Trojan Downloader (Solved)

Unknown · December 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07:20, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Gary Burden\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/winifreda/oqldxtuo.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terranova.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Dantz Development Corporation - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 13155 bytes

Kodiac · December 2008

This is the log with normal boot:

Inline Attachment Follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:11, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Gary Burden\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/winifreda/oqldxtuo.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terranova.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Dantz Development Corporation - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 14314 bytes

Katana · December 2008

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

Download and Run RSIT

Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
- log.txt will be opened maximized.
- info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.

Kodiac · December 2008

Thanks for your help! My computer has a problem staying booted when running programs but i did get this!

Inline Attachment Follows

Logfile of random's system information tool 1.04 (written by random/random)
Run by Gary Burden at 2008-12-01 18:44:14
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 32 GB (43%) free of 74 GB
Total RAM: 3071 MB (79% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:49, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\TPPALDR.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PerSono\perstray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
H:\RSIT.exe
C:\Documents and Settings\Gary Burden\Desktop\Gary Burden.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/winifreda/oqldxtuo.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terranova.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Dantz Development Corporation - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 14382 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-06-17 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-03-03 5375032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-06-17 131072]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-03-03 5375032]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-06-23 4734976]
"nwiz"=nwiz.exe /install []
"UpdReg"=C:\WINDOWS\Updreg.exe [2000-05-11 90112]
"TPP Auto Loader"=C:\WINDOWS\TPPALDR.EXE [2001-10-05 118784]
"RegistryMechanic"= []
""= []
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [2005-08-24 442455]
"SpyHunter Security Suite"=C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2008-10-08 864256]
"TrojanScanner"=C:\Program Files\Trojan Remover\Trjscan.exe [2008-11-22 1231240]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"Uniblue SpyEraser"= []
"FreeRAM XP"=C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [2006-03-22 1591808]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2000-10-11 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2000-10-11 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccExtractorService"=2
"LiveUpdate Notice Service"=3
"LiveUpdate Notice Ex"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Perstray.lnk - C:\Program Files\PerSono\perstray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll [2007-08-23 204864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6809e580-a3a7-11d1-9a00-00a0c945b006}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=5F000000
""=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MIRC\mirc.exe"="C:\Program Files\MIRC\mirc.exe:*:Enabled:mIRC"
"C:\Program Files\eSignal\winros.exe"="C:\Program Files\eSignal\winros.exe:*:Enabled:eSignal Data Manager"
"C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe"="C:\Program Files\Java\j2re1.4.2_04\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\Microprose\Grand Prix 3 Demo\GP3.exe"="C:\Program Files\Microprose\Grand Prix 3 Demo\GP3.exe:*:Enabled:GP3"
"C:\Program Files\eSignal\winsig.exe"="C:\Program Files\eSignal\winsig.exe:*:Enabled:ws"
"C:\WINDOWS\system32\jview.exe"="C:\WINDOWS\system32\jview.exe:*:Enabled:MicrosoftÂ® VM Command Line Interpreter"
"C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player"
"C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe"="C:\Program Files\Java\j2re1.4.2_06\bin\javaw.exe:*:Enabled:javaw"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox"
"C:\Documents and Settings\Gary Burden\Desktop\EChat.exe"="C:\Documents and Settings\Gary Burden\Desktop\EChat.exe:*:Enabled:EChat"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Documents and Settings\Gary Burden\Desktop\EChat-1.exe"="C:\Documents and Settings\Gary Burden\Desktop\EChat-1.exe:*:Enabled:EChat-1"
"C:\Documents and Settings\Gary Burden\Desktop\EChat-2.exe"="C:\Documents and Settings\Gary Burden\Desktop\EChat-2.exe:*:Enabled:EChat-2"
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\ENSIGN\Ensign.exe"="C:\ENSIGN\Ensign.exe:*:Enabled:Ensign Windows"
"C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe:*:Enabled:The Shield Deluxe 2008"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-01 18:44:13 ----D---- C:\rsit
2008-11-30 23:30:01 ----D---- C:\Program Files\XoftSpySE
2008-11-30 15:36:47 ----D---- C:\Program Files\Spyware Doctor
2008-11-30 15:36:47 ----D---- C:\Documents and Settings\Gary Burden\Application Data\PC Tools
2008-11-30 15:30:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-30 15:30:11 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-30 15:30:10 ----D---- C:\Documents and Settings\Gary Burden\Application Data\Simply Super Software
2008-11-29 21:42:27 ----A---- C:\WINDOWS\system32\tmp.txt
2008-11-29 21:39:45 ----A---- C:\rapport.txt
2008-11-29 20:59:27 ----D---- C:\Program Files\LimeWire
2008-11-28 23:32:58 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-12 22:52:13 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 22:51:31 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 22:50:25 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-10 23:09:59 ----N---- C:\WINDOWS\system32\msexch35.dll
2008-11-10 23:09:54 ----N---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-10 23:09:50 ----N---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-10 23:09:48 ----N---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-10 23:09:46 ----N---- C:\WINDOWS\system32\DKSGS.dll
2008-11-10 23:09:39 ----D---- C:\Program Files\PCCW DEMO
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\tls704d.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\tifftek32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\rdmsys.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\qpro32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\ipinplus32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\cmeparse.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\NOVA_API.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\eNC430SO.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\ARWizard.DLL
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\ardesign.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vxncom.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vpp201.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vhelper.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vcontrolobject.dll
2008-11-10 23:09:31 ----N---- C:\WINDOWS\system32\GORAS.dll
2008-11-10 23:09:31 ----N---- C:\WINDOWS\system32\Ent1000SO.DLL
2008-11-10 23:09:30 ----N---- C:\WINDOWS\system32\pictplus60.dll
2008-11-10 23:09:30 ----N---- C:\WINDOWS\system32\eNCrypt2100So.dll
2008-11-10 23:09:30 ----N---- C:\WINDOWS\system32\Cmr430so.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMXUtil.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMTIFF.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMSO.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMMICR.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMCO.dll
2008-11-08 12:41:08 ----D---- C:\Documents and Settings\All Users\Application Data\FreeRIP
2008-11-08 12:41:02 ----D---- C:\Program Files\FreeRIP3
2008-11-08 12:39:50 ----A---- C:\freeripmp3.exe
2008-11-08 12:31:49 ----D---- C:\Program Files\ABC Amber Audio Converter

