-setup.exe[/url]

Double Click mbam-setup.exe to install the application.
(If using Windows Vista,be sure to [b][url=http://windowshelp.microsoft.com/Windows/en-US/Help/fb464905-31d5-4427-89a2-ed5322327fc21033.mspx][color="blue"]"Run As Administrator"[/color][/url][/b]).

* Make sure a checkmark is placed next to [b]Update Malwarebytes' Anti-Malware[/b] and [b]Launch Malwarebytes' Anti-Malware[/b], then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* [b]Copy and paste the entire report into your next reply[/b].

Extra Note:
[b][color="green"]If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.[/color][/b]

[b]Also post a new Hijackthis log please.[/b]

RE: Numerous infections, numous scans .... still have some work to do

fairlite — Fri, 16 May 2008 22:05:51 GMT

My PC seems to be running 'excellent' once again Richie. THANKS. I'd like to add, I do not use p2p programs other than soulseek which is strictly mp3 so no viruses/malware. I did have my browser security and cookies set to low, actually cookies were set to 'accept all cookies!' I would assume this is not good! I can't believe I found my browser settings in this state. I use bit torrents sometimes as carefully as i can and i know this poses a risk as well. What would you recommend I run for AV and spyware guard? It seems very tough to find 1 program to protect from and remove all infections. SpyNoMore seems to find the most but I realize this is a case-by-case type of thing. Anyway, it just seems to be happening all-too-often lately! I'm sure there's a guide somewhere on here. I'll search for one in the meantime. Thanks again.

