Combofix log please help..

codeman0013
Hey guys... I have a PC for a good friend whose daughter decided to start using Morpheus and downloaded a lot of viruses. I have done a lot, but it appears to still be replicating. Please help...


ComboFix 07-12-22.1 - Owner 2007-12-22 9:30:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J5R69IKQ\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\appatc~1
C:\Program Files\appatc~1\A?pPatch\
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\ljjhghe.dll
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-20 23:09 . 2007-12-20 23:09 <DIR> d-------- C:\Program Files\MSBuild
2007-12-20 22:57 . 2007-12-21 17:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-20 22:51 . 2007-12-20 22:51 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-20 22:13 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-12-20 22:12 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-20 22:11 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-20 22:10 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-20 22:09 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-20 22:08 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-20 22:07 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-20 22:06 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-20 22:05 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-20 22:04 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-20 22:03 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-20 22:02 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-20 22:01 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-20 22:00 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-20 21:59 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2007-12-20 21:58 . 2001-08-17 14:56 342,336 --a--c--- C:\WINDOWS\system32\dllcache\banshee.dll
2007-12-20 21:57 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-20 21:56 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-20 21:56 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-20 21:56 . 2004-08-03 22:31 36,224 --a--c--- C:\WINDOWS\system32\dllcache\an983.sys
2007-12-20 21:56 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-20 21:56 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-20 21:56 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2007-12-20 21:56 . 2001-08-17 12:11 16,969 --a--c--- C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,032 --a--c--- C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-20 21:56 . 2001-08-17 13:47 6,272 --a--c--- C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-20 21:56 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-20 21:53 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-20 21:46 . 2007-12-20 21:46 <DIR> d-------- C:\VundoFix Backups
2007-12-20 12:25 . 2003-11-18 00:09 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-20 12:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-20 12:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-20 12:13 . 2007-12-20 12:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2007-12-20 03:31 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-20 03:18 . 2007-12-20 03:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-20 03:10 . 2007-12-20 03:10 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-20 03:10 . 2007-12-20 03:10 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-20 02:09 . 2007-12-20 12:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-20 02:09 . 2007-12-20 02:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-19 22:19 . 2007-12-19 23:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-19 22:13 . 2006-11-13 00:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-19 22:13 . 2006-11-13 00:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-19 22:13 . 2006-11-13 00:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-19 19:49 . 2007-12-19 19:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-19 19:23 . 2007-12-22 08:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-19 19:23 . 2007-12-19 19:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-19 19:22 . 2007-12-19 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 19:22 . 2007-12-19 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-19 18:54 . 2007-12-20 12:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-19 18:43 . 2007-12-19 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TeamViewer
2007-12-19 18:42 . 2007-12-19 18:43 <DIR> d-------- C:\Program Files\TeamViewer3
2007-12-19 18:41 . 2007-12-19 18:41 <DIR> d-------- C:\Documents and Settings\Owner\temp
2007-12-19 17:40 . 2007-12-20 18:18 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\VirDefs
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Support
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\SevInst
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\LiveUpdt
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Data
2007-12-14 22:25 . 2007-12-19 18:20 1,246,773 --a------ C:\Data1.cab
2007-12-14 22:25 . 2007-12-19 18:20 1,663 --a------ C:\Setup.wis
2007-12-14 22:19 . 2007-12-19 12:46 <DIR> d-------- C:\WINDOWS\system32\juvprpba
2007-12-14 22:18 . 2007-12-19 22:29 <DIR> d-------- C:\Program Files\Bqscjpok
2007-12-14 22:18 . 2007-12-19 22:29 <DIR> d-------- C:\Program Files\aryvobmf
2007-12-13 14:48 . 2007-12-13 14:48 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\TransRender
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Temporary
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Samsung
2007-12-13 02:53 . 2007-12-13 02:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-10 00:57 . 2007-12-10 00:58 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Move Networks
2007-12-04 13:55 . 2007-12-14 20:30 <DIR> d-------- C:\Program Files\Eypekskp
2007-12-03 21:45 . 2007-12-14 20:38 <DIR> d-------- C:\Program Files\Zcmvyoll
2007-12-03 00:58 . 2007-12-14 20:37 <DIR> d-------- C:\Program Files\Pqdoufwx
2007-12-03 00:58 . 2007-12-14 22:16 <DIR> d-------- C:\Program Files\lshklgle
2007-12-03 00:21 . 2007-12-03 00:21 <DIR> d-------- C:\Program Files\Drug Lord 2
2007-11-26 06:19 . 2007-11-26 06:19 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 23:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 23:46 --------- d-----w C:\Program Files\Morpheus
2007-12-20 18:13 --------- d-----w C:\Program Files\Google
2007-12-20 00:54 --------- d-----w C:\Program Files\Windows Defender
2007-12-20 00:53 --------- d-----w C:\Program Files\Symantec
2007-12-20 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-20 00:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-15 04:18 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-12-13 08:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 04:14 --------- d-----w C:\Program Files\Trillian
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-23 00:52 --------- d-----w C:\Program Files\QuickTime
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 675,840 2006-02-07 19:36:23 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 180,269 2006-08-22 13:45:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 155,648 2006-02-07 21:03:41 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 1,415,824 2005-05-31 07:04:00 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
----a-w 1,460,560 2007-08-31 22:46:28 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
----a-w 77,824 2002-07-30 17:35:04 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe
----a-w 777,424 2006-04-03 23:12:24 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 15,360 2004-08-04 06:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 06:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 106,496 2002-03-27 01:20:52 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2003-11-18 06:11:00 C:\WINDOWS\system32\hkcmd.exe
----a-w 155,648 2002-03-27 01:28:56 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 155,648 2003-11-18 06:24:00 C:\WINDOWS\system32\igfxtray.exe
----a-w 196,608 2001-10-15 08:42:45 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7555906D-70F1-4FD6-8250-4FBE75252F58}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:15]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 00:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 00:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-19 19:22]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhghe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fypsbqpy]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\fypsbqpy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odmtypcj]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\odmtypcj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkdglqlq]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\tkdglqlq.dll
S3 Dptiiserwia;Dptiiserwia;C:\WINDOWS\system32\drivers\bthpan.sys [2004-08-03 22:58]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2005-12-22 12:24]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2005-12-22 12:24]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2005-12-22 12:24]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 09:46:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-22 9:48:54 - machine was rebooted
.
2007-12-20 23:44:33 --- E O F ---
 
If the problems are replicating, it might have memory-resident malware.

Have you flushed the restore points and run the scans in safe mode?
 
I have gotten rid of all of System Restore and also ran the scans in safe mode. I'm thinking ComboFix might have finally fixed the problem, but I'm not sure; I'm still hoping someone can look at this and show me if it's OK before I tell them it's OK...
 
ComboFix has mostly cleaned the Vundo infection that was causing the problems; there are a few deactivated leftovers still to remove, though:

Please download this file - ComboFix - to your desktop

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    C:\WINDOWS\system32\njprckha
    C:\WINDOWS\system32\juvprpba
    C:\Program Files\Bqscjpok
    C:\Program Files\aryvobmf
    C:\Program Files\Eypekskp
    C:\Program Files\Zcmvyoll
    C:\Program Files\Pqdoufwx
    C:\Program Files\lshklgle
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7555906D-70F1-4FD6-8250-4FBE75252F58}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhghe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fypsbqpy]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odmtypcj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkdglqlq]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [Screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please also download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential; don't fix anything yet.

Please post both the ComboFix log and the HijackThis log.
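As an added example (not code from this thread or from ComboFix's authors), here is a small Python helper for the review step the post describes: it reads the "Other Deletions" and "Reg Loading Points" sections of a ComboFix log, flags any load point whose subkey or value line still names a file ComboFix has already removed (the winlogon\notify\ljjhghe leftover above, whose ljjhghe.dll was deleted in the first run), and renders the Folder::/Registry:: text in the layout used in the post. SAMPLE_LOG is constructed from lines in this thread; the function and section names are assumptions of this example. The heuristic only catches entries tied to a file listed under Other Deletions, so the msconfig startupreg entries still need a human eye.

```python
"""Cross-reference a ComboFix log's deletions against its registry load
points and emit a CFScript body. Hypothetical helper, not part of ComboFix."""
import re

# Constructed sample in the layout ComboFix prints; paths/keys copied from the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\ljjhghe.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7555906D-70F1-4FD6-8250-4FBE75252F58}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhghe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fypsbqpy]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\fypsbqpy.dll
.
"""

# Section banners look like "((((( Title )))))"; capture the title between the parens.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")


def split_sections(text):
    """Return {section title: [content lines]}, dropping the '.' spacer lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def parse_load_points(lines):
    """Map each [registry key] to the value lines ComboFix printed beneath it."""
    entries, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = []
        elif key is not None and line != "REGEDIT4":
            entries[key].append(line)
    return entries


def orphaned_load_points(text):
    """Load points that still reference a file listed under Other Deletions.

    A winlogon\notify or startupreg subkey named after a removed DLL, or a value
    line mentioning a removed file, is a deactivated leftover: the loader entry
    survived while its payload is gone. Returned in log order."""
    sections = split_sections(text)
    deleted = {p.rsplit("\\", 1)[-1].lower() for p in sections.get("Other Deletions", [])}
    stems = {name.rsplit(".", 1)[0] for name in deleted}
    orphans = []
    for key, values in parse_load_points(sections.get("Reg Loading Points", [])).items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf in stems or any(d in v.lower() for v in values for d in deleted):
            orphans.append(key)
    return orphans


def build_cfscript(folders=(), keys=()):
    """Render CFScript text in the shape used in the post: Folder:: lists
    directories to remove, Registry:: lists keys, a leading '-' deleting the key."""
    out = []
    if folders:
        out.append("Folder::")
        out.extend(folders)
        out.append("")
    if keys:
        out.append("Registry::")
        out.extend(f"[-{k}]" for k in keys)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    leftovers = orphaned_load_points(SAMPLE_LOG)
    print(build_cfscript(folders=[r"C:\WINDOWS\system32\njprckha"], keys=leftovers))
```

Run it as-is and it prints a Registry:: block deleting only the winlogon\notify\ljjhghe key, matching the entry the post removes by hand; the Folder:: paths are still chosen by the reviewer, since the log alone does not say which Program Files directories are malware drops.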
 
UPDATED LOG AND HIJACKTHIS:

ComboFix 07-12-23.1 - Owner 2007-12-22 20:50:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\aryvobmf
C:\Program Files\Bqscjpok
C:\Program Files\Eypekskp
C:\Program Files\lshklgle
C:\Program Files\Pqdoufwx
C:\Program Files\Zcmvyoll
C:\WINDOWS\system32\juvprpba
C:\WINDOWS\system32\juvprpba\bg1.gif
C:\WINDOWS\system32\juvprpba\bgtop.gif
C:\WINDOWS\system32\juvprpba\bottom1.gif
C:\WINDOWS\system32\juvprpba\essentials.gif
C:\WINDOWS\system32\juvprpba\icon1.ico
C:\WINDOWS\system32\juvprpba\install1.gif
C:\WINDOWS\system32\juvprpba\left1.gif
C:\WINDOWS\system32\juvprpba\li.gif
C:\WINDOWS\system32\juvprpba\logo.gif
C:\WINDOWS\system32\juvprpba\main.htm
C:\WINDOWS\system32\juvprpba\mainframe.htm
C:\WINDOWS\system32\juvprpba\reinstall1.gif
C:\WINDOWS\system32\juvprpba\right1.gif
C:\WINDOWS\system32\juvprpba\s1.htm
C:\WINDOWS\system32\juvprpba\s2.htm
C:\WINDOWS\system32\juvprpba\s3.htm
C:\WINDOWS\system32\juvprpba\SMTop1.gif
C:\WINDOWS\system32\juvprpba\SMTop2.gif
C:\WINDOWS\system32\juvprpba\SMTop3.gif
C:\WINDOWS\system32\juvprpba\SMTop4.gif
C:\WINDOWS\system32\juvprpba\soft1_off.gif
C:\WINDOWS\system32\juvprpba\soft1_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft1_on.gif
C:\WINDOWS\system32\juvprpba\soft1_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_off.gif
C:\WINDOWS\system32\juvprpba\soft2_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_on.gif
C:\WINDOWS\system32\juvprpba\soft2_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_off.gif
C:\WINDOWS\system32\juvprpba\soft3_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_on.gif
C:\WINDOWS\system32\juvprpba\soft3_on_ext.gif
C:\WINDOWS\system32\juvprpba\softbottom_off.gif
C:\WINDOWS\system32\juvprpba\softbottom_on.gif
C:\WINDOWS\system32\juvprpba\softleft_off.gif
C:\WINDOWS\system32\juvprpba\softleft_on.gif
C:\WINDOWS\system32\juvprpba\top1.gif
C:\WINDOWS\system32\juvprpba\top2.gif
C:\WINDOWS\system32\juvprpba\turnoff1.gif
C:\WINDOWS\system32\juvprpba\turnon1.gif
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-20 23:09 . 2007-12-20 23:09 <DIR> d-------- C:\Program Files\MSBuild
2007-12-20 22:57 . 2007-12-21 17:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-20 22:51 . 2007-12-20 22:51 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-20 22:13 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-12-20 22:12 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-20 22:11 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-20 22:10 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-20 22:09 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-20 22:08 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-20 22:07 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-20 22:06 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-20 22:05 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-20 22:04 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-20 22:03 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-20 22:02 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-20 22:01 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-20 22:00 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-20 21:59 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2007-12-20 21:58 . 2001-08-17 14:56 342,336 --a--c--- C:\WINDOWS\system32\dllcache\banshee.dll
2007-12-20 21:57 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-20 21:56 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-20 21:56 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-20 21:56 . 2004-08-03 22:31 36,224 --a--c--- C:\WINDOWS\system32\dllcache\an983.sys
2007-12-20 21:56 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-20 21:56 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-20 21:56 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2007-12-20 21:56 . 2001-08-17 12:11 16,969 --a--c--- C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,032 --a--c--- C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-20 21:56 . 2001-08-17 13:47 6,272 --a--c--- C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-20 21:56 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-20 21:53 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-20 21:46 . 2007-12-20 21:46 <DIR> d-------- C:\VundoFix Backups
2007-12-20 12:25 . 2003-11-18 00:09 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-20 12:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-20 12:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-20 12:13 . 2007-12-20 12:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2007-12-20 03:31 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-20 03:18 . 2007-12-20 03:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-20 03:10 . 2007-12-20 03:10 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-20 03:10 . 2007-12-20 03:10 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-20 02:09 . 2007-12-20 12:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-20 02:09 . 2007-12-20 02:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-19 22:19 . 2007-12-19 23:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-19 22:13 . 2006-11-13 00:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-19 22:13 . 2006-11-13 00:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-19 22:13 . 2006-11-13 00:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-19 19:49 . 2007-12-19 19:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-19 19:23 . 2007-12-22 11:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-19 19:23 . 2007-12-19 19:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-19 19:22 . 2007-12-19 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 19:22 . 2007-12-19 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-19 18:54 . 2007-12-20 12:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-19 18:43 . 2007-12-19 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TeamViewer
2007-12-19 18:42 . 2007-12-19 18:43 <DIR> d-------- C:\Program Files\TeamViewer3
2007-12-19 18:41 . 2007-12-19 18:41 <DIR> d-------- C:\Documents and Settings\Owner\temp
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\VirDefs
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Support
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\SevInst
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\LiveUpdt
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Data
2007-12-14 22:25 . 2007-12-19 18:20 1,246,773 --a------ C:\Data1.cab
2007-12-14 22:25 . 2007-12-19 18:20 1,663 --a------ C:\Setup.wis
2007-12-13 14:48 . 2007-12-13 14:48 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\TransRender
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Temporary
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Samsung
2007-12-13 02:53 . 2007-12-13 02:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-10 00:57 . 2007-12-10 00:58 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Move Networks
2007-12-03 00:21 . 2007-12-03 00:21 <DIR> d-------- C:\Program Files\Drug Lord 2
2007-11-26 06:19 . 2007-11-26 06:19 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 20:14 --------- d-----w C:\Program Files\Gateway
2007-12-22 20:14 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2007-12-22 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 23:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 23:46 --------- d-----w C:\Program Files\Morpheus
2007-12-20 18:13 --------- d-----w C:\Program Files\Google
2007-12-20 00:54 --------- d-----w C:\Program Files\Windows Defender
2007-12-20 00:53 --------- d-----w C:\Program Files\Symantec
2007-12-20 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-15 04:18 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-12-13 08:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 04:14 --------- d-----w C:\Program Files\Trillian
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 07:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 07:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 07:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 07:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-23 00:52 --------- d-----w C:\Program Files\QuickTime
2007-10-11 15:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 15:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 15:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 19:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 19:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 19:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 19:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 19:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 19:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 19:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 19:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 18:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-12-22_ 9.46.47.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-22 01:27:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-22 17:17:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-22 01:27:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-22 17:17:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-22 01:27:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-22 17:17:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:15]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 00:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 00:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-19 19:22]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
S3 Dptiiserwia;Dptiiserwia;C:\WINDOWS\system32\drivers\bthpan.sys [2004-08-03 22:58]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2005-12-22 12:24]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2005-12-22 12:24]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2005-12-22 12:24]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 20:53:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-22 20:54:24
C:\ComboFix2.txt ... 2007-12-22 10:00
C:\ComboFix3.txt ... 2007-12-22 09:48
.
2007-12-20 23:44:33 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:08 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139342246468
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198122147968
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
--
End of file - 4187 bytes
 
Excellent, the logfiles appear to be clean.

Below I have included some ideas on how to prevent future infections, which you might want to pass on to your friend:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good. You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs, and will work alongside Spybot to protect your system:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure, or are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here.
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 
Thanks for all of your help! I figured after 3 days of beating my head against the wall I would ask the expert for his help! YOU ARE THE BEST!!!

Cody!
 