======List of files/folders modified in the last 1 months======

2008-12-01 18:44:49 ----D---- C:\temp
2008-12-01 18:44:16 ----D---- C:\WINDOWS\Prefetch
2008-12-01 18:43:24 ----D---- C:\WINDOWS\Temp
2008-12-01 18:42:21 ----D---- C:\Program Files\Mozilla Thunderbird
2008-12-01 18:42:19 ----D---- C:\WINDOWS\system32\drivers
2008-12-01 15:52:39 ----D---- C:\Program Files\Mozilla Firefox
2008-12-01 01:08:59 ----D---- C:\Documents and Settings\All Users\Application Data\PCSecurityShield
2008-12-01 00:51:29 ----D---- C:\WINDOWS\system32
2008-11-30 23:30:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-30 23:30:06 ----SD---- C:\WINDOWS\Tasks
2008-11-30 23:30:01 ----D---- C:\Program Files
2008-11-30 16:18:57 ----D---- C:\Program Files\Security Task Manager
2008-11-30 15:30:24 ----D---- C:\Program Files\Trojan Remover
2008-11-30 10:04:50 ----D---- C:\WINDOWS\network diagnostic
2008-11-29 23:44:33 ----D---- C:\Program Files\Enigma Software Group
2008-11-29 21:05:12 ----D---- C:\WINDOWS\system32\config
2008-11-29 21:03:49 ----D---- C:\WINDOWS\system32\wbem
2008-11-29 21:03:46 ----D---- C:\WINDOWS\Registration
2008-11-29 21:02:04 ----D---- C:\WINDOWS
2008-11-29 21:01:35 ----HD---- C:\WINDOWS\inf
2008-11-29 03:07:39 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-24 11:27:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-19 18:33:41 ----D---- C:\Gary's Files
2008-11-13 00:49:00 ----D---- C:\My Music
2008-11-13 00:48:58 ----D---- C:\MIRC trading script_files
2008-11-13 00:48:58 ----D---- C:\Jts
2008-11-13 00:48:55 ----D---- C:\Charts
2008-11-12 22:52:19 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-12 22:51:54 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 22:51:47 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 22:49:35 ----D---- C:\Config.Msi
2008-11-12 22:49:30 ----SHD---- C:\WINDOWS\Installer
2008-11-12 22:49:25 ----D---- C:\WINDOWS\WinSxS
2008-11-12 10:33:08 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-10 23:09:27 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-08 12:45:00 ----A---- C:\WINDOWS\cdplayer.ini
2008-11-08 12:30:59 ----D---- C:\unzipped
2008-11-07 02:21:49 ----D---- C:\WINDOWS\Help
2008-11-05 00:11:20 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-03 19:10:25 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2006-09-12 25244]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-04-07 9072]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-04-07 9200]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2003-07-26 241280]
R1 hmonitor;hmonitor; \??\C:\WINDOWS\system32\drivers\hmonitor.sys []
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 klif;Klif; \??\C:\WINDOWS\system32\drivers\klif.sys []
R1 pwd_2K;pwd_2K; C:\WINDOWS\system32\drivers\pwd_2K.sys [2003-07-26 144250]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2003-07-26 206464]
R1 VIAPFD;VIAPFD; C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-12-18 3279]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 GBFSHook;GBFSHook; C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 15024]
R2 HPFECP13;HPFECP13; C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-24 52800]
R2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%; C:\WINDOWS\System32\Drivers\ousbehci.sys [2002-01-31 26752]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver; C:\WINDOWS\System32\DRIVERS\uacflt.sys [2002-05-03 21276]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2001-09-11 110084]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2001-09-11 11036]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2001-09-11 207648]
R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2003-07-26 25930]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM); C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-10-02 1757928]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2001-09-11 154284]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2003-07-26 30662]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2005-04-23 28276]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-06-23 1324779]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2001-09-11 186944]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support; C:\WINDOWS\System32\DRIVERS\ousb2hub.sys [2002-01-31 40704]
R3 rtl8139;Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-23 25434]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2002-06-20 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2002-06-20 39776]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect); C:\WINDOWS\System32\DRIVERS\LwAdiHid.sys [2002-08-29 20864]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 nm;Network Monitor Driver; C:\WINDOWS\System32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCAMPR5.SYS []
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\System32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 TPP300;USB Storage Adapter V3 (TPP); C:\WINDOWS\System32\DRIVERS\TPP300.SYS [2001-10-05 33669]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WmAdiHid;Logitech WingMan Digital Devices Driver; C:\WINDOWS\system32\drivers\WmAdiHid.sys [2001-11-06 20192]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2002-06-20 5728]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R01000000 papycpu2;papycpu2; C:\WINDOWS\system32\drivers\papycpu2.sys [2001-11-19 1984]
R01000000 papyjoy;papyjoy; C:\WINDOWS\system32\drivers\papyjoy.sys [2001-11-19 1856]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-13 44032]
R2 GBPoll;GBPoll; C:\Program Files\Roxio\GoBack\GBPoll.exe [2002-01-21 507904]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-06-23 73728]
R2 RetroLauncher;Retrospect Launcher; C:\Program Files\Dantz\Retrospect\retrorun.exe [2001-10-25 40960]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-01-23 1251720]
R2 UTSCSI;USBest Service Zero; C:\WINDOWS\system32\UTSCSI.EXE [2006-08-24 45568]
R2 Ventrilo;Ventrilo; C:\Program Files\VentSrv\ventrilo_svc.exe [2005-07-13 65536]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 Retrospect Helper;Retrospect Helper; C:\Program Files\Dantz\Retrospect\rthlpsvc.exe [2001-10-25 53248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 AVP;The Shield Deluxe 2008; C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe [2007-08-23 200768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2006-08-20 68096]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

EOF

Katana · December 2008

Information

The following program/s are regarded as either "Rogue", being bundled with "Adware" or having dubious reputations
XoftSpy << Used to be listed as Rogue
I recommend that you remove Via Add/Remove Programs

Registry Cleaners

Re. Uniblue SpeedUpMyPC

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html

Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 2

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Step 3

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

MalwareBytes Log
ComboFix Log
C:\RSIT\Info.txt
How are things running now ?

Kodiac · December 2008

Do you see anything that would make the PC so unstable because running scans is hit and miss before it reboots. Also, the original Trojan came in via Limewire and I removed it. I see that on bootup the registry reloads Limewire and disables Firefox. Just my observations before the next steps!

Kodiac · December 2008

I installed the malwareBytes and it ran for about 8 minutes and rebooted! How do I get around the shutdowns? That was the first thing that happened when the virus launched!

Note: I just ran malware again and it ran for 30 minutes and rebooted. I'm not sure what to do now?

Katana · December 2008

Try step 2 first, and then run MalwareBytes

Kodiac · December 2008

I ran combofix and a background program shut it down. I wasn't able to boot for a few minutes but went back into safe mode and got this.I'm working on Malware now.