Chris

RE: Numerous infections, numous scans .... still have some work to do

fairlite — Fri, 16 May 2008 18:38:08 GMT

ComboFix 08-05-15.3 - Chris 2008-05-16 17:19:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.370 [GMT -6:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\hdouopdd.dll
C:\WINDOWS\system32\xgddunxf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\hdouopdd.dll
C:\WINDOWS\system32\xgddunxf.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 13:57 . 2008-05-16 13:57 <DIR> d-------- C:\Documents and Settings\Christopher\Accessories
2008-05-16 13:24 . 2008-05-16 13:24 0 --a------ C:\WINDOWS\BMc303b894.xml
2008-05-16 10:47 . 2008-05-16 10:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 09:08 . 2008-05-16 09:30 <DIR> d-------- C:\Program Files\SpyNoMore
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Program Files\Avira
2008-05-15 23:22 . 2008-05-15 23:22 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-15 23:21 . 2008-05-15 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-05-15 23:20 . 2008-05-16 00:06 <DIR> d-------- C:\Program Files\CounterSpy
2008-05-15 18:14 . 2008-05-16 13:07 4,566 --a------ C:\WINDOWS\imsins.BAK
2008-05-15 10:32 . 2008-05-15 10:59 <DIR> d-------- C:\Program Files\Cucusoft AVI To DVD Pro
2008-05-15 09:32 . 2008-05-15 09:33 <DIR> d-------- C:\Program Files\Cucusoft Ultimate Video Converter
2008-05-15 09:32 . 2006-09-11 04:13 409,600 --a------ C:\WINDOWS\system32\vampd.ax
2008-05-15 09:32 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2008-05-15 09:32 . 2008-01-25 21:06 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2008-05-15 09:32 . 2006-09-27 17:46 348,160 --a------ C:\WINDOWS\system32\cdga.dll
2008-05-15 09:32 . 2006-07-08 04:07 114,688 --a------ C:\WINDOWS\system32\PropListCtrl.ocx
2008-05-15 09:32 . 2006-07-17 21:42 14,909 --a------ C:\WINDOWS\system32\A_reg.reg
2008-05-09 12:41 . 2008-05-09 12:41 <DIR> d-------- C:\Program Files\Synaptics
2008-05-09 12:41 . 2007-12-05 16:11 177,664 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-05-09 12:41 . 2007-12-05 16:12 110,592 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-05-09 12:41 . 2007-12-05 16:12 110,592 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-05-09 12:41 . 2007-12-05 17:10 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-05-09 12:41 . 2007-12-05 16:12 73,728 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-05-09 12:41 . 2007-12-05 16:14 65,536 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-05-09 12:13 . 2007-03-21 13:33 1,257,566 -ra------ C:\WINDOWS\system32\dsa.dll
2008-05-09 12:13 . 2007-03-21 13:46 254,023 --a------ C:\WINDOWS\system32\wsfwDS.dll
2008-05-09 12:13 . 2007-03-21 13:46 249,925 --a------ C:\WINDOWS\system32\wsimd.dll
2008-05-09 12:13 . 2007-03-21 13:33 82,017 -ra------ C:\WINDOWS\system32\dsaNac.dll
2008-05-09 12:12 . 2008-05-09 12:12 <DIR> d-------- C:\Program Files\ThinkPad R51
2008-05-09 12:12 . 2007-10-26 01:20 549,184 --a------ C:\WINDOWS\system32\ar5211.sys
2008-05-09 12:12 . 2006-08-07 14:17 118,784 --a------ C:\WINDOWS\system32\ATHCFG10.DLL
2008-05-09 12:12 . 2007-10-26 01:20 100,996 --a------ C:\WINDOWS\system32\net5211.inf
2008-05-09 12:12 . 2007-07-03 18:46 57,344 --a------ C:\WINDOWS\system32\wsimd.sys
2008-05-09 12:12 . 2007-07-03 18:46 57,344 --------- C:\WINDOWS\system32\drivers\wsimd.sys
2008-05-09 12:12 . 2007-10-29 12:47 23,501 --a------ C:\WINDOWS\system32\net5211.cat
2008-05-09 12:12 . 2007-07-28 17:07 12,552 --a------ C:\WINDOWS\system32\wsimdp.cat
2008-05-09 12:12 . 2007-07-28 17:07 12,129 --a------ C:\WINDOWS\system32\wsimd.cat
2008-05-09 12:12 . 2007-07-03 18:46 5,361 --a------ C:\WINDOWS\system32\wsimdp.inf
2008-05-09 12:12 . 2007-07-03 18:46 2,179 --a------ C:\WINDOWS\system32\wsimd.inf
2008-05-09 11:56 . 2008-05-09 11:56 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-05-09 09:54 . 2008-05-09 09:57 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-09 09:53 . 2008-05-09 09:54 <DIR> d-------- C:\Program Files\Nero 7.8.5.0 Premium
2008-05-04 18:48 . 2008-05-06 10:24 <DIR> d-------- C:\Program Files\Spybot S&D
2008-05-04 18:48 . 2008-05-06 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-04 17:56 . 2008-05-04 17:56 <DIR> d-------- C:\Program Files\KillBox
2008-05-02 12:14 . 2008-05-02 12:17 <DIR> d-------- C:\Program Files\Kaspersky Antivirus 7
2008-05-01 18:12 . 2008-05-01 18:12 <DIR> d-------- C:\Program Files\ACW
2008-05-01 14:01 . 2008-05-01 14:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-01 12:31 . 2008-05-01 12:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-01 12:31 . 2008-05-01 12:31 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Sunbelt Software
2008-05-01 11:54 . 2006-08-24 15:56 40,832 --a------ C:\WINDOWS\system32\drivers\apusbsnt.sys
2008-05-01 11:54 . 2005-03-15 11:11 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2008-05-01 11:54 . 2006-08-24 15:57 11,776 --a------ C:\WINDOWS\system32\apusbdco.dll
2008-05-01 00:05 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-04-30 22:03 . 2008-04-30 22:17 <DIR> d-------- C:\Program Files\SpyZooka
2008-04-30 21:48 . 2008-04-30 21:50 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Mp3tag
2008-04-30 21:47 . 2008-04-30 21:47 <DIR> d-------- C:\Program Files\Mp3tag
2008-04-30 20:27 . 2008-05-03 08:28 <DIR> d-------- C:\Program Files\Virtual DJ Pro 5
2008-04-30 17:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-30 17:49 . 2008-04-30 17:50 <DIR> d-------- C:\Program Files\Java
2008-04-30 17:46 . 2008-04-30 17:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 13:49 . 2008-04-30 13:49 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-04-30 13:14 . 2008-04-30 13:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 01:49 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-29 19:26 . 2008-04-29 19:26 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-04-29 19:18 . 2008-05-09 09:43 <DIR> d-------- C:\Program Files\Nero
