Root Kits, Viruses, and the kitchen sink

EdoEdo
edited August 2007 in Spyware & Virus Removal
Hi Guys,

I have been given the wonderful task of fixing an infested PC, and this thing has a bunch of stuff. When I initially received it, even a basic Windows function like opening a folder was not possible. It would instantly give an error message and return you to the desktop. After following the guide that was put together by you guys, it's definitely usable now, but it still has a ton of problems on it that were found by the multiple scans.

Below are the requested log files from each scan.......

HijackThis......

Logfile of HijackThis v1.99.1
Scan saved at 9:50:40 AM, on 8/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: SDWin32 Class - {BB4375FE-A882-4A56-8D99-750578455259} - C:\WINDOWS\System32\pzjtu.dll
O2 - BHO: SDWin32 Class - {D20CE1DA-3B50-459E-91A0-EFAADC0D5734} - C:\WINDOWS\System32\jhouw.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [pujwkhu] c:\windows\system32\oarmcb.exe r
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Panda Antivirus Online scan......


Incident Status Location
Adware:Adware/Transponder Not disinfected c:\windows\system32\hivtsd.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\System32\jhouw.dll
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\System32\pzjtu.dll
Spyware:spyware/apropos Not disinfected c:\windows\system32\cache\cxtpls_loader.exe
Adware:adware/portalscan Not disinfected c:\windows\system32\winupdt.bin
Adware:adware/comet Not disinfected c:\windows\inf\dm.PNF
Adware:adware/virtualbouncer Not disinfected c:\myPcsearch.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/ncase Not disinfected c:\windows\msbb_gdf.dat
Adware:adware/aurora Not disinfected c:\windows\Nail.exe
Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall4_88.exe
Spyware:spyware/betterinet Not disinfected c:\windows\susp.ini
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Spyware:spyware/search3 Not disinfected c:\program files\SEARCH3 TOOLBAR
Adware:adware/dyfuca Not disinfected c:\windows\STWSI
Adware:adware/adlogix Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:adware/topmoxie Not disinfected Windows Registry
Spyware:spyware/shopnav Not disinfected Windows Registry
Spyware:Cookie/BestOffersNetworks Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@bestoffersnetworks[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@btg.btgrab[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@casalemedia[2].txt
Spyware:Cookie/Twain-Tech Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@cliks[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@offeroptimizer[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Herbie's Stuff\Cookies\herbie's stuff@searchportal.information[1].txt
Adware:Adware/Adtomi Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\6y3i0.sys
Adware:Adware/Adtomi Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\7zanc.sys
Adware:Adware/Adtomi Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\q99le.sys
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\~67486.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\~784704.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temp\~85840.tmp
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Herbie's Stuff\Local Settings\Temporary Internet Files\Content.IE5\M1ID2J65\channels_02[1].gif
Adware:Adware/Adtomi Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\q99le.sys
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THB\aurareco.exe
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI1B71.tmp\farmmext.inf
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI1B71.tmp\farmmext.ini
Virus:Trj/Downloader.AJK Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI5DEF.tmp\wupdt.exe
Virus:Trj/Imiserv.E Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\THI8BF.tmp\wupdt.exe
Virus:Trojan Horse.AP2 Disinfected C:\Documents and Settings\Owner\Local Settings\Temp\toc_0015.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\tsupdate_4_0_3_9_b2.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U10.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U1C.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U1D.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U21.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U26.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U2D.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U46.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U64.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U8.tmp
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\U91.tmp
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UA.tmp
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UCQ\aurareco.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\UNS\aurareco.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\VEH\aurareco.exe
Spyware:Spyware/BetterInet Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\WMK\auraupg1.exe
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~10076.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~119553.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~187637.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~273388.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~276781.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~29773.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~302122.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~316634.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~323124.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~324412.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~32531.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~326925.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~330341.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~332042.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~338264.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~341134.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~342753.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~344146.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~347612.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~351053.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~351363.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~353202.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~354955.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~355811.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~359593.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~359846.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~359976.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~365911.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~370209.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~371384.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~373892.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~375580.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~376684.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~37823.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~378356.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~378539.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~379549.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~379708.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~379832.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~379929.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~381730.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~381878.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~383095.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~383444.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~384305.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~385415.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~385546.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~386875.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~397319.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~400701.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~401399.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~404028.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~405791.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~407685.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~408667.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~414115.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~414661.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~415178.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~417302.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~419531.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~425456.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~428521.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~441757.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~446860.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~446961.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~447365.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~447868.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~457138.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~459684.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~462029.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~462833.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~463128.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~465555.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~470415.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~473555.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~477985.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~479748.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~48973.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~494493.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~497383.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~502842.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~503464.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~504847.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~511671.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~516737.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~528423.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~529126.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~5299.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~535805.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~536118.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~537528.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~542810.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~554644.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~565881.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~599466.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~622758.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~636001.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~636534.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~646484.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~647607.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~651732.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~657539.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~66425.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~666290.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~666465.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~668464.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~680420.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~683095.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~689883.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~691343.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~69705.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~705540.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~711869.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~715409.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~726448.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~727418.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~7345.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~741160.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~748680.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~752567.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~756992.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~764559.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~768115.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~769288.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~779708.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~781735.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~793206.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~807355.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~819847.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~835968.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~841892.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~847793.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~848487.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~869841.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~878254.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~894261.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~904359.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~909656.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~912272.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~917405.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~920621.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~927985.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~944884.tmp
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\~974326.tmp
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Spyware:Spyware/New.net Not disinfected C:\My Downloads\newnet.exe
Spyware:Spyware/New.net Not disinfected C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\10309718.asw
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Common Files\qwif\mytsp
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Common Files\qwif\qwifa.exe
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Common Files\qwif\qwifl.exe
Adware:Adware/IST.SideFind Not disinfected C:\Program Files\Common Files\qwif\qwifm.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Adware:Adware/Navenhance Not disinfected C:\Program Files\NavEnhance\DoubleAgent\NetInstaller.exe
Virus:Generic Malware Disinfected C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll
Spyware:Spyware/Search3 Not disinfected C:\WINDOWS\Downloaded Program Files\search3.dll
Virus:Trj/Keyhost.A Disinfected C:\WINDOWS\INF\host.inf
Virus:Trj/Downloader.L Disinfected C:\WINDOWS\INF\susp.inf
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\q99le.sys
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\dkkk0.dll
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\nwcuu.exe
Adware:Adware/Adtomi Not disinfected C:\WINDOWS\SYSTEM32\q99le.sys
Adware:Adware/Transponder Not disinfected C:\WINDOWS\SYSTEM32\qylpejm.exe


I included the Kaspersky scan log as an attachment, because it couldn't fit into the post.
Your help is greatly appreciated.

Comments

  • Nuppi (South Ostrobothnia, Finland)
    edited August 2007
    Hi Edo,

    And welcome to Icrontic.

    First, which firewall and antivirus do you want to keep? (only one of each)

    McAfee AV and FW
    Comodo FW
    AntiVir AV


    Please download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • Edo
    edited August 2007
    I will keep the Antivir AV and the Comodo FW.


    Here are the requested logs.....


    HijackThis...

    Logfile of HijackThis v1.99.1
    Scan saved at 5:55:59 PM, on 8/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\mcafee.com\VSO\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SDWin32 Class - {BB4375FE-A882-4A56-8D99-750578455259} - C:\WINDOWS\System32\pzjtu.dll
    O2 - BHO: SDWin32 Class - {D20CE1DA-3B50-459E-91A0-EFAADC0D5734} - C:\WINDOWS\System32\jhouw.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [pujwkhu] c:\windows\system32\oarmcb.exe r
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
    O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
    O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    ComboFix....

    ComboFix 07-08-17.2 - "Herbie's Stuff" 2007-08-20 17:29:38.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.97 [GMT -7:00]
    * Created a new restore point

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\DOCUME~1\Owner\APPLIC~1\Hotbar
    C:\DOCUME~1\Owner\APPLIC~1\Sskknwrd.dll
    C:\WINDOWS\NDNuninstall4_88.exe

    ((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))

    2007-08-20 17:11 51,200 --a C:\WINDOWS\nircmd.exe
    2007-08-18 02:37 <DIR> d C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-18 02:37 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-17 22:33 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Comodo
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-17 22:22 <DIR> d C:\Program Files\Comodo
    2007-08-17 20:06 <DIR> d C:\WINDOWS\SYSTEM32\ActiveScan
    2007-08-17 19:14 16 --a C:\WINDOWS\SYSTEM32\hiwinnager.dat
    2007-08-17 19:08 <DIR> d C:\Program Files\SpywareBlaster
    2007-08-17 17:49 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-17 16:06 <DIR> d C:\Program Files\Lavasoft
    2007-08-17 16:05 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-16 19:19 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-16 16:48 1,048,576 --ah C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-17 23:36 d C:\Program Files\Common Files\qwif
    2007-08-17 21:00 d C:\Program Files\DIGStream
    2007-08-17 19:59 d C:\Program Files\SBC Self Support Tool
    2007-08-17 19:50 d C:\Program Files\Pure Networks
    2007-08-17 19:47 d C:\Program Files\Yahoo!
    2007-08-17 19:47 d C:\Program Files\SEARCH3 TOOLBAR
    2007-08-17 19:45 d--h C:\Program Files\InstallShield Installation Information
    2007-08-17 19:24 d C:\Program Files\Google
    2007-08-17 19:13 d C:\Program Files\America Online 8.0a
    2007-08-17 19:07 52736 --a C:\WINDOWS\Nail.exe
    2007-08-17 18:23 d C:\Program Files\MyWay
    2007-08-17 16:10 9344 --a C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-17 16:10 8320 --a C:\WINDOWS\system32\drivers\AWRTRD.sys
    2003-04-19 07:38 3001 --a--c--- C:\Program Files\INSTALL.LOG

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB4375FE-A882-4A56-8D99-750578455259}]
    2004-11-17 17:01 98816 --a C:\WINDOWS\System32\pzjtu.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D20CE1DA-3B50-459E-91A0-EFAADC0D5734}]
    2004-11-23 19:52 98816 --a C:\WINDOWS\System32\jhouw.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-19 07:37]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26]
    "IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52]
    "IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 16:04]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-17 22:22]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    "pujwkhu"="c:\windows\system32\oarmcb.exe" []
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=Narrator.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
    backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Kazaa Upgrade Suite3.exe
    backup=C:\WINDOWS\pss\Register Kazaa Upgrade Suite3.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1:]
    c:\hp\bin\hpdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abtu]
    C:\DOCUME~1\Owner\APPLIC~1\lopsearch.exe -QuieT
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAupdate]
    C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
    "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjrciyw]
    c:\windows\system32\uujadrd.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
    C:\Windows\system32\HpSrvUI.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
    c:\hp\drivers\scanners\scannerfb.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    c:\windows\system\hpsysdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgtqv]
    C:\WINDOWS\jgtqv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    C:\HP\KBD\KBD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
    "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    C:\Program Files\mcafee.com\Agent\mcagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    c:\Program Files\Microsoft Works\WkDetect.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
    C:\WINDOWS\NCLAUNCH.EXe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector]
    C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
    c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    C:\WINDOWS\system32\ps2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pujwkhu]
    c:\windows\system32\oarmcb.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    C:\WINDOWS\SMINST\RECGUARD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REWARDS NETWORK]
    C:\Program Files\Rewards Network\brntray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
    S3apphk.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
    C:\Program Files\SafeSurfing\SSUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMedia]
    C:\Program Files\MediaUpdate\UpdateMedia.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    C:\Program Files\mcafee.com\VSO\mcvsshld.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xwqzltu]
    c:\windows\system32\wcgvtl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "KodakCCS"=2 (0x2)
    "AOLService"=2 (0x2)
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
    R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
    R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
    R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
    S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
    S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINDOWS\System32\Drivers\GT891x1.SYS
    S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
    S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINDOWS\System32\Drivers\GT890x.SYS
    S3 P101bVID;Creative WebCam;C:\WINDOWS\System32\DRIVERS\P101bVid.sys
    *Newly Created Service* - ALG
    *Newly Created Service* - IPNAT
    Contents of the 'Scheduled Tasks' folder
    2002-06-06 05:38:59 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-20 17:43:29
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    C:\Program Files\Newahoo!\winsimtf.exe [2368] 0xFF966640
    C:\WINDOWS\SYSTEM32\wzcaemon.exe [2424] 0xFFAE5618

    scanning hidden autostart entries ...
    scanning hidden files ...
    C:\WINDOWS\system32\wzcaemon.exe
    C:\WINDOWS\system32\drivers\ltmmspqm.sys
    scan completed successfully
    hidden files: 2
    **************************************************************************
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ProsSvc]
    "ImagePath"="\??\C:\WINDOWS\System32\drivers\ltmmspqm.sys"
    Completion time: 2007-08-20 17:52:03 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-20 17:51
    --- E O F ---
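    The catchme section of the ComboFix log above lists the processes and files the rootkit scan found hidden, and right after it the service key whose ImagePath points at one of those hidden files. As an added example (not from the page, ComboFix or Gmer), here is a small Python parser for that block that pulls out the hidden entries and reports which registered service loads a hidden driver, which is the persistence a cleanup has to deal with. The sample input is copied from the log above so the script runs offline.

```python
import re

# Constructed sample input: the catchme section and the service key copied
# from the ComboFix log posted above, so the parser can run offline.
SAMPLE_LOG = r"""catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 17:43:29
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
C:\Program Files\Newahoo!\winsimtf.exe [2368] 0xFF966640
C:\WINDOWS\SYSTEM32\wzcaemon.exe [2424] 0xFFAE5618

scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\wzcaemon.exe
C:\WINDOWS\system32\drivers\ltmmspqm.sys
scan completed successfully
hidden files: 2
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ProsSvc]
"ImagePath"="\??\C:\WINDOWS\System32\drivers\ltmmspqm.sys"
Completion time: 2007-08-20 17:52:03 - machine was rebooted
"""

SECTION_RE = re.compile(r"^scanning hidden (\w+(?: \w+)*) \.\.\.$")
# "path [pid] 0xADDRESS": the address is the kernel object catchme found
PROCESS_RE = re.compile(r"^(?P<path>.+?) \[(?P<pid>\d+)\] (?P<addr>0x[0-9A-Fa-f]+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

NT_PREFIX = "\\??\\"  # object-manager prefix driver ImagePaths usually carry


def normalize_path(path):
    """Strip the \\??\\ prefix and case-fold so an ImagePath and a hidden-file
    path compare equal regardless of how each tool spelled them."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_catchme(text):
    """Split the catchme block into hidden processes, hidden files and the
    service keys (name -> ImagePath) ComboFix prints after the scan."""
    report = {"hidden_processes": [], "hidden_files": [], "services": {}}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("***"):
            section = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # "processes", "autostart entries" or "files"
            continue
        if line.startswith("scan completed") or line.startswith("hidden files:"):
            section = None
            continue
        if section == "processes":
            pm = PROCESS_RE.match(line)
            if pm:
                report["hidden_processes"].append(
                    {"path": pm.group("path"), "pid": int(pm.group("pid")),
                     "object": pm.group("addr")})
            continue
        if section == "files":
            report["hidden_files"].append(line)
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key and vm.group("name") == "ImagePath":
            service = current_key.rsplit("\\", 1)[-1]
            report["services"][service] = vm.group("data")
    return report


def hidden_service_images(report):
    """(service, ImagePath) pairs whose image is one of the hidden files: a
    driver hidden from the file system but still loaded through a service."""
    hidden = {normalize_path(p) for p in report["hidden_files"]}
    return [(svc, img) for svc, img in sorted(report["services"].items())
            if normalize_path(img) in hidden]


if __name__ == "__main__":
    rep = parse_catchme(SAMPLE_LOG)
    for p in rep["hidden_processes"]:
        print("hidden process pid=%d %s" % (p["pid"], p["path"]))
    for f in rep["hidden_files"]:
        print("hidden file %s" % f)
    for svc, img in hidden_service_images(rep):
        print("service %s loads hidden file %s" % (svc, img))
```

    Run on the sample, the script pairs the ProsSvc service with the hidden ltmmspqm.sys, which is why the cleanup has to remove the service entry and not just the file.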
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi,

    Copy the following lines to Notepad:


    @echo off
    rem Stop the leftover McAfee services, then delete their registrations
    rem so the remaining mcafee.com folder can be removed by the CFScript below.
    sc stop McShield
    sc stop MCVSRte
    sc delete McShield
    sc delete MCVSRte


    Save it to the desktop with the name service.bat, file type "All files".

    Double-click it and if any question appears, answer yes.

    Download ATF-Cleaner by Atribune to your desktop.

    Run ATF-Cleaner. Under Main choose: Select All
    Click the Empty Selected button.

    If you use the Firefox browser, click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser, click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.


    Please open Notepad and copy and paste the text from the quote box:
    Folder::
    C:\Program Files\mcafee.com
    C:\Program Files\MyWay
    C:\Program Files\SEARCH3 TOOLBAR

    File::
    C:\WINDOWS\System32\pzjtu.dll
    C:\WINDOWS\System32\jhouw.dll
    c:\windows\system32\oarmcb.exe

    Save it with the name CFScript.

    Then drag and drop CFScript onto ComboFix.exe, as shown below.

    CFScript.gif

    ComboFix will start running and scanning.

    Note: Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

    Reboot your computer.



    Please update your Ad-Aware.

    Do not scan yet.

    Please download Lavasoft's VX2 Cleaner plug-in from here
    • Install VX2 Cleaner
    • Open Ad-Aware SE
    • Find and go to "Add-ons"
    • Select VX2 Cleaner plug-in and click "Run Tool" (before running VX2 Cleaner, close AntiVir; it's very important.)
    • Click "OK" when you are ready to run this tool and wait
    • If VX2 Cleaner didn't find anything, click "Close".

    If an infection is found:
    • Select "Clean"
    • Reboot.
    • Scan your computer with Ad-Aware:

      Please make the settings shown below:
      • Go to Ad-Aware's General settings window
      • Select General > Safety & Settings: check (to green) all three.
      • Click Tweak > Cleaning Engine > unselect "Always try to unload modules before deletion".
      Click "Proceed"
      Click "Scan Now"
      Check the line "Search for negligible risk entries"
      Check the line "Search for low-risk threats"
      Do the scan in Full Scan (Perform full system scan) mode.
      When ready, select "Next".
      In the findings, select the "Scan Summary" window.
      Check all lines.
      Click "Next", and "OK".

      Please reboot the computer.

      Repeat the scan from VX2 Cleaner to the end.


      Please send a fresh HijackThis log and ComboFix.txt.
  • EdoEdo
    edited August 2007
    Currently, there is only Ad-Aware 2007 installed on this pc per the instructions in the "Steps to take before posting a HijackThis log" thread.

    I don't have Ad-Aware SE installed. When I open 2007, there's nowhere in the program that references the VX2 plugin I installed. Am I doing something wrong? Did I miss an install? I've followed the other steps up to this point and stopped.
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi,

    Probably you have to install Ad-Aware SE. This Aurora virus (nail.exe) is difficult to remove without it.
  • EdoEdo
    edited August 2007
    I got Ad-Aware SE and continued on with the directions. Here are the requested logs....

    HijackThis...

    Logfile of HijackThis v1.99.1
    Scan saved at 4:54:17 PM, on 8/22/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
    O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
    O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


    ComboFix....

    ComboFix 07-08-17.2 - "Herbie's Stuff" 2007-08-22 16:56:52.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.74 [GMT -7:00]

    ((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))

    2007-08-22 06:43 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Lavasoft
    2007-08-20 17:11 51,200 --a C:\WINDOWS\nircmd.exe
    2007-08-18 02:37 <DIR> d C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-18 02:37 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-17 22:33 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Comodo
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-17 22:22 <DIR> d C:\Program Files\Comodo
    2007-08-17 20:06 <DIR> d C:\WINDOWS\SYSTEM32\ActiveScan
    2007-08-17 19:08 <DIR> d C:\Program Files\SpywareBlaster
    2007-08-17 17:49 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-17 16:06 <DIR> d C:\Program Files\Lavasoft
    2007-08-17 16:05 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-16 19:19 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-16 16:48 1,048,576 --ah C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-22 16:07 d C:\Program Files\Common Files\qwif
    2007-08-17 21:00 d C:\Program Files\DIGStream
    2007-08-17 19:59 d C:\Program Files\SBC Self Support Tool
    2007-08-17 19:50 d C:\Program Files\Pure Networks
    2007-08-17 19:47 d C:\Program Files\Yahoo!
    2007-08-17 19:45 d--h C:\Program Files\InstallShield Installation Information
    2007-08-17 19:24 d C:\Program Files\Google
    2007-08-17 19:13 d C:\Program Files\America Online 8.0a
    2007-08-17 16:10 9344 --a C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-17 16:10 8320 --a C:\WINDOWS\system32\drivers\AWRTRD.sys
    2003-04-19 07:38 3001 --a--c--- C:\Program Files\INSTALL.LOG

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-04-19 07:37]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 22:26]
    "IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52]
    "IPInSightMonitor 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 02:52]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-05-10 16:04]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-17 22:22]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=Narrator.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
    backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Kazaa Upgrade Suite3.exe
    backup=C:\WINDOWS\pss\Register Kazaa Upgrade Suite3.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1:]
    c:\hp\bin\hpdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abtu]
    C:\DOCUME~1\Owner\APPLIC~1\lopsearch.exe -QuieT
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAupdate]
    C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
    "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjrciyw]
    c:\windows\system32\uujadrd.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
    C:\Windows\system32\HpSrvUI.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
    c:\hp\drivers\scanners\scannerfb.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    c:\windows\system\hpsysdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgtqv]
    C:\WINDOWS\jgtqv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    C:\HP\KBD\KBD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
    "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    C:\Program Files\mcafee.com\Agent\mcagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    c:\Program Files\Microsoft Works\WkDetect.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
    C:\WINDOWS\NCLAUNCH.EXe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector]
    C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
    c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    C:\WINDOWS\system32\ps2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pujwkhu]
    c:\windows\system32\oarmcb.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    C:\WINDOWS\SMINST\RECGUARD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REWARDS NETWORK]
    C:\Program Files\Rewards Network\brntray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
    S3apphk.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
    C:\Program Files\SafeSurfing\SSUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMedia]
    C:\Program Files\MediaUpdate\UpdateMedia.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    C:\Program Files\mcafee.com\VSO\mcvsshld.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xwqzltu]
    c:\windows\system32\wcgvtl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "KodakCCS"=2 (0x2)
    "AOLService"=2 (0x2)
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
    R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
    R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
    R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
    S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
    S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINDOWS\System32\Drivers\GT891x1.SYS
    S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
    S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINDOWS\System32\Drivers\GT890x.SYS
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 P101bVID;Creative WebCam;C:\WINDOWS\System32\DRIVERS\P101bVid.sys

    Contents of the 'Scheduled Tasks' folder
    2002-06-06 05:38:59 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-22 17:04:05
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    C:\Program Files\Newahoo!\winsimtf.exe [2556] 0xFF467610
    C:\WINDOWS\SYSTEM32\wzcaemon.exe [2544] 0xFF466928

    scanning hidden autostart entries ...
    scanning hidden files ...
    **************************************************************************
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ProsSvc]
    "ImagePath"="\??\C:\WINDOWS\System32\drivers\ltmmspqm.sys"
    Completion time: 2007-08-22 17:06:02
    C:\ComboFix-quarantined-files.txt ... 2007-08-22 17:05
    C:\ComboFix2.txt ... 2007-08-21 14:52
    C:\ComboFix3.txt ... 2007-08-20 17:52
    --- E O F ---
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi, good work, Nail.exe is gone :D


    Scan with HijackThis and check:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

    Close all other programs and click Fix checked.


    Reboot the computer.


    Find where that file is:

    wmplayer.exe

    Please visit Virustotal
    * Click the Browse... button
    * Navigate to the file wmplayer.exe
    * Click the Open button
    * Click the Send button
    * Copy and paste the results back here

    Do the same for those two files:

    C:\Program Files\Newahoo!\winsimtf.exe
    C:\WINDOWS\SYSTEM32\wzcaemon.exe

    Send all results and a fresh HijackThis log.
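    The post above picks out the R1 entries whose search settings are blanked or point at an unexpected host, plus a ShellNext value that names a program rather than a URL, and leaves the owner's start page and ISP portal alone. As an added example (not from the page or from HijackThis), here is a Python check that parses the R0/R1 lines of an HJT log and applies those same rules against an allow-list of hosts. The sample lines are copied from the log above; the allow-list and the rule wording are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the R0/R1 lines (plus one O2 line, to show it is
# ignored) copied from the HijackThis log posted above.
HJT_LINES = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""

# Assumed allow-list for this example: the hosts the owner's home page and
# ISP portal legitimately point at. Any other host in a search setting is flagged.
ALLOWED_HOSTS = {"comcast.net", "yahoo.sbc.com"}

# "R1 - HIVE\Key\Path,ValueName = data"; the key runs up to the first comma.
R_LINE = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# Settings that drive IE searches; a blank or off-list value here is hijack residue.
SEARCH_SETTINGS = {"Default_Search_URL", "Search Bar", "Search Page", "SearchURL"}


def parse_r_lines(text):
    """Return one dict per R0..R3 line: kind, registry key, setting name, data."""
    entries = []
    for line in text.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue  # O-lines and anything else are out of scope here
        key, value = m.group("key"), m.group("value")
        # "SearchURL,(Default)" is the key's default value: name it after the key's leaf
        setting = key.rsplit("\\", 1)[-1] if value == "(Default)" else value
        entries.append({"kind": m.group("kind"), "key": key,
                        "setting": setting, "data": m.group("data")})
    return entries


def hostname_of(data):
    """Host part of a setting value; values without a scheme (as HJT prints
    SearchURL) are treated as http URLs so urlparse can find the host."""
    url = data if "://" in data else "http://" + data
    return (urlparse(url).hostname or "").lower()


def assess(entry, allowed_hosts=ALLOWED_HOSTS):
    """Reason string if the entry looks hijacked, else None."""
    setting, data = entry["setting"], entry["data"]
    if setting == "ShellNext":
        # ShellNext should hold a URL to open; a bare program name is abnormal
        return None if "://" in data else "ShellNext names a program instead of a URL"
    if data.lower() == "about:blank":
        # a blank home page is a user choice; blank search settings are not
        return "search setting blanked" if setting in SEARCH_SETTINGS else None
    host = hostname_of(data)
    if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
        return "host %r not on the allow-list" % host
    return None


def flagged_entries(text, allowed_hosts=ALLOWED_HOSTS):
    """(setting, data, reason) for every R-line the rules flag, in log order."""
    out = []
    for e in parse_r_lines(text):
        reason = assess(e, allowed_hosts)
        if reason:
            out.append((e["setting"], e["data"], reason))
    return out


if __name__ == "__main__":
    for setting, data, reason in flagged_entries(HJT_LINES):
        print("%-20s %-60s %s" % (setting, data, reason))
```

    On the sample the check flags exactly the five lines the helper asked to fix and passes the two the helper left alone; widening the allow-list (for example to yahoo.com) drops the Default_Search_URL entry from the result, which is the judgement call a reviewer makes per machine.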
  • EdoEdo
    edited August 2007
    Here are the requested results and log....

    VirusTotal scans


    wmplayer.exe......

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.22.0 2007.08.23 -
    AntiVir 7.4.1.63 2007.08.23 -
    Authentium 4.93.8 2007.08.23 -
    Avast 4.7.1029.0 2007.08.23 -
    AVG 7.5.0.484 2007.08.23 -
    BitDefender 7.2 2007.08.24 -
    CAT-QuickHeal 9.00 2007.08.23 -
    ClamAV 0.91 2007.08.24 -
    DrWeb 4.33 2007.08.23 -
    eSafe 7.0.15.0 2007.08.23 -
    eTrust-Vet 31.1.5083 2007.08.24 -
    Ewido 4.0 2007.08.23 -
    FileAdvisor 1 2007.08.24 -
    Fortinet 2.91.0.0 2007.08.23 -
    F-Prot 4.3.2.48 2007.08.23 -
    F-Secure 6.70.13030.0 2007.08.24 -
    Ikarus T3.1.1.12 2007.08.23 -
    Kaspersky 4.0.2.24 2007.08.24 -
    McAfee 5104 2007.08.23 -
    Microsoft 1.2803 2007.08.24 -
    NOD32v2 2481 2007.08.24 -
    Norman 5.80.02 2007.08.23 -
    Panda 9.0.0.4 2007.08.24 -
    Prevx1 V2 2007.08.24 -
    Rising 19.37.32.00 2007.08.23 -
    Sophos 4.20.0 2007.08.24 -
    Sunbelt 2.2.907.0 2007.08.24 -
    Symantec 10 2007.08.24 -
    TheHacker 6.1.8.172 2007.08.23 -
    VBA32 3.12.2.3 2007.08.23 -
    VirusBuster 4.3.26:9 2007.08.23 -
    Webwasher-Gateway 6.0.1 2007.08.23 -

    Additional information
    File size: 520192 bytes
    MD5: 8364d385a09085230fa2fde25f492dc3
    SHA1: d9875a94229b8bed486dc7c6e648a50c189f4160


    winsimtf.exe.....

    Antivirus;Version;Last Update;Result
    AhnLab-V3;2007.8.22.0;2007.08.23;-
    AntiVir;7.4.1.63;2007.08.23;-
    Authentium;4.93.8;2007.08.23;-
    Avast;4.7.1029.0;2007.08.23;-
    AVG;7.5.0.484;2007.08.23;-
    BitDefender;7.2;2007.08.24;-
    CAT-QuickHeal;9.00;2007.08.23;-
    ClamAV;0.91;2007.08.24;-
    DrWeb;4.33;2007.08.23;-
    eSafe;7.0.15.0;2007.08.23;-
    eTrust-Vet;31.1.5083;2007.08.24;-
    Ewido;4.0;2007.08.23;-
    FileAdvisor;1;2007.08.24;-
    Fortinet;2.91.0.0;2007.08.23;-
    F-Prot;4.3.2.48;2007.08.23;-
    F-Secure;6.70.13030.0;2007.08.24;-
    Ikarus;T3.1.1.12;2007.08.23;-
    Kaspersky;4.0.2.24;2007.08.24;-
    McAfee;5104;2007.08.23;-
    Microsoft;1.2803;2007.08.24;-
    NOD32v2;2481;2007.08.24;-
    Norman;5.80.02;2007.08.23;-
    Panda;9.0.0.4;2007.08.24;-
    Prevx1;V2;2007.08.24;-
    Rising;19.37.32.00;2007.08.23;-
    Sophos;4.20.0;2007.08.24;-
    Sunbelt;2.2.907.0;2007.08.24;-
    Symantec;10;2007.08.24;-
    TheHacker;6.1.8.172;2007.08.23;-
    VBA32;3.12.2.3;2007.08.23;-
    VirusBuster;4.3.26:9;2007.08.23;-
    Webwasher-Gateway;6.0.1;2007.08.23;-

    Additional information
    File size: 27880 bytes
    MD5: 3e640b527d9f5b97e85889ca6ea7ba2f
    SHA1: f335efb35193683a2a8f7edffc7b9bab881c2ea1

    wzcaemon.exe.....

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.22.0 2007.08.23 -
    AntiVir 7.4.1.63 2007.08.23 -
    Authentium 4.93.8 2007.08.23 -
    Avast 4.7.1029.0 2007.08.23 -
    AVG 7.5.0.484 2007.08.23 -
    BitDefender 7.2 2007.08.24 -
    CAT-QuickHeal 9.00 2007.08.23 -
    ClamAV 0.91 2007.08.24 -
    DrWeb 4.33 2007.08.23 -
    eSafe 7.0.15.0 2007.08.23 -
    eTrust-Vet 31.1.5083 2007.08.24 -
    Ewido 4.0 2007.08.23 -
    FileAdvisor 1 2007.08.24 -
    Fortinet 2.91.0.0 2007.08.23 -
    F-Prot 4.3.2.48 2007.08.23 -
    F-Secure 6.70.13030.0 2007.08.24 -
    Ikarus T3.1.1.12 2007.08.23 -
    Kaspersky 4.0.2.24 2007.08.24 -
    McAfee 5104 2007.08.23 -
    Microsoft 1.2803 2007.08.24 -
    NOD32v2 2481 2007.08.24 -
    Norman 5.80.02 2007.08.23 -
    Panda 9.0.0.4 2007.08.24 -
    Prevx1 V2 2007.08.24 -
    Rising 19.37.32.00 2007.08.23 -
    Sophos 4.20.0 2007.08.24 -
    Sunbelt 2.2.907.0 2007.08.24 -
    Symantec 10 2007.08.24 -
    TheHacker 6.1.8.172 2007.08.23 -
    VBA32 3.12.2.3 2007.08.23 -
    VirusBuster 4.3.26:9 2007.08.23 -
    Webwasher-Gateway 6.0.1 2007.08.23 -

    Additional information
    File size: 24670 bytes
    MD5: 9bee291e052d0b915c9fe257ed6bee08
    SHA1: 57c97d035f1e0f6c99975e5190465b8f2d4443ab

    I wasn't able to find the last 2 files at the path you specified, so I did a regular Windows search on the file names. It showed that both files were located in C:\WINDOWS\Prefetch, and there were no other files on the PC with those names.

    HijackThis.....

    Logfile of HijackThis v1.99.1
    Scan saved at 4:33:05 PM, on 8/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
    O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
    O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
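As an added example (not from this thread and not VirusTotal's own code), the Python below parses the pasted text reports in both layouts that appear above, space-separated and semicolon-separated rows, counts detections, and compares the reported file size, MD5 and SHA1 against hashes of the file actually on disk, so a "no detections" result is only trusted when it belongs to the same bytes. The two sample reports and the sample file contents embedded in it are constructed; the function names are my own.

```python
"""Parse a pasted VirusTotal text report and confirm it describes the file you hold.

Added example; not VirusTotal's code. Handles the two row layouts seen in
this thread: "Engine Version Date Result" and "Engine;Version;Date;Result".
"""
import hashlib
import re

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")            # signature date, e.g. 2007.08.23
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes$")
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")


def parse_vt_report(text):
    """Return a dict with engine rows, detection count, size and hashes.

    A row is kept only when its third field looks like a signature date,
    which drops the header row and any chatter pasted around the report.
    """
    rows, size, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIZE_RE.match(line)
        if m:
            size = int(m.group(1))
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        if ";" in line:
            parts = [p.strip() for p in line.split(";", 3)]
        else:
            parts = line.split(None, 3)   # a detection name may itself contain spaces
        if len(parts) == 4 and DATE_RE.fullmatch(parts[2]):
            rows.append(tuple(parts))
    detections = sum(1 for r in rows if r[3] != "-")
    return {"rows": rows, "detections": detections, "size": size,
            "md5": hashes.get("md5"), "sha1": hashes.get("sha1")}


def local_hashes(data):
    """MD5 and SHA1 of the bytes you actually have (read the file in 'rb' mode)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def report_matches_file(report, data):
    """True only when size, MD5 and SHA1 in the report all match the local bytes.

    A clean report for some other file says nothing about the one on this PC.
    """
    md5, sha1 = local_hashes(data)
    return (report["size"] == len(data)
            and report["md5"] == md5
            and report["sha1"] == sha1)


# Constructed sample file: stands in for the bytes that were uploaded.
SAMPLE_BYTES = b"constructed sample contents, not a real program\n"
_md5, _sha1 = local_hashes(SAMPLE_BYTES)

# Constructed report in the whitespace layout, with one detection.
SAMPLE_REPORT_WS = f"""
Antivirus Version Last Update Result
AhnLab-V3 2007.8.22.0 2007.08.23 -
AntiVir 7.4.1.63 2007.08.23 -
Kaspersky 4.0.2.24 2007.08.24 Constructed.Detection.Name

Additional information
File size: {len(SAMPLE_BYTES)} bytes
MD5: {_md5}
SHA1: {_sha1}
"""

# Constructed report in the semicolon layout, no detections and no hash block.
SAMPLE_REPORT_SEMI = """
Antivirus;Version;Last Update;Result
ClamAV;0.91;2007.08.24;-
Sophos;4.20.0;2007.08.24;-
"""

if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_REPORT_WS)
    print(f"{rep['detections']}/{len(rep['rows'])} engines flagged the sample")
    print("report describes the local bytes:", report_matches_file(rep, SAMPLE_BYTES))
```

The size/hash comparison is the part worth keeping: in this thread the poster could not even find two of the files at the path given, so confirming that the hashes in a report match the file actually examined is what makes an all-dashes result meaningful.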
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi
    scanning hidden autostart entries ...
    scanning hidden files ...
    C:\WINDOWS\system32\wzcaemon.exe
    C:\WINDOWS\system32\drivers\ltmmspqm.sys
    scan completed successfully
    hidden files: 2

    Those are hidden files :D

    Probably they are god too :D

    But let's check if we can :D

    Go back to VirusTotal and copy those lines into the box:

    C:\WINDOWS\system32\wzcaemon.exe
    C:\WINDOWS\system32\drivers\ltmmspqm.sys

    Please send reports :D
  • EdoEdo
    edited August 2007
    Those specified paths didn't work with VirusTotal. Should I do a search on the files?
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Please open Notepad and copy and paste the quote box's text:
    Collect::
    C:\WINDOWS\system32\wzcaemon.exe
    C:\WINDOWS\system32\drivers\ltmmspqm.sys

    Save it under the name CFScript

    Then drag and drop CFScript onto ComboFix.exe, as shown below.

    CFScript.gif

    ComboFix will start running and scanning.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Reboot your computer and send the contents of the combofix.txt file in your response.

    Send a fresh HijackThis log too :D
  • EdoEdo
    edited August 2007
    Here are the requested logs....

    HijackThis....

    Logfile of HijackThis v1.99.1
    Scan saved at 13:23, on 2007-08-27
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
    O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
    O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    ComboFix.....

    ComboFix 07-08-17.2 - "Herbie's Stuff" 2007-08-27 13:11:43.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.101 [GMT -7:00]
    Command switches used :: C:\Documents and Settings\Herbie's Stuff\Desktop\CFScript.txt
    * Created a new restore point

    ((((((((((((((((((((((((( Files Created from 2007-07-27 to 2007-08-27 )))))))))))))))))))))))))))))))

    2007-08-24 00:13 44,416 --a C:\WINDOWS\SYSTEM32\drivers\stream.sys
    2007-08-23 15:59 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Template
    2007-08-22 06:43 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Lavasoft
    2007-08-20 17:11 51,200 --a C:\WINDOWS\nircmd.exe
    2007-08-18 02:37 <DIR> d C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-18 02:37 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-17 22:33 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Comodo
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-17 22:22 <DIR> d C:\Program Files\Comodo
    2007-08-17 20:06 <DIR> d C:\WINDOWS\SYSTEM32\ActiveScan
    2007-08-17 19:08 <DIR> d C:\Program Files\SpywareBlaster
    2007-08-17 17:49 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-17 16:06 <DIR> d C:\Program Files\Lavasoft
    2007-08-17 16:05 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-16 19:19 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-16 16:48 1,048,576 --ah C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-24 00:25 d--h C:\Program Files\InstallShield Installation Information
    2007-08-24 00:18 d C:\Program Files\Common Files\InstallShield
    2007-08-24 00:17 d C:\Program Files\WinMX
    2007-08-24 00:14 d C:\Program Files\Hasbro Interactive
    2007-08-24 00:13 d C:\Program Files\Creative
    2007-08-24 00:08 d C:\Program Files\Common Files\Real
    2007-08-24 00:07 d C:\Program Files\QuickTime
    2007-08-24 00:07 d C:\DOCUME~1\HERBIE~1\APPLIC~1\Real
    2007-08-24 00:02 d C:\Program Files\MusicMatch
    2007-08-24 00:00 d C:\Program Files\MSN Gaming Zone
    2007-08-23 23:58 d C:\Program Files\Microsoft Money
    2007-08-23 23:53 d C:\Program Files\InterActual
    2007-08-23 23:41 d C:\Program Files\Yahoo! Games
    2007-08-23 23:40 d C:\Program Files\BroadJump
    2007-08-23 23:39 d C:\Program Files\ArcSoft
    2007-08-23 23:35 d C:\Program Files\AIM95
    2007-08-23 23:24 d C:\Program Files\Common Files\AOL
    2007-08-23 15:53 d C:\Program Files\nba
    2007-08-22 16:07 d C:\Program Files\Common Files\qwif
    2007-08-17 19:59 d C:\Program Files\SBC Self Support Tool
    2007-08-17 19:50 d C:\Program Files\Pure Networks
    2007-08-17 19:47 d C:\Program Files\Yahoo!
    2007-08-17 19:24 d C:\Program Files\Google
    2007-08-17 16:10 9344 --a C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-17 16:10 8320 --a C:\WINDOWS\system32\drivers\AWRTRD.sys
    2003-04-19 07:38 3001 --a--c--- C:\Program Files\INSTALL.LOG

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-17 22:22]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=Narrator.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
    backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Kazaa Upgrade Suite3.exe
    backup=C:\WINDOWS\pss\Register Kazaa Upgrade Suite3.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1:]
    c:\hp\bin\hpdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abtu]
    C:\DOCUME~1\Owner\APPLIC~1\lopsearch.exe -QuieT
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAupdate]
    C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
    "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjrciyw]
    c:\windows\system32\uujadrd.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
    C:\Windows\system32\HpSrvUI.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
    c:\hp\drivers\scanners\scannerfb.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    c:\windows\system\hpsysdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgtqv]
    C:\WINDOWS\jgtqv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    C:\HP\KBD\KBD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
    "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    C:\Program Files\mcafee.com\Agent\mcagent.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    C:\Program Files\mcafee.com\Agent\mcupdate.exe /embedding
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    c:\Program Files\Microsoft Works\WkDetect.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
    C:\WINDOWS\NCLAUNCH.EXe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector]
    C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
    c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    C:\WINDOWS\system32\ps2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pujwkhu]
    c:\windows\system32\oarmcb.exe r
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    C:\WINDOWS\SMINST\RECGUARD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REWARDS NETWORK]
    C:\Program Files\Rewards Network\brntray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
    S3apphk.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
    C:\Program Files\SafeSurfing\SSUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMedia]
    C:\Program Files\MediaUpdate\UpdateMedia.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    C:\Program Files\mcafee.com\VSO\mcvsshld.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
    C:\Program Files\WildTangent\Apps\GameChannel.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xwqzltu]
    c:\windows\system32\wcgvtl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "KodakCCS"=2 (0x2)
    "AOLService"=2 (0x2)
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
    R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
    R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
    R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
    S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
    S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINDOWS\System32\Drivers\GT891x1.SYS
    S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
    S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINDOWS\System32\Drivers\GT890x.SYS
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 P101bVID;Creative WebCam;C:\WINDOWS\System32\DRIVERS\P101bVid.sys

    Contents of the 'Scheduled Tasks' folder
    2002-06-06 05:38:59 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-27 13:17:06
    Windows 5.1.2600 Service Pack 1 NTFS

    What's with the smileys? I didn't add those.....
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi,

    Same reason, I don't know; sometimes text changes to smileys :D
    It's nothing.

    Please open Notepad and copy and paste the quote box's text:
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjrciyw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgtqv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pujwkhu]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xwqzltu]

    Save it with the name CFScript.

    Then drag and drop CFScript onto ComboFix.exe as shown below.

    CFScript.gif

    ComboFix will start running and scanning.

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Reboot your computer and send the contents of the combofix.txt file in your response.

    Send a fresh HijackThis log too :D
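A small parser for the ComboFix msconfig\startupreg section shown in the logs above: it flags random-looking key names that launch an executable straight from the Windows or system32 folder (the gjrciyw / jgtqv / pujwkhu / xwqzltu pattern removed in this reply) and writes them out in the CFScript Registry:: format. This is an added example, not code from the thread or from ComboFix; the random-name rule is a rough triage heuristic for an analyst to review, and the sample lines are copied from the log above.

```python
import ntpath
import re

# Sample "Reg Loading Points" lines copied from the ComboFix log above.
# Each msconfig\startupreg key is followed by the command line it launches.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abtu]
C:\DOCUME~1\Owner\APPLIC~1\lopsearch.exe -QuieT
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM95\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gjrciyw]
c:\windows\system32\uujadrd.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgtqv]
C:\WINDOWS\jgtqv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pujwkhu]
c:\windows\system32\oarmcb.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xwqzltu]
c:\windows\system32\wcgvtl.exe
"""

STARTUPREG = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"
KEY_RE = re.compile(r"^\[" + re.escape(STARTUPREG) + r"\\(.+)\]$")
# First token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)
# Locations where a random-named executable has no business living.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
VOWELS = set("aeiou")


def parse_startupreg(log_text):
    """Return (key_name, command_line) pairs from the msconfig\\startupreg
    section. A key followed by a blank line (PopUpInspector.exe above)
    gets an empty command line."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = KEY_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        command = "" if nxt.startswith("[") else nxt
        entries.append((m.group(1), command))
    return entries


def launched_exe(command):
    """Extract the executable path from a startup command line, or None
    (rundll32 DLL launchers and blank entries are skipped)."""
    m = EXE_RE.match(command)
    return m.group(1) if m else None


def looks_random(name):
    """Heuristic: 5-8 lowercase letters with under 30% vowels. Vendor names
    such as hpsysdrv also match, which is why the directory check below
    is required as well."""
    if not (5 <= len(name) <= 8 and name.isalpha() and name.islower()):
        return False
    return sum(ch in VOWELS for ch in name) / len(name) < 0.3


def suspicious_entries(entries):
    """Key names worth an analyst's attention: random-looking name AND the
    target sits directly in the Windows or system32 folder."""
    flagged = []
    for name, command in entries:
        exe = launched_exe(command)
        if exe is None:
            continue
        if looks_random(name) and ntpath.dirname(exe).lower() in SYSTEM_DIRS:
            flagged.append(name)
    return flagged


def build_cfscript(key_names):
    """Render the deletion block in the CFScript format used in the reply."""
    lines = ["Registry::"]
    for name in key_names:
        lines.append("[-" + STARTUPREG + "\\" + name + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(suspicious_entries(parse_startupreg(SAMPLE_LOG))))
```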
  • EdoEdo
    edited August 2007
    Here are the requested logs.....


    HijackThis....

    Logfile of HijackThis v1.99.1
    Scan saved at 6:48:51 AM, on 8/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Herbie's Stuff\Desktop\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/omaha/omaha-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.1.34/aces/aces-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/alibaba-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.1.27/blackjack/blackjack-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://game1.pogo.com/applet-6.2.0.30/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.1.27/canasta/canasta-ob-assets.cab
    O16 - DPF: ChatSpace Full Java Client 2.1.0.95 - http://java.chatstar.net:8000/Java/cs4fs095.cab
    O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.2.3.36/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.2.1.34/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.2.2.51/domino/domino-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.30/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://game1.pogo.com/applet-6.2.1.34/greenback/greenback-ob-assets.cab
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.1.34/harvest/harvest-ob-assets.cab
    O16 - DPF: Its Outta Here 2 by pogo - http://game1.pogo.com/applet-6.2.1.34/itsoutofhere/itsoutofhere-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.2.1.34/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.2.1.27/gin/gin-ob-assets.cab
    O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.2.51/lottso/lottso-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game1.pogo.com/applet-6.2.2.51/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/paigow/paigow-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.1.41/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.3.36/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.2.1.34/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.51/pinochle/pinochle-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.2.0.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.34/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz2-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-6.2.0.30/slots/showbiz-ob-assets.cab
    O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.1.41/spades/spades-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/spider/spider-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.30/holdem/holdem-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.2.0.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game1.pogo.com/applet-6.2.3.36/turbo21/turbo21-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.2.0.37/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.1.34/whackdown/whackdown-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.3.39/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
    O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187403327421
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4396/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



    ComboFix....

    ComboFix 07-08-17.2 - "Herbie's Stuff" 2007-08-28 6:23:48.6 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.81 [GMT -7:00]
    Command switches used :: C:\Documents and Settings\Herbie's Stuff\Desktop\CFScript.txt
    * Created a new restore point

    ((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-28 )))))))))))))))))))))))))))))))

    2007-08-24 00:13 44,416 --a C:\WINDOWS\SYSTEM32\drivers\stream.sys
    2007-08-23 15:59 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Template
    2007-08-22 06:43 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Lavasoft
    2007-08-20 17:11 51,200 --a C:\WINDOWS\nircmd.exe
    2007-08-18 02:37 <DIR> d C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2007-08-18 02:37 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-17 22:33 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\HERBIE~1\APPLIC~1\Comodo
    2007-08-17 22:25 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-08-17 22:22 <DIR> d C:\Program Files\Comodo
    2007-08-17 20:06 <DIR> d C:\WINDOWS\SYSTEM32\ActiveScan
    2007-08-17 19:08 <DIR> d C:\Program Files\SpywareBlaster
    2007-08-17 17:49 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-08-17 16:06 <DIR> d C:\Program Files\Lavasoft
    2007-08-17 16:05 <DIR> d C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-16 19:19 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-16 16:48 1,048,576 --ah C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
    2007-08-16 16:48 <DIR> d C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2007-08-27 09:51 d C:\Program Files\Newahoo!
    2007-08-24 00:25 d--h C:\Program Files\InstallShield Installation Information
    2007-08-24 00:18 d C:\Program Files\Common Files\InstallShield
    2007-08-24 00:17 d C:\Program Files\WinMX
    2007-08-24 00:14 d C:\Program Files\Hasbro Interactive
    2007-08-24 00:13 d C:\Program Files\Creative
    2007-08-24 00:08 d C:\Program Files\Common Files\Real
    2007-08-24 00:07 d C:\Program Files\QuickTime
    2007-08-24 00:07 d C:\DOCUME~1\HERBIE~1\APPLIC~1\Real
    2007-08-24 00:02 d C:\Program Files\MusicMatch
    2007-08-24 00:00 d C:\Program Files\MSN Gaming Zone
    2007-08-23 23:58 d C:\Program Files\Microsoft Money
    2007-08-23 23:53 d C:\Program Files\InterActual
    2007-08-23 23:41 d C:\Program Files\Yahoo! Games
    2007-08-23 23:40 d C:\Program Files\BroadJump
    2007-08-23 23:39 d C:\Program Files\ArcSoft
    2007-08-23 23:35 d C:\Program Files\AIM95
    2007-08-23 23:24 d C:\Program Files\Common Files\AOL
    2007-08-23 15:53 d C:\Program Files\nba
    2007-08-22 16:07 d C:\Program Files\Common Files\qwif
    2007-08-17 19:59 d C:\Program Files\SBC Self Support Tool
    2007-08-17 19:50 d C:\Program Files\Pure Networks
    2007-08-17 19:47 d C:\Program Files\Yahoo!
    2007-08-17 19:24 d C:\Program Files\Google
    2007-08-17 16:10 9344 --a C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-17 16:10 8320 --a C:\WINDOWS\system32\drivers\AWRTRD.sys
    2003-04-19 07:38 3001 --a--c--- C:\Program Files\INSTALL.LOG

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
    "COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-08-17 22:22]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="c:\Program Files\Microsoft Works\WkDetect.exe" []
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"=Narrator.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Date Manager.lnk
    backup=C:\WINDOWS\pss\Date Manager.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
    backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Register Kazaa Upgrade Suite3.exe
    backup=C:\WINDOWS\pss\Register Kazaa Upgrade Suite3.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1:]
    c:\hp\bin\hpdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\abtu]
    C:\DOCUME~1\Owner\APPLIC~1\lopsearch.exe -QuieT
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM95\aim.exe -cnetwait.odl
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAupdate]
    C:\Program Files\NavEnhance\DoubleAgent\DAupdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer4_in_1]
    "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\System32\hkcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
    C:\Windows\system32\HpSrvUI.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
    c:\hp\drivers\scanners\scannerfb.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    c:\windows\system\hpsysdrv.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\System32\igfxtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    C:\HP\KBD\KBD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
    "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    c:\Program Files\Microsoft Works\WkDetect.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCLaunch]
    C:\WINDOWS\NCLAUNCH.EXe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Omnipage]
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector]
    C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
    c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    C:\WINDOWS\system32\ps2.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    C:\WINDOWS\SMINST\RECGUARD.EXE
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REWARDS NETWORK]
    C:\Program Files\Rewards Network\brntray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
    S3apphk.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeSurfingUpdate]
    C:\Program Files\SafeSurfing\SSUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateMedia]
    C:\Program Files\MediaUpdate\UpdateMedia.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zero Knowledge Freedom]
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "KodakCCS"=2 (0x2)
    "AOLService"=2 (0x2)
    R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
    R1 avipbb;avipbb;C:\WINDOWS\System32\DRIVERS\avipbb.sys
    R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\System32\DRIVERS\DcCam.sys
    R1 ProsSvc;ProsSvc;\??\C:\WINDOWS\System32\drivers\ltmmspqm.sys
    R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
    R2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\System32\drivers\dcfs2k.sys
    R3 trid3d;trid3d;C:\WINDOWS\System32\DRIVERS\trid3dm.sys
    S1 Exportit;Exportit;C:\WINDOWS\System32\DRIVERS\exportit.sys
    S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINDOWS\System32\Drivers\GT891x1.SYS
    S3 DcFpoint;DcFpoint;C:\WINDOWS\System32\DRIVERS\DcFpoint.sys
    S3 DcLps;Legacy Polling Service;C:\WINDOWS\System32\DRIVERS\DcLps.sys
    S3 DcPTP;dcptp;C:\WINDOWS\System32\DRIVERS\DcPTP.sys
    S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINDOWS\System32\Drivers\GT890x.SYS
    S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S3 P101bVID;Creative WebCam;C:\WINDOWS\System32\DRIVERS\P101bVid.sys

    Contents of the 'Scheduled Tasks' folder
    2002-06-06 05:38:59 C:\WINDOWS\Tasks\Registration reminder 1.job - C:\WINDOWS\System32\OOBE\oobebaln.exe
    **************************************************************************
    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-28 06:30:11
    Windows 5.1.2600 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    **************************************************************************
    Completion time: 2007-08-28 6:31:54
    C:\ComboFix-quarantined-files.txt ... 2007-08-28 06:31
    --- E O F ---
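The `startupreg` keys, the `services` values and the `R0`/`R1`/`S3` driver lines above are the part of a ComboFix log a helper reads by hand. As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage script that parses those two record shapes and attaches review flags: an empty value, a bare executable name that is found by search order rather than by path, an unquoted path with spaces, a `rundll32` host, a driver image written in `\??\` object-namespace form, and a driver image outside `System32\drivers`. The flags are prompts to look closer, not verdicts; several entries in the posted log trip them and are legitimate. The sample input is constructed from lines in the log above plus one invented driver line (`DemoDrv`) so that the last check fires.

```python
"""Triage the startup-entry and driver lines of a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the two
record shapes in the posted log (a startupreg key followed by its command
line, and "<R|S><n> svc;display;image" driver lines) and attaches review
flags. Flags are prompts to look closer, not verdicts.
"""
import re

# Constructed sample: every line but the last is copied from the posted log;
# "DemoDrv" is invented here to exercise the out-of-tree driver check.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector]
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpInspector.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3apphk]
S3apphk.exe
R1 ProsSvc;ProsSvc;\??\C:\WINDOWS\System32\drivers\ltmmspqm.sys
R1 ssmdrv;ssmdrv;C:\WINDOWS\System32\DRIVERS\ssmdrv.sys
S3 DemoDrv;constructed example;C:\Program Files\Demo\demo.sys
"""

STARTUP_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
DRIVER_LINE = re.compile(r"^(?P<kind>[RS])(?P<start>\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"


def split_command(cmd):
    r"""Split a Run-style command line into (executable, arguments, was_quoted).

    Quoted: "C:\dir with spaces\app.exe" /arg. Unquoted: cut after the first
    .exe so a path containing spaces survives."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip(), True
    m = re.search(r"\.exe\b", cmd, re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip(), False
    head, _, tail = cmd.partition(" ")
    return head, tail.strip(), False


def triage_startup(cmd):
    """Heuristic review flags for one startup command line."""
    if not cmd.strip():
        return ["empty"]  # key present, no command: stale or stripped entry
    exe, _args, quoted = split_command(cmd)
    flags = []
    if "\\" not in exe:
        # Bare file name: found by the loader's search order, so a same-named
        # file in an earlier search directory is the one that would run.
        flags.append("bare-name")
    elif not quoted and " " in exe:
        flags.append("unquoted-space")  # executable boundary is ambiguous
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        flags.append("rundll32-host")  # the DLL in the arguments is what runs
    return flags


def triage_driver(image):
    """Heuristic review flags for one driver image path."""
    flags, path = [], image
    if path.startswith("\\??\\"):
        # NT object-namespace form rather than a plain Win32 path: legitimate
        # for some drivers, but it stands out in a listing.
        flags.append("nt-object-path")
        path = path[4:]
    if not path.lower().startswith(DRIVERS_DIR):
        flags.append("outside-drivers-dir")
    return flags


def parse_log(text):
    """One record per startup entry or driver line, each with its flags."""
    lines, records, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i].strip()
        key = STARTUP_KEY.match(line)
        drv = DRIVER_LINE.match(line)
        if key:
            # The value is on the next line; a blank line means an empty value.
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            if STARTUP_KEY.match(nxt) or DRIVER_LINE.match(nxt):
                nxt = ""  # next line starts a new record, so no value here
            else:
                i += 1
            records.append({"type": "startup", "name": key.group("name"),
                            "command": nxt, "flags": triage_startup(nxt)})
        elif drv:
            records.append({"type": "driver", "name": drv.group("svc"),
                            "command": drv.group("image"),
                            "flags": triage_driver(drv.group("image"))})
        i += 1
    return records


def report(text):
    """Formatted lines, flagged entries first."""
    recs = sorted(parse_log(text), key=lambda r: (not r["flags"], r["name"].lower()))
    return [f"{r['type']:<7} {r['name']:<20} [{', '.join(r['flags']) or 'ok'}] {r['command']}"
            for r in recs]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved log and read the flagged lines first; a flag means "confirm this one" (check the file on disk, its publisher and its date), never "delete this one", since the posted log shows benign entries such as the NVIDIA `RUNDLL32` applet and the `S3apphk.exe` hook tripping the same heuristics.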
  • Nuppi South Ostrobothnia (Finland)
    edited August 2007
    Logs look good :D

    How about the problem?
  • Edo
    edited August 2007
    The PC is working superbly! Is it safe to say that it's virus-free now? If so, should I upgrade it to SP2?
  • Nuppi South Ostrobothnia (Finland)
    edited August 2007
    Hi, good to hear.

    Absolutely, update now because it should be clean now :D

    Here are some tips to stay clean:

    Now that you're clean, here are some tips on how to stay clean.

    -> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    -> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
    This will clear the system restore folders of possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

    -> Use CCleaner -> http://www.ccleaner.com
    Download and install CCleaner. Clean your registry and temporary files with it regularly.

    -> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
    Download and install Ad-Aware. Update it and scan your computer regularly with it.

    -> Use Ewido -> http://www.ewido.net/en
    Download and install Ewido. Update it and scan your computer regularly with it.

    -> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster will prevent spyware from being installed on your computer.

    -> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
    This prevents your computer from connecting to harmful sites.

    -> Change your browser to Firefox -> http://www.mozilla.org
    Firefox is a faster, safer and quicker browser than Internet Explorer.

    -> Keep your system up-to-date -> http://windowsupdate.microsoft.com
    Visit Windows Update regularly.

    -> Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.

    -> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
    So how did I get infected in the first place?

    Stay clean ;)
  • Edo
    edited August 2007
    Thanks for all of your help, Nuppi. You've been a tremendous help with this PC. This is why I always come here if I have an issue.
  • jmoney3457 Maine
    edited August 2007
    Thread resolved & now closed. If you (original topic starter) need this thread reopened, please PM one of the spyware mods or an admin :)
This discussion has been closed.