----Inline Attachment Follows

ComboFix 08-12-01.01 - Gary Burden 2008-12-02 9:38:11.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2672 [GMT -5:00]
Running from: H:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run

.
C:\setup.exe
C:\WINDOWS\system32\klogon.dll
C:\WINDOWS\system32\pictplus60.dll
D:\Autorun.inf
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-02 09:13 . 2008-12-02 09:42 53,248 --a

C:\temp\catchme.dll
2008-12-02 09:12 . 2008-12-02 09:12 <DIR> d

C:\temp\WPDNSE
2008-12-01 20:16 . 2008-12-01 20:16 <DIR> d

C:\Documents and Settings\Gary Burden\Application Data\Malwarebytes
2008-12-01 20:16 . 2008-10-22 16:10 38,496 --a

C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-01 20:16 . 2008-10-22 16:10 15,504 --a

C:\WINDOWS\system32\drivers\mbam.sys
2008-12-01 20:15 . 2008-12-01 21:48 <DIR> d

C:\Program Files\Malwarebytes' Anti-Malware
2008-12-01 20:15 . 2008-12-01 20:15 <DIR> d

C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-01 18:44 . 2008-12-01 18:45 <DIR> d

C:\rsit
2008-11-30 23:30 . 2008-12-01 00:52 <DIR> d

C:\Program Files\XoftSpySE
2008-11-30 15:37 . 2008-08-25 12:36 81,288 --a

C:\WINDOWS\system32\drivers\iksyssec.sys
2008-11-30 15:37 . 2008-08-25 12:36 66,952 --a

C:\WINDOWS\system32\drivers\iksysflt.sys
2008-11-30 15:37 . 2008-08-25 12:36 40,840 --a

C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-11-30 15:37 . 2008-06-02 16:19 29,576 --a

C:\WINDOWS\system32\drivers\kcom.sys
2008-11-30 15:36 . 2008-12-01 02:34 <DIR> d

C:\Program Files\Spyware Doctor
2008-11-30 15:36 . 2008-11-30 15:36 <DIR> d

C:\Documents and Settings\Gary Burden\Application Data\PC Tools
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

C:\Documents and Settings\Gary Burden\Application Data\Simply Super Software
2008-11-30 15:30 . 2008-12-02 09:36 <DIR> d-a

C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-30 15:30 . 2006-05-25 14:52 162,304 --a

C:\WINDOWS\system32\ztvunrar36.dll
2008-11-30 15:30 . 2003-02-02 19:06 153,088 --a

C:\WINDOWS\system32\UNRAR3.dll
2008-11-30 15:30 . 2005-08-26 00:50 77,312 --a

C:\WINDOWS\system32\ztvunace26.dll
2008-11-30 15:30 . 2002-03-06 00:00 75,264 --a

C:\WINDOWS\system32\unacev2.dll
2008-11-30 15:30 . 2006-06-19 12:01 69,632 --a

C:\WINDOWS\system32\ztvcabinet.dll
2008-11-30 10:07 . 2008-12-02 09:12 <DIR> d

C:\temp\35K3F6OI
2008-11-29 23:44 . 2008-12-02 09:12 <DIR> d

C:\temp\35J84QL2
2008-11-29 21:42 . 2008-11-29 21:57 1,870 --a

C:\WINDOWS\system32\tmp.reg
2008-11-29 20:59 . 2008-11-29 20:59 <DIR> d

C:\Program Files\LimeWire
2008-11-28 17:22 . 2008-12-02 09:12 <DIR> d

C:\temp\plugtmp-2
2008-11-21 21:53 . 2008-11-22 03:28 54,156 --ah

C:\WINDOWS\QTFont.qfn
2008-11-21 21:53 . 2008-11-21 21:53 1,409 --a

C:\WINDOWS\QTFont.for
2008-11-20 11:01 . 2008-11-20 11:01 <DIR> d---s---- C:\temp\Temporary Internet Files
2008-11-20 11:01 . 2008-11-20 11:01 <DIR> d---s---- C:\temp\History
2008-11-20 11:01 . 2008-11-29 22:05 <DIR> d---s---- C:\temp\Cookies
2008-11-11 21:43 . 2008-09-04 12:15 1,106,944

c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2008-11-11 21:43 . 2008-10-24 06:21 455,296

c--- C:\WINDOWS\system32\dllcache\mrxsmb.sys
2008-11-10 23:09 . 2008-11-12 10:32 <DIR> d

C:\Program Files\PCCW DEMO
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

C:\Program Files\FreeRIP3
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

C:\Documents and Settings\All Users\Application Data\FreeRIP
2008-11-08 12:39 . 2008-11-08 12:40 1,892,336 --a

C:\freeripmp3.exe
2008-11-08 12:31 . 2008-11-08 12:38 <DIR> d

C:\Program Files\ABC Amber Audio Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 23:42

d

w C:\Program Files\Mozilla Thunderbird
2008-12-01 06:08

d

w C:\Documents and Settings\All Users\Application Data\PCSecurityShield
2008-11-30 21:18

d

w C:\Program Files\Security Task Manager
2008-11-30 20:30

d

w C:\Program Files\Trojan Remover
2008-11-30 14:47 1,834,016 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-11-30 04:44

d

w C:\Program Files\Enigma Software Group
2008-11-29 01:47 36,469,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-11-24 16:27 492,128 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-11-24 16:27 176,024 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-11-12 15:33

d

w C:\Program Files\Common Files\InstallShield
2008-11-11 04:09

d--h--w C:\Program Files\InstallShield Installation Information
2008-10-30 14:37

d

w C:\Program Files\VDOWNLOADER
2008-10-30 14:35 8,192 ----a-w C:\ntuser.dat
2008-10-29 22:32

d

w C:\Program Files\MSECACHE
2008-10-29 16:15

d

w C:\Documents and Settings\Gary Burden\Application Data\LimeWire
2008-10-29 13:43

d

w C:\Program Files\SourceTec
2008-10-27 04:16

d

w C:\Program Files\Test My Hardware
2008-10-25 05:54

d

w C:\Program Files\Google
2008-10-25 05:53 7,824,960 ----a-w C:\picasa3-setup.exe
2008-10-25 05:46 3,606,725 ----a-w C:\vdownloader.zip
2008-10-24 11:21 455,296

w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-10-24 00:18 2,302,017 ----a-w C:\WINDOWS\system32\GPhotos.scr
2008-10-23 03:44 98,528 ----a-w C:\Documents and Settings\Gary Burden\Application Data\GDIPFONTCACHEV1.DAT
2008-10-16 19:13 202,776 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w C:\WINDOWS\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w C:\WINDOWS\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w C:\WINDOWS\system32\wups.dll
2008-10-13 06:20

d

w C:\Program Files\WinAVI Video Converter
2008-10-13 06:19 4,526,458 ----a-w C:\WinAVI_Video_Converter.exe
2008-09-30 21:43 1,286,152 ----a-w C:\WINDOWS\system32\msxml4.dll
2008-09-15 12:12 1,846,400

w C:\WINDOWS\system32\win32k.sys
2008-09-10 01:14 1,307,648

w C:\WINDOWS\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w C:\WINDOWS\system32\msxml3.dll
2007-12-11 01:49 32

w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866

w C:\Program Files\Common Files\tppupd2k.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 23:13 1591808]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 17:16 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-23 15:24 4734976]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 03:00 90112]
"TPP Auto Loader"="C:\WINDOWS\TPPALDR.EXE" [2001-10-05 11:54 118784]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 06:51 442455]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-10-08 16:30 864256]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-11-22 17:48 1231240]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-08-25 12:36 1168264]
"nwiz"="nwiz.exe" [2003-06-23 15:24 323584 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2002-06-29 15:53:29 524288]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
Perstray.lnk - C:\Program Files\PerSono\perstray.exe [2004-03-05 18:58:51 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccExtractorService"=2 (0x2)
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microprose\\Grand Prix 3 Demo\\GP3.exe"=
"C:\\WINDOWS\\system32\\jview.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\javaw.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\ENSIGN\\Ensign.exe"=
"C:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10001:TCP"= 10001:TCP:Ensign Windows