2008-04-29 19:18 . 2008-05-02 03:31 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-29 19:18 . 2008-05-09 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-29 19:03 . 2008-04-29 19:03 <DIR> d-------- C:\Program Files\MagicISO
2008-04-28 19:29 . 2008-04-28 19:29 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 22:44 . 2008-04-30 21:02 <DIR> d-------- C:\WINDOWS\RegCure
2008-04-27 22:44 . 2008-04-30 21:02 <DIR> d-------- C:\Program Files\RegCure
2008-04-26 17:18 . 2008-04-26 17:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-24 12:05 . 2008-04-24 12:28 <DIR> d-------- C:\Program Files\QuickTax 2007
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Intuit Canada
2008-04-24 12:03 . 2008-04-24 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-04-22 23:13 . 2008-04-22 23:13 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\GTek
2008-04-22 23:13 . 2008-04-22 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-04-22 23:13 . 2008-04-22 23:13 5,248 --a------ C:\WINDOWS\system32\OEMINFO.PNF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 20:12 --------- d-----w C:\Program Files\Azureus
2008-05-16 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 04:32 --------- d-----w C:\Program Files\XoftSpy SE
2008-05-16 00:12 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-15 16:34 --------- d-----w C:\Documents and Settings\Chris\Application Data\Azureus
2008-05-15 04:21 --------- d-----w C:\Program Files\AnyDVD
2008-05-09 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-09 18:01 --------- d-----w C:\Program Files\ThinkPad
2008-05-05 20:07 --------- d-----w C:\Program Files\Soulseek
2008-05-02 18:38 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd6637.sys
2008-05-01 22:02 --------- d-----w C:\Program Files\Power ISO
2008-04-30 19:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-30 19:16 --------- d-----w C:\Documents and Settings\Chris\Application Data\SUPERAntiSpyware.com
2008-04-29 22:34 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-25 05:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 22:15 --------- d-----w C:\Program Files\Native Instruments
2008-04-15 22:13 --------- d-----w C:\Program Files\Syncrosoft
2008-04-15 21:52 --------- d-----w C:\Program Files\Games
2008-04-14 18:02 --------- d-----w C:\Program Files\DivX
2008-04-09 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-06 11:27 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-04-04 04:39 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-03 05:41 3,532 ----a-w C:\drmHeader.bin
2008-04-03 04:18 --------- d-----w C:\Program Files\Windows Live
2008-04-03 04:16 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-03 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 21:25 831,488 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-02 00:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-07-23 18:50 39,832 ----a-w C:\Documents and Settings\Chris\Application Data\GDIPFONTCACHEV1.DAT
2007-02-06 00:11 87,608 ----a-w C:\Documents and Settings\Chris\Application Data\ezpinst.exe
2007-02-06 00:11 47,360 ----a-w C:\Documents and Settings\Chris\Application Data\pcouffin.sys
2006-10-10 13:25 14 ----a-w C:\Documents and Settings\Chris\getfile.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="" []
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"AnyDVD"="C:\Program Files\AnyDVD\AnyDVDtray.exe" [2008-05-13 12:41 2091968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TotalRecorderScheduler"="C:\Program Files\Total Recorder Professional 6\TotRecSched.exe" [2006-05-12 02:32 86016]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-12-05 16:14 122880]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-05 16:14 524288]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"SBCSTray"="C:\Program Files\CounterSpy\SBCSTray.exe" [2007-12-21 15:30 698864]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"CTHelper"="CTHELPER.EXE" [2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 02:38 110592]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-05-16 01:37 262401]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-02-06 21:00 344064]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-16 23:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"VIDC.ZMBV"= zmbv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Games\\Kyodai Mahjongg 2006\\kmj.exe"=
"C:\\Program Files\\Motorola\\Software Update\\msu.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:LimeWire UDP
"6881:TCP"= 6881:TCP:Azureus TCP
"6881:UDP"= 6881:UDP:Azureus UDP
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2008-05-15 23:22]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 02:38]
R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-26 11:43]
R2 SwiWiFiComm;SwiWiFiComm;C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe [2007-03-16 15:50]
R3 apusbsnt;Sierra Wireless USB Modem Device Driver;C:\WINDOWS\system32\DRIVERS\apusbsnt.sys [2006-08-24 15:56]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2007-07-03 18:46]
S3 atinysxx;ATI USB 2.0 TV Audio Crossbar;C:\WINDOWS\system32\DRIVERS\atinysxx.sys [2005-01-25 20:36]
S3 atinyvxx;ATI TV WONDER USB2.0 Video & Audio;C:\WINDOWS\system32\DRIVERS\atinyvxx.sys [2005-01-25 20:36]
S3 ATITUNEP2;ATI TV WONDER USB2.0 TV Tuner;C:\WINDOWS\system32\DRIVERS\atinyuxx.sys [2005-01-25 20:37]
S3 ATIUTD;ATI TV WONDER USB2.0 Device Driver;C:\WINDOWS\system32\Drivers\ATIUTD.sys [2005-01-25 20:37]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-10-10 17:41]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-26 11:43]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-26 11:43]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S3 TTDec;ATI TV WONDER USB2.0 Teletext Decoder;C:\WINDOWS\system32\DRIVERS\atinyttx.sys [2005-01-25 20:33]