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-06-19 18:54:55 26752]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;C:\WINDOWS\system32\DRIVERS\uacflt.sys [2004-03-05 18:58:52 21276]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-06-19 18:54:55 40704]
S1 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys [2008-06-04 10:30:16 10536]
S2 HPFECP13;HPFECP13;C:\WINDOWS\system32\drivers\HPFECP13.SYS [1998-09-24 21:40:24 52800]
S2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 22:57:18 6144]
S3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-10-02 15:06:30 1757928]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys [2002-07-15 18:17:50 20864]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-12-01 20:16:00 38496]
S3 TPP300;USB Storage Adapter V3 (TPP);C:\WINDOWS\system32\DRIVERS\TPP300.SYS [2002-08-11 21:47:35 33669]
S3 WmAdiHid;Logitech WingMan Digital Devices Driver;C:\WINDOWS\system32\drivers\WmAdiHid.sys [2001-11-06 19:08:50 20192]
S4 hpt3xx;hpt3xx; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-02-29 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-12-02 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]

2008-12-01 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Uniblue SpyEraser - (no file)
HKLM-Run-RegistryMechanic - (no file)
ShellExecuteHooks-{6809e580-a3a7-11d1-9a00-00a0c945b006} - (no file)

.

Supplementary Scan

.
FireFox -: Profile - C:\Documents and Settings\Gary Burden\Application Data\Mozilla\Firefox\Profiles\zpojcoi7.Gary\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Google\Picasa3\npPicasa3.dll
FF -: plugin - C:\Program Files\QuickTime\Plugins\npqtplugin8.dll
.

Kodiac · December 2008

During the scan PC shield blocked pws-blancos. Thought this might help.

Note: Just ran Malware again. It ran for 40 minutes and rebooted. I'll keep trying as I have to wait for a period of time to reboot or the PC justs shuts down? I went into the bios and checked voltages and temps and found no problems. I just can't figure what's shutting the system down.

Kodiac · December 2008

The MalwareBytes scanned for 2 hours and then rebooted. I did a quick scan as below.

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

2008-12-02 15:13:29
mbam-log-2008-12-02 (15-13-14).txt

Scan type: Quick Scan
Objects scanned: 54481
Time elapsed: 14 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Explorer.sav (Heuristics.Reserved.Word.Exploit) -> No action taken.

I then ran Hijack again and got this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:14, on 2008-12-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\Gary Burden\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terranova.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PsExec (PSEXESVC) - Sysinternals - C:\WINDOWS\PSEXESVC.EXE
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Dantz Development Corporation - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 13486 bytes

Katana · December 2008

Please do the following, and then try MBAM again

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

KillAll::
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=-
"UpdReg"=-
"SpyHunter Security Suite"=-
"TrojanScanner"=-
"ISTray"=-
ADS::

Save this as CFScript.txt and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Kodiac · December 2008

I finally got Combofix to run the code after several failures. It went through 50 steps and then rebooted which it continued to do and gave me no chance to log on! I got no log file.

Katana · December 2008

Please post a fresh RSIT log

Kodiac · December 2008

I got logged on and ComboFix reported this:

ComboFix 08-12-01.01 - Gary Burden 2008-12-03 6:29:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2589 [GMT -5:00]
Running from: c:\documents and settings\Gary Burden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary Burden\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-03 07:33 . 53,248 c:\temp\catchme.dll
2008-12-03 07:31 . 2008-12-03 07:31 <DIR> d

c:\temp\WPDNSE
2008-12-03 07:31 . 2008-12-03 07:31 16,384 --a----t- c:\temp\Perflib_Perfdata_130.dat
2008-12-02 21:41 . 2008-12-03 07:31 <DIR> d

c:\temp\~nsu.tmp
2008-12-01 20:16 . 2008-12-01 20:16 <DIR> d

c:\documents and settings\Gary Burden\Application Data\Malwarebytes
2008-12-01 20:16 . 2008-10-22 16:10 38,496 --a

c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:16 . 2008-10-22 16:10 15,504 --a

c:\windows\system32\drivers\mbam.sys
2008-12-01 20:15 . 2008-12-01 21:48 <DIR> d

c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:15 . 2008-12-01 20:15 <DIR> d

c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 18:44 . 2008-12-01 18:45 <DIR> d

C:\rsit
2008-11-30 23:30 . 2008-12-01 00:52 <DIR> d

c:\program files\XoftSpySE
2008-11-30 15:37 . 2008-08-25 12:36 81,288 --a

c:\windows\system32\drivers\iksyssec.sys
2008-11-30 15:37 . 2008-08-25 12:36 66,952 --a

c:\windows\system32\drivers\iksysflt.sys
2008-11-30 15:37 . 2008-08-25 12:36 40,840 --a

c:\windows\system32\drivers\ikfilesec.sys
2008-11-30 15:37 . 2008-06-02 16:19 29,576 --a

c:\windows\system32\drivers\kcom.sys
2008-11-30 15:36 . 2008-12-02 20:40 <DIR> d

c:\program files\Spyware Doctor
2008-11-30 15:36 . 2008-11-30 15:36 <DIR> d

c:\documents and settings\Gary Burden\Application Data\PC Tools
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

c:\documents and settings\Gary Burden\Application Data\Simply Super Software
2008-11-30 15:30 . 2008-12-03 07:33 <DIR> d-a

c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-30 15:30 . 2006-05-25 14:52 162,304 --a

c:\windows\system32\ztvunrar36.dll
2008-11-30 15:30 . 2003-02-02 19:06 153,088 --a

c:\windows\system32\UNRAR3.dll
2008-11-30 15:30 . 2005-08-26 00:50 77,312 --a

c:\windows\system32\ztvunace26.dll
2008-11-30 15:30 . 2002-03-06 00:00 75,264 --a

c:\windows\system32\unacev2.dll
2008-11-30 15:30 . 2006-06-19 12:01 69,632 --a

c:\windows\system32\ztvcabinet.dll
2008-11-30 10:07 . 2008-12-02 09:12 <DIR> d

c:\temp\35K3F6OI
2008-11-29 23:44 . 2008-12-02 09:12 <DIR> d

c:\temp\35J84QL2
2008-11-29 21:42 . 2008-11-29 21:57 1,870 --a

c:\windows\system32\tmp.reg
2008-11-29 20:59 . 2008-12-02 21:41 <DIR> d

c:\program files\LimeWire
2008-11-28 17:22 . 2008-12-02 09:12 <DIR> d

c:\temp\plugtmp-2
2008-11-21 21:53 . 2008-11-22 03:28 54,156 --ah

c:\windows\QTFont.qfn
2008-11-21 21:53 . 2008-11-21 21:53 1,409 --a

c:\windows\QTFont.for
2008-11-20 11:01 . 2008-11-20 11:01 <DIR> d---s---- c:\temp\Temporary Internet Files
2008-11-20 11:01 . 2008-11-20 11:01 <DIR> d---s---- c:\temp\History
2008-11-20 11:01 . 2008-11-29 22:05 <DIR> d---s---- c:\temp\Cookies
2008-11-11 21:43 . 2008-09-04 12:15 1,106,944

c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:43 . 2008-10-24 06:21 455,296

c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 23:09 . 2008-11-12 10:32 <DIR> d

c:\program files\PCCW DEMO
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

c:\program files\FreeRIP3
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

c:\documents and settings\All Users\Application Data\FreeRIP
2008-11-08 12:39 . 2008-11-08 12:40 1,892,336 --a

C:\freeripmp3.exe
2008-11-08 12:31 . 2008-11-08 12:38 <DIR> d

c:\program files\ABC Amber Audio Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 12:34 36,528,160 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-03 12:33 1,837,344 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-03 11:39 493,184 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-03 11:39 176,384 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-03 02:42

d

w c:\program files\Enigma Software Group
2008-12-02 20:15

d

w c:\program files\Mozilla Thunderbird
2008-12-01 06:08

d

w c:\documents and settings\All Users\Application Data\PCSecurityShield
2008-11-30 21:18

d

w c:\program files\Security Task Manager
2008-11-30 20:30

d

w c:\program files\Trojan Remover
2008-11-12 15:33

d

w c:\program files\Common Files\InstallShield
2008-11-11 04:09

d--h--w c:\program files\InstallShield Installation Information
2008-10-30 14:37

d

w c:\program files\VDOWNLOADER
2008-10-30 14:35 8,192 ----a-w C:\ntuser.dat
2008-10-29 22:32

d

w c:\program files\MSECACHE
2008-10-29 16:15

d

w c:\documents and settings\Gary Burden\Application Data\LimeWire
2008-10-29 13:43

d

w c:\program files\SourceTec
2008-10-27 04:16

d

w c:\program files\Test My Hardware
2008-10-25 05:54

d

w c:\program files\Google
2008-10-25 05:53 7,824,960 ----a-w C:\picasa3-setup.exe
2008-10-25 05:46 3,606,725 ----a-w C:\vdownloader.zip
2008-10-24 11:21 455,296

w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 00:18 2,302,017 ----a-w c:\windows\system32\GPhotos.scr
2008-10-23 03:44 98,528 ----a-w c:\documents and settings\Gary Burden\Application Data\GDIPFONTCACHEV1.DAT
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 06:20

d

w c:\program files\WinAVI Video Converter
2008-10-13 06:19 4,526,458 ----a-w C:\WinAVI_Video_Converter.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400

w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648

w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-12-11 01:49 32

w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866

w c:\program files\Common Files\tppupd2k.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Uniblue SpyEraser"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"nwiz"="nwiz.exe" [2003-06-23 c:\windows\system32\nwiz.exe]
"RegistryMechanic"="" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - c:\program files\Roxio\GoBack\GBTray.exe [2002-06-29 524288]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Perstray.lnk - c:\program files\PerSono\perstray.exe [2004-03-05 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccExtractorService"=2 (0x2)
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microprose\\Grand Prix 3 Demo\\GP3.exe"=
"c:\\WINDOWS\\system32\\jview.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\ENSIGN\\Ensign.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10001:TCP"= 10001:TCP:Ensign Windows

R1 hmonitor;hmonitor;\??\c:\windows\system32\drivers\hmonitor.sys [2008-06-04 10536]
R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFECP13.SYS [1998-09-24 52800]
R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\Drivers\ousbehci.sys [2002-06-19 26752]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\DRIVERS\uacflt.sys [2004-03-05 21276]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [2001-10-02 1757928]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2002-06-19 40704]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\DRIVERS\LwAdiHid.sys [2002-07-15 20864]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\DRIVERS\TPP300.SYS [2002-08-11 33669]
S3 WmAdiHid;Logitech WingMan Digital Devices Driver;c:\windows\system32\drivers\WmAdiHid.sys [2001-11-06 20192]
S4 hpt3xx;hpt3xx; []
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-02-29 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-12-03 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]

2008-12-01 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellExecuteHooks-{6809e580-a3a7-11d1-9a00-00a0c945b006} - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 07:31:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.

Other Running Processes

.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Roxio\GoBack\GBPoll.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Spyware Doctor\pctsAuxs.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Spyware Doctor\pctsTray.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\UTSCSI.EXE
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\system32\MsPMSPSv.exe
c:\combofix\hidec.exe
c:\combofix\Catchme.tmp
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-03 7:39:24 - machine was rebooted [Gary Burden]
ComboFix-quarantined-files.txt 2008-12-03 12:39:05

Pre-Run: 34,418,425,856 bytes free
Post-Run: 34,394,152,960 bytes free

209 --- E O F --- 2008-11-13 03:56:38

Katana · December 2008

Please update MalwareBytes, and try running a full scan.
Please post the contents of C:\RSIT\info.txt also

Kodiac · December 2008

I still can't run a full scan in MalwareBytes, it has to be quick. Every since the virus launched my PC reboots at random. After a couple of reboots it won't even let me logon to Safe Mode! Any ideas?

Here's the report, I'll have to do RSIT when I can.

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

12/3/2008 10:11:46 AM
mbam-log-2008-12-03 (10-11-29).txt

Scan type: Quick Scan
Objects scanned: 55461
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Explorer.sav (Heuristics.Reserved.Word.Exploit) -> No action taken.

Kodiac · December 2008

Logfile of random's system information tool 1.04 (written by random/random)
Run by Gary Burden at 2008-12-03 10:59:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 33 GB (44%) free of 74 GB
Total RAM: 3071 MB (83% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:12, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Gary Burden\Desktop\RSIT.exe
C:\Program Files\trend micro\Gary Burden.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GARY BURDEN\Application Data\Mozilla\Profiles\default\cbc1i1l4.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Perstray.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BA77042-FC93-4AED-B0E8-824979156BA4} (InstallerAX Class) - http://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terranova.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Dantz Development Corporation - (no file)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

--
End of file - 14071 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-06-17 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-03-03 5375032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-06-17 131072]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-03-03 5375032]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nwiz"=nwiz.exe /install []
"TPP Auto Loader"=C:\WINDOWS\TPPALDR.EXE [2001-10-05 118784]
"RegistryMechanic"= []
"Motive SmartBridge"=C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe [2005-08-24 442455]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-08-25 1168264]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpyEraser"= []
"FreeRAM XP"=C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [2006-03-22 1591808]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"EasyLinkAdvisor"=C:\Program Files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2000-10-11 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2000-10-11 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccExtractorService"=2
"LiveUpdate Notice Service"=3
"LiveUpdate Notice Ex"=3