.
Contents of the 'Scheduled Tasks' folder
"2006-03-11 10:42:52 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-05-16 23:30:16 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-16 23:26:08 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-06-06 04:59:37 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy 4\XoftSpy.exe
"2008-05-16 23:26:08 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpy SE\XoftSpy.exe
"2008-05-10 10:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpy SE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 17:27:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-16 17:35:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 23:35:39
ComboFix2.txt 2008-05-16 19:30:11
ComboFix3.txt 2008-05-16 17:58:59
ComboFix4.txt 2008-05-01 00:15:51

Pre-Run: 5,696,503,808 bytes free
Post-Run: 5,672,001,536 bytes free

303 --- E O F --- 2008-05-16 18:11:05
___________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:50 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Total Recorder Professional 6\TotRecSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

--
End of file - 9239 bytes

RE: Numerous infections, numous scans .... still have some work to do

RichieUK — Fri, 16 May 2008 16:39:07 GMT

RE: Numerous infections, numous scans .... still have some work to do

fairlite — Fri, 16 May 2008 14:35:05 GMT

ComboFix 08-05-15.3 - Chris 2008-05-16 13:14:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.348 [GMT -6:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\BMc303b894.xml
C:\WINDOWS\system32\feqbfrob.dll
C:\WINDOWS\system32\yayaYsSJ.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMc303b894.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\feqbfrob.dll
C:\WINDOWS\system32\JSsYayay.ini
C:\WINDOWS\system32\JSsYayay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\yayaYsSJ.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-16 to 2008-05-16 )))))))))))))))))))))))))))))))
.

2008-05-16 13:02 . 2008-05-16 13:02 125,952 --a------ C:\WINDOWS\system32\xgddunxf.dll
2008-05-16 13:02 . 2008-05-16 13:02 125,952 --a------ C:\WINDOWS\system32\hdouopdd.dll
2008-05-16 10:47 . 2008-05-16 10:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-16 09:08 . 2008-05-16 09:30 <DIR> d-------- C:\Program Files\SpyNoMore
2008-05-15 23:52 . 2008-05-15 23:52 <DIR> d-------- C:\Program Files\Avira
2008-05-15 23:22 . 2008-05-15 23:22 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2008-05-15 23:21 . 2008-05-15 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-05-15 23:20 . 2008-05-16 00:06 <DIR> d-------- C:\Program Files\CounterSpy
2008-05-15 18:14 . 2008-05-16 13:07 4,566 --a------ C:\WINDOWS\imsins.BAK
2008-05-15 10:32 . 2008-05-15 10:59 <DIR> d-------- C:\Program Files\Cucusoft AVI To DVD Pro
2008-05-15 09:32 . 2008-05-15 09:33 <DIR> d-------- C:\Program Files\Cucusoft Ultimate Video Converter
2008-05-15 09:32 . 2006-09-11 04:13 409,600 --a------ C:\WINDOWS\system32\vampd.ax
2008-05-15 09:32 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2008-05-15 09:32 . 2008-01-25 21:06 364,544 --a------ C:\WINDOWS\system32\cdg.dll
2008-05-15 09:32 . 2006-09-27 17:46 348,160 --a------ C:\WINDOWS\system32\cdga.dll
2008-05-15 09:32 . 2006-07-08 04:07 114,688 --a------ C:\WINDOWS\system32\PropListCtrl.ocx
2008-05-15 09:32 . 2006-07-17 21:42 14,909 --a------ C:\WINDOWS\system32\A_reg.reg
2008-05-09 12:41 . 2008-05-09 12:41 <DIR> d-------- C:\Program Files\Synaptics
2008-05-09 12:41 . 2007-12-05 16:11 177,664 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2008-05-09 12:41 . 2007-12-05 16:12 110,592 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2008-05-09 12:41 . 2007-12-05 16:12 110,592 --a------ C:\WINDOWS\system32\SynCtrl.dll
2008-05-09 12:41 . 2007-12-05 17:10 77,824 --a------ C:\WINDOWS\system32\SynTPCoI.dll
2008-05-09 12:41 . 2007-12-05 16:12 73,728 --a------ C:\WINDOWS\system32\SynCOM.dll
2008-05-09 12:41 . 2007-12-05 16:14 65,536 --a------ C:\WINDOWS\system32\SynTPFcs.dll
2008-05-09 12:13 . 2007-03-21 13:33 1,257,566 -ra------ C:\WINDOWS\system32\dsa.dll
2008-05-09 12:13 . 2007-03-21 13:46 254,023 --a------ C:\WINDOWS\system32\wsfwDS.dll
2008-05-09 12:13 . 2007-03-21 13:46 249,925 --a------ C:\WINDOWS\system32\wsimd.dll
2008-05-09 12:13 . 2007-03-21 13:33 82,017 -ra------ C:\WINDOWS\system32\dsaNac.dll
2008-05-09 12:12 . 2008-05-09 12:12 <DIR> d-------- C:\Program Files\ThinkPad R51
2008-05-09 12:12 . 2007-10-26 01:20 549,184 --a------ C:\WINDOWS\system32\ar5211.sys
2008-05-09 12:12 . 2006-08-07 14:17 118,784 --a------ C:\WINDOWS\system32\ATHCFG10.DLL
2008-05-09 12:12 . 2007-10-26 01:20 100,996 --a------ C:\WINDOWS\system32\net5211.inf
2008-05-09 12:12 . 2007-07-03 18:46 57,344 --a------ C:\WINDOWS\system32\wsimd.sys
2008-05-09 12:12 . 2007-07-03 18:46 57,344 --------- C:\WINDOWS\system32\drivers\wsimd.sys
2008-05-09 12:12 . 2007-10-29 12:47 23,501 --a------ C:\WINDOWS\system32\net5211.cat
2008-05-09 12:12 . 2007-07-28 17:07 12,552 --a------ C:\WINDOWS\system32\wsimdp.cat
2008-05-09 12:12 . 2007-07-28 17:07 12,129 --a------ C:\WINDOWS\system32\wsimd.cat
2008-05-09 12:12 . 2007-07-03 18:46 5,361 --a------ C:\WINDOWS\system32\wsimdp.inf
2008-05-09 12:12 . 2007-07-03 18:46 2,179 --a------ C:\WINDOWS\system32\wsimd.inf
2008-05-09 11:56 . 2008-05-09 11:56 99,264 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-05-09 09:54 . 2008-05-09 09:57 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-09 09:53 . 2008-05-09 09:54 <DIR> d-------- C:\Program Files\Nero 7.8.5.0 Premium
2008-05-04 18:48 . 2008-05-06 10:24 <DIR> d-------- C:\Program Files\Spybot S&D
2008-05-04 18:48 . 2008-05-06 00:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-04 17:56 . 2008-05-04 17:56 <DIR> d-------- C:\Program Files\KillBox
2008-05-02 12:14 . 2008-05-02 12:17 <DIR> d-------- C:\Program Files\Kaspersky Antivirus 7
2008-05-01 18:12 . 2008-05-01 18:12 <DIR> d-------- C:\Program Files\ACW
2008-05-01 14:01 . 2008-05-01 14:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-05-01 12:31 . 2008-05-01 12:31 0 --a------ C:\WINDOWS\system32\SBRC.dat
2008-05-01 12:31 . 2008-05-01 12:31 0 --a------ C:\WINDOWS\system32\SBFC.dat
2008-05-01 12:22 . 2008-05-01 12:22 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Sunbelt Software
2008-05-01 11:54 . 2006-08-24 15:56 40,832 --a------ C:\WINDOWS\system32\drivers\apusbsnt.sys
2008-05-01 11:54 . 2005-03-15 11:11 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2008-05-01 11:54 . 2006-08-24 15:57 11,776 --a------ C:\WINDOWS\system32\apusbdco.dll
2008-05-01 00:05 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-04-30 22:03 . 2008-04-30 22:17 <DIR> d-------- C:\Program Files\SpyZooka
2008-04-30 21:48 . 2008-04-30 21:50 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Mp3tag
2008-04-30 21:47 . 2008-04-30 21:47 <DIR> d-------- C:\Program Files\Mp3tag
2008-04-30 20:27 . 2008-05-03 08:28 <DIR> d-------- C:\Program Files\Virtual DJ Pro 5
2008-04-30 17:50 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-30 17:49 . 2008-04-30 17:50 <DIR> d-------- C:\Program Files\Java
2008-04-30 17:46 . 2008-04-30 17:46 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-30 13:49 . 2008-04-30 13:49 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-04-30 13:14 . 2008-04-30 13:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-30 01:49 . 2008-05-15 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-29 19:26 . 2008-04-29 19:26 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-04-29 19:18 . 2008-05-09 09:43 <DIR> d-------- C:\Program Files\Nero
2008-04-29 19:18 . 2008-05-02 03:31 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-29 19:18 . 2008-05-09 09:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-29 19:03 . 2008-04-29 19:03 <DIR> d-------- C:\Program Files\MagicISO
2008-04-28 19:29 . 2008-04-28 19:29 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 22:44 . 2008-04-30 21:02 <DIR> d-------- C:\WINDOWS\RegCure
2008-04-27 22:44 . 2008-04-30 21:02 <DIR> d-------- C:\Program Files\RegCure
2008-04-26 17:18 . 2008-04-26 17:18 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-24 12:05 . 2008-04-24 12:28 <DIR> d-------- C:\Program Files\QuickTax 2007
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Program Files\Common Files\Intuit
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-24 12:05 . 2008-04-24 12:05 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Intuit Canada
2008-04-24 12:03 . 2008-04-24 12:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit Canada
2008-04-22 23:13 . 2008-04-22 23:13 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\GTek
2008-04-22 23:13 . 2008-04-22 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gtek
2008-04-22 23:13 . 2008-04-22 23:13 5,248 --a------ C:\WINDOWS\system32\OEMINFO.PNF