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Perstray.lnk - C:\Program Files\PerSono\perstray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINDOWS\system32\klogon.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
""=
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Microprose\Grand Prix 3 Demo\GP3.exe"="C:\Program Files\Microprose\Grand Prix 3 Demo\GP3.exe:*:Enabled:GP3"
"C:\WINDOWS\system32\jview.exe"="C:\WINDOWS\system32\jview.exe:*:Enabled:MicrosoftÂ® VM Command Line Interpreter"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\ENSIGN\Ensign.exe"="C:\ENSIGN\Ensign.exe:*:Enabled:Ensign Windows"
"C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"="C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe:*:Enabled:The Shield Deluxe 2008"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.js - open - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-03 10:59:47 ----D---- C:\Program Files\trend micro
2008-12-03 07:39:34 ----D---- C:\WINDOWS\temp
2008-12-03 07:39:29 ----A---- C:\ComboFix.txt
2008-12-03 06:27:22 ----D---- C:\ComboFix
2008-12-02 09:03:16 ----A---- C:\Boot.bak
2008-12-02 09:02:58 ----RASHD---- C:\cmdcons
2008-12-02 09:01:16 ----A---- C:\WINDOWS\zip.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\VFIND.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\SWSC.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\SWREG.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\sed.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\grep.exe
2008-12-02 09:01:16 ----A---- C:\WINDOWS\fdsv.exe
2008-12-02 09:01:10 ----D---- C:\WINDOWS\ERDNT
2008-12-02 09:01:09 ----D---- C:\Qoobox
2008-12-01 20:16:08 ----D---- C:\Documents and Settings\Gary Burden\Application Data\Malwarebytes
2008-12-01 20:15:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-01 20:15:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-01 18:44:13 ----D---- C:\rsit
2008-11-30 23:30:01 ----D---- C:\Program Files\XoftSpySE
2008-11-30 15:36:47 ----D---- C:\Program Files\Spyware Doctor
2008-11-30 15:36:47 ----D---- C:\Documents and Settings\Gary Burden\Application Data\PC Tools
2008-11-30 15:30:38 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\UNRAR3.dll
2008-11-30 15:30:18 ----A---- C:\WINDOWS\system32\unacev2.dll
2008-11-30 15:30:11 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-11-30 15:30:10 ----D---- C:\Documents and Settings\Gary Burden\Application Data\Simply Super Software
2008-11-29 21:42:27 ----A---- C:\WINDOWS\system32\tmp.txt
2008-11-29 21:39:45 ----A---- C:\rapport.txt
2008-11-29 20:59:27 ----D---- C:\Program Files\LimeWire
2008-11-28 23:32:58 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-12 22:52:13 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 22:51:31 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 22:50:25 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-10 23:09:59 ----N---- C:\WINDOWS\system32\msexch35.dll
2008-11-10 23:09:54 ----N---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-10 23:09:50 ----N---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-10 23:09:48 ----N---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-10 23:09:46 ----N---- C:\WINDOWS\system32\DKSGS.dll
2008-11-10 23:09:39 ----D---- C:\Program Files\PCCW DEMO
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\tls704d.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\tifftek32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\rdmsys.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\qpro32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\ipinplus32.dll
2008-11-10 23:09:38 ----N---- C:\WINDOWS\system32\cmeparse.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\NOVA_API.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\eNC430SO.dll
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\ARWizard.DLL
2008-11-10 23:09:37 ----N---- C:\WINDOWS\system32\ardesign.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vxncom.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vpp201.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vhelper.dll
2008-11-10 23:09:36 ----N---- C:\WINDOWS\system32\vcontrolobject.dll
2008-11-10 23:09:31 ----N---- C:\WINDOWS\system32\GORAS.dll
2008-11-10 23:09:31 ----N---- C:\WINDOWS\system32\Ent1000SO.DLL
2008-11-10 23:09:30 ----N---- C:\WINDOWS\system32\eNCrypt2100So.dll
2008-11-10 23:09:30 ----N---- C:\WINDOWS\system32\Cmr430so.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMXUtil.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMTIFF.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMSO.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMMICR.dll
2008-11-10 23:09:29 ----N---- C:\WINDOWS\system32\RDMCO.dll
2008-11-08 12:41:08 ----D---- C:\Documents and Settings\All Users\Application Data\FreeRIP
2008-11-08 12:41:02 ----D---- C:\Program Files\FreeRIP3
2008-11-08 12:39:50 ----A---- C:\freeripmp3.exe
2008-11-08 12:31:49 ----D---- C:\Program Files\ABC Amber Audio Converter

======List of files/folders modified in the last 1 months======

2008-12-03 11:00:13 ----D---- C:\temp
2008-12-03 10:59:47 ----D---- C:\Program Files
2008-12-03 10:58:56 ----D---- C:\WINDOWS\system32\drivers
2008-12-03 10:11:57 ----D---- C:\Program Files\Mozilla Thunderbird
2008-12-03 07:39:57 ----D---- C:\WINDOWS\system32
2008-12-03 07:39:34 ----D---- C:\WINDOWS
2008-12-03 07:33:22 ----A---- C:\WINDOWS\system.ini
2008-12-03 06:33:54 ----D---- C:\Program Files\Common Files
2008-12-03 06:33:53 ----D---- C:\WINDOWS\AppPatch
2008-12-03 06:28:31 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-02 21:42:31 ----D---- C:\Program Files\Enigma Software Group
2008-12-02 16:00:28 ----D---- C:\Gary's Files
2008-12-02 09:13:46 ----D---- C:\WINDOWS\Prefetch
2008-12-02 09:09:59 ----D---- C:\WINDOWS\system32\config
2008-12-02 09:03:16 ----RASH---- C:\boot.ini
2008-12-01 15:52:39 ----D---- C:\Program Files\Mozilla Firefox
2008-12-01 01:08:59 ----D---- C:\Documents and Settings\All Users\Application Data\PCSecurityShield
2008-11-30 23:30:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-30 23:30:06 ----SD---- C:\WINDOWS\Tasks
2008-11-30 16:18:57 ----D---- C:\Program Files\Security Task Manager
2008-11-30 15:30:24 ----D---- C:\Program Files\Trojan Remover
2008-11-30 10:04:50 ----D---- C:\WINDOWS\network diagnostic
2008-11-29 21:03:49 ----D---- C:\WINDOWS\system32\wbem
2008-11-29 21:03:46 ----D---- C:\WINDOWS\Registration
2008-11-29 21:01:35 ----HD---- C:\WINDOWS\inf
2008-11-29 03:07:39 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-13 00:49:00 ----D---- C:\My Music
2008-11-13 00:48:58 ----D---- C:\MIRC trading script_files
2008-11-13 00:48:58 ----D---- C:\Jts
2008-11-13 00:48:55 ----D---- C:\Charts
2008-11-12 22:52:19 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-12 22:51:54 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 22:51:47 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 22:49:35 ----D---- C:\Config.Msi
2008-11-12 22:49:30 ----SHD---- C:\WINDOWS\Installer
2008-11-12 22:49:25 ----D---- C:\WINDOWS\WinSxS
2008-11-12 10:33:08 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-10 23:09:27 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-08 12:45:00 ----A---- C:\WINDOWS\cdplayer.ini
2008-11-08 12:30:59 ----D---- C:\unzipped
2008-11-07 02:21:49 ----D---- C:\WINDOWS\Help
2008-11-05 00:11:20 ----A---- C:\WINDOWS\NeroDigital.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2008-04-13 37760]
R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2006-09-12 25244]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-04-07 9072]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-04-07 9200]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2003-07-26 241280]
R1 hmonitor;hmonitor; \??\C:\WINDOWS\system32\drivers\hmonitor.sys []
R1 IKSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-08-25 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-08-25 81288]
R1 klif;Klif; \??\C:\WINDOWS\system32\drivers\klif.sys []
R1 pwd_2K;pwd_2K; C:\WINDOWS\system32\drivers\pwd_2K.sys [2003-07-26 144250]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\system32\drivers\UdfReadr_xp.sys [2003-07-26 206464]
R1 VIAPFD;VIAPFD; C:\WINDOWS\System32\Drivers\VIAPFD.SYS [2001-12-18 3279]
R2 elagopro;GoProto Protocol Driver for LELA; C:\WINDOWS\system32\DRIVERS\elagopro.sys [2007-03-22 28672]
R2 elaunidr;UniDriver for LELA; C:\WINDOWS\system32\DRIVERS\elaunidr.sys [2007-03-22 5376]
R2 GBFSHook;GBFSHook; C:\WINDOWS\system32\drivers\GBFSHook.sys [2002-01-21 15024]
R2 HPFECP13;HPFECP13; C:\WINDOWS\System32\drivers\HPFECP13.SYS [1998-09-24 52800]
R2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%; C:\WINDOWS\System32\Drivers\ousbehci.sys [2002-01-31 26752]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\System32\PfModNT.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver; C:\WINDOWS\System32\DRIVERS\uacflt.sys [2002-05-03 21276]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2001-09-11 110084]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2001-09-11 11036]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2001-09-11 207648]
R3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2003-07-26 25930]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM); C:\WINDOWS\system32\drivers\e10kx2k.sys [2001-10-02 1757928]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2001-09-11 154284]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
R3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2003-07-26 30662]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2005-04-23 28276]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-06-23 1324779]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2001-09-11 186944]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support; C:\WINDOWS\System32\DRIVERS\ousb2hub.sys [2002-01-31 40704]
R3 rtl8139;Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2001-08-23 25434]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2002-06-20 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2002-06-20 39776]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 hidgame;Microsoft Hid to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\hidgame.sys [2001-08-17 8576]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect); C:\WINDOWS\System32\DRIVERS\LwAdiHid.sys [2002-08-29 20864]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 msgame;Sidewinder HID to Joystick Port Enabler; C:\WINDOWS\System32\DRIVERS\msgame.sys [2001-08-17 35200]
S3 nm;Network Monitor Driver; C:\WINDOWS\System32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCAMPR5.SYS []
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\System32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 TPP300;USB Storage Adapter V3 (TPP); C:\WINDOWS\System32\DRIVERS\TPP300.SYS [2001-10-05 33669]
S3 TSP;TSP; \??\C:\WINDOWS\system32\drivers\klif.sys []
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WmAdiHid;Logitech WingMan Digital Devices Driver; C:\WINDOWS\system32\drivers\WmAdiHid.sys [2001-11-06 20192]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2002-06-20 5728]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R01000000 papycpu2;papycpu2; C:\WINDOWS\system32\drivers\papycpu2.sys [2001-11-19 1984]
R01000000 papyjoy;papyjoy; C:\WINDOWS\system32\drivers\papyjoy.sys [2001-11-19 1856]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.EXE [1999-12-13 44032]
R2 GBPoll;GBPoll; C:\Program Files\Roxio\GoBack\GBPoll.exe [2002-01-21 507904]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2001-02-23 270336]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-06-23 73728]
R2 RetroLauncher;Retrospect Launcher; C:\Program Files\Dantz\Retrospect\retrorun.exe [2001-10-25 40960]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-10-09 1079176]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-01-23 1251720]
R2 UTSCSI;USBest Service Zero; C:\WINDOWS\system32\UTSCSI.EXE [2006-08-24 45568]
R2 Ventrilo;Ventrilo; C:\Program Files\VentSrv\ventrilo_svc.exe [2005-07-13 65536]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\System32\MsPMSPSv.exe [2000-06-26 53520]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 Retrospect Helper;Retrospect Helper; C:\Program Files\Dantz\Retrospect\rthlpsvc.exe [2001-10-25 53248]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 AVP;The Shield Deluxe 2008; C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe [2007-08-23 200768]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-07 136120]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2006-08-20 68096]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

EOF

Katana · December 2008

OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop

Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Files )

:Files
C:\WINDOWS\Explorer.sav
:Commands
[Purity]
[EmptyTemp]

Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Kodiac · December 2008

After running I couldn't copy the results because the file wouldn't respond. I rebooted in safe mode and wrote the results into notepad and here it is:

==============Files===============
File/Folder C:\Windows\Explorer.sav not found
============Command==============
User's Temp Folder emptied
User's Temporary Internet Files folder emptied
User's Internet Explorer cache folder emptied
Local Service Temp folder emptied
Local Service Temporary Internet Files folder emptied
Windows Temp folder emptied

After reboot in Safe Mode again I got this:

Files moved on Reboot...
File C:\temp\Perflib_Perfdata_7b4.dat not found!
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat not found!

Are we getting there?

Katana · December 2008

Information

Are we getting there?

Untill we get a scan to complete without your machine rebooting, I have no idea how far we have got

Step 1
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below

Please visit this webpage for instructions on using ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofix

ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3

[*] You must download it to and run it from your Desktop

[*] Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

[*] Double click combofix.exe & follow the prompts.

[*] When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log

[*] Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper

Step 2

Malwarebytes' Anti-Malware

Start MalwareBytes AntiMalware
- Update Malwarebytes' Anti-Malware
- Select the Update tab
- Click Update
When the update is complete, select the Scanner tab
Select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 3

Please Download GMER to your desktop

Download GMER and extract it to your desktop.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Combofix Log
MBAM Log
GMER Log
How are things running now ?

Kodiac · December 2008

I was able to scan ComboFix in regular mode. Tried MalwareBytes and it shut down so I booted in safe mode. It ran for 2 hours before shutting down and still just found the two infected items that were found in the quick scan. I will try again later and then the GMER.

ComboFix 08-12-03.04 - Gary Burden 2008-12-04 10:57:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2699 [GMT -5:00]
Running from: c:\documents and settings\Gary Burden\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 11:03 . 2008-12-04 11:03 53,248 --a

c:\temp\catchme.dll
2008-12-04 10:58 . 2008-12-04 10:58 <DIR> d

c:\temp\WPDNSE
2008-12-04 10:55 . 2008-12-04 10:55 16,384 --a----t- c:\temp\Perflib_Perfdata_284.dat
2008-12-03 14:32 . 2008-12-03 14:32 <DIR> d

C:\_OTMoveIt
2008-12-03 10:59 . 2008-12-03 11:00 <DIR> d

c:\program files\trend micro
2008-12-01 20:16 . 2008-12-01 20:16 <DIR> d

c:\documents and settings\Gary Burden\Application Data\Malwarebytes
2008-12-01 20:16 . 2008-10-22 16:10 38,496 --a

c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:16 . 2008-10-22 16:10 15,504 --a

c:\windows\system32\drivers\mbam.sys
2008-12-01 20:15 . 2008-12-01 21:48 <DIR> d

c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:15 . 2008-12-01 20:15 <DIR> d

c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 18:44 . 2008-12-01 18:45 <DIR> d