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 19:48 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2005-06-16 23:23 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"VIDC.ZMBV"= zmbv.dll

.
Contents of the 'Scheduled Tasks' folder
"2006-03-11 10:42:52 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-05-16 19:24:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-05-16 19:21:18 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-05-15 09:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
"2005-06-06 04:59:37 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy 4\XoftSpy.exe
"2008-05-16 19:21:18 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpy SE\XoftSpy.exe
"2008-05-10 10:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpy SE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 13:22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hdouopdd.dll
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-16 13:30:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-16 19:29:42
ComboFix2.txt 2008-05-16 17:58:59
ComboFix3.txt 2008-05-01 00:15:51

Pre-Run: 5,610,016,768 bytes free
Post-Run: 5,600,915,456 bytes free

312 --- E O F --- 2008-05-16 18:11:05

__________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:34:42 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Total Recorder Professional 6\TotRecSched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AnyDVD\AnyDVDtray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\Total Recorder Professional 6\TotRecSched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMc303b894] Rundll32.exe "C:\WINDOWS\system32\hdouopdd.dll",s
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\AnyDVD\AnyDVDtray.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107394181500
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7030CC6C-1A88-4591-BB5A-651B9F7F0C30} (WMVHDRatingCtrl Class) - file:///D:/components/wmvhdrating.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{62EC955C-255C-405C-A396-1967C4580BEB}: NameServer = 204.174.120.45 204.174.120.46
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\CounterSpy\SBCSSvc.exe
O23 - Service: SwiWiFiComm - Unknown owner - C:\Program Files\Sierra Wireless\AirCard 580\Generic\Components\swiwificomm.exe

--
End of file - 9355 bytes

RE: Numerous infections, numous scans .... still have some work to do

RichieUK — Fri, 16 May 2008 13:23:10 GMT

Copy and paste ALL the following text in the code box below into [b]Notepad[/b].
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: [b]CFScript[/b] to your desktop.
[quote]File::
C:\WINDOWS\system32\feqbfrob.dll
C:\WINDOWS\BMc303b894.xml
C:\WINDOWS\system32\yayaYsSJ.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14370F76-7676-44A2-AD11-93A31C5FC9FC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA07D05F-5465-41ED-A457-3516E108D6BC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f591201f-dc78-4126-8875-ce6b8b2117cd}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{14370F76-7676-44A2-AD11-93A31C5FC9FC}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJARkKA]
[/quote]
Now drag then drop the [b]CFScript[/b] file onto [b]ComboFix.exe[/b] as seen in the image below.

[img]http://img.photobucket.com/albums/v624/29wood/CFScript.gif[/img]

This will start ComboFix again.
After reboot, (in case it asks to reboot), [b]post the contents of Combofix.txt in your next reply along with a new HijackThis log.[/b]