C:\rsit
2008-11-30 23:30 . 2008-12-01 00:52 <DIR> d

c:\program files\XoftSpySE
2008-11-30 15:37 . 2008-08-25 12:36 81,288 --a

c:\windows\system32\drivers\iksyssec.sys
2008-11-30 15:37 . 2008-08-25 12:36 66,952 --a

c:\windows\system32\drivers\iksysflt.sys
2008-11-30 15:37 . 2008-08-25 12:36 40,840 --a

c:\windows\system32\drivers\ikfilesec.sys
2008-11-30 15:37 . 2008-06-02 16:19 29,576 --a

c:\windows\system32\drivers\kcom.sys
2008-11-30 15:36 . 2008-12-03 08:55 <DIR> d

c:\program files\Spyware Doctor
2008-11-30 15:36 . 2008-11-30 15:36 <DIR> d

c:\documents and settings\Gary Burden\Application Data\PC Tools
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

c:\documents and settings\Gary Burden\Application Data\Simply Super Software
2008-11-30 15:30 . 2008-12-04 10:55 <DIR> d-a

c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 15:30 . 2008-11-30 15:30 <DIR> d

c:\documents and settings\All Users\Application Data\Simply Super Software
2008-11-30 15:30 . 2006-05-25 14:52 162,304 --a

c:\windows\system32\ztvunrar36.dll
2008-11-30 15:30 . 2003-02-02 19:06 153,088 --a

c:\windows\system32\UNRAR3.dll
2008-11-30 15:30 . 2005-08-26 00:50 77,312 --a

c:\windows\system32\ztvunace26.dll
2008-11-30 15:30 . 2002-03-06 00:00 75,264 --a

c:\windows\system32\unacev2.dll
2008-11-30 15:30 . 2006-06-19 12:01 69,632 --a

c:\windows\system32\ztvcabinet.dll
2008-11-29 21:42 . 2008-11-29 21:57 1,870 --a

c:\windows\system32\tmp.reg
2008-11-21 21:53 . 2008-11-22 03:28 54,156 --ah

c:\windows\QTFont.qfn
2008-11-21 21:53 . 2008-11-21 21:53 1,409 --a

c:\windows\QTFont.for
2008-11-11 21:43 . 2008-09-04 12:15 1,106,944

c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:43 . 2008-10-24 06:21 455,296

c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 23:09 . 2008-11-12 10:32 <DIR> d

c:\program files\PCCW DEMO
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

c:\program files\FreeRIP3
2008-11-08 12:41 . 2008-11-08 12:41 <DIR> d

c:\documents and settings\All Users\Application Data\FreeRIP
2008-11-08 12:39 . 2008-11-08 12:40 1,892,336 --a

C:\freeripmp3.exe
2008-11-08 12:31 . 2008-11-08 12:38 <DIR> d

c:\program files\ABC Amber Audio Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 16:03 36,581,920 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-04 14:42 1,839,904 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-03 20:17

d

w c:\program files\Mozilla Thunderbird
2008-12-03 11:39 493,184 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-03 11:39 176,384 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-03 02:42

d

w c:\program files\Enigma Software Group
2008-12-01 06:08

d

w c:\documents and settings\All Users\Application Data\PCSecurityShield
2008-11-30 21:18

d

w c:\program files\Security Task Manager
2008-11-30 20:30

d

w c:\program files\Trojan Remover
2008-11-12 15:33

d

w c:\program files\Common Files\InstallShield
2008-11-11 04:09

d--h--w c:\program files\InstallShield Installation Information
2008-10-30 14:37

d

w c:\program files\VDOWNLOADER
2008-10-30 14:35 8,192 ----a-w C:\ntuser.dat
2008-10-29 22:32

d

w c:\program files\MSECACHE
2008-10-29 16:15

d

w c:\documents and settings\Gary Burden\Application Data\LimeWire
2008-10-29 13:43

d

w c:\program files\SourceTec
2008-10-27 04:16

d

w c:\program files\Test My Hardware
2008-10-25 05:54

d

w c:\program files\Google
2008-10-25 05:53 7,824,960 ----a-w C:\picasa3-setup.exe
2008-10-25 05:46 3,606,725 ----a-w C:\vdownloader.zip
2008-10-24 11:21 455,296

w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 00:18 2,302,017 ----a-w c:\windows\system32\GPhotos.scr
2008-10-23 03:44 98,528 ----a-w c:\documents and settings\Gary Burden\Application Data\GDIPFONTCACHEV1.DAT
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-13 06:20

d

w c:\program files\WinAVI Video Converter
2008-10-13 06:19 4,526,458 ----a-w C:\WinAVI_Video_Converter.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400

w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648

w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2007-12-11 01:49 32

w c:\documents and settings\All Users\Application Data\ezsid.dat
2001-10-05 16:53 21,866

w c:\program files\Common Files\tppupd2k.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"Uniblue SpyEraser"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPP Auto Loader"="c:\windows\TPPALDR.EXE" [2001-10-05 118784]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"nwiz"="nwiz.exe" [2003-06-23 c:\windows\system32\nwiz.exe]
"RegistryMechanic"="" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GoBack.lnk - c:\program files\Roxio\GoBack\GBTray.exe [2002-06-29 524288]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Perstray.lnk - c:\program files\PerSono\perstray.exe [2004-03-05 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ccExtractorService"=2 (0x2)
"LiveUpdate Notice Service"=3 (0x3)
"LiveUpdate Notice Ex"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microprose\\Grand Prix 3 Demo\\GP3.exe"=
"c:\\WINDOWS\\system32\\jview.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\ENSIGN\\Ensign.exe"=
"c:\\Program Files\\PCSecurityShield\\The Shield Deluxe 2008\\avp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10001:TCP"= 10001:TCP:Ensign Windows

R1 hmonitor;hmonitor;\??\c:\windows\system32\drivers\hmonitor.sys [2008-06-04 10536]
R2 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFECP13.SYS [1998-09-24 52800]
R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\Drivers\ousbehci.sys [2002-06-19 26752]
R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\DRIVERS\uacflt.sys [2004-03-05 21276]
R3 emu10kx;Creative EMU10K1/EMU10K2 Audio Driver (WDM);c:\windows\system32\drivers\e10kx2k.sys [2001-10-02 1757928]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2002-06-19 40704]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\DRIVERS\LwAdiHid.sys [2002-07-15 20864]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-01 38496]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-11-30 356920]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\DRIVERS\TPP300.SYS [2002-08-11 33669]
S3 WmAdiHid;Logitech WingMan Digital Devices Driver;c:\windows\system32\drivers\WmAdiHid.sys [2001-11-06 20192]
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-02-29 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-29 09:46]

2008-12-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]

2008-12-01 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2008-11-26 15:11]
.
.

Supplementary Scan

.
uStart Page = www.google.com
mStart Page = www.google.com
uInternet Settings,ProxyOverride = 127.0.0.1
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O16 -: Microsoft XML Parser for Java - c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\installerAX.ini - c:\windows\Downloaded Program Files\installerAX.dll
O16 -: {6BA77042-FC93-4AED-B0E8-824979156BA4}
hxxp://chevy.a.content.maven.net/mvms/vfs/chevy/chevylive/live/install/installerAX.cab
c:\windows\Downloaded Program Files\installerAX.inf

c:\windows\Downloaded Program Files\tsccinst.dll - O16 -: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5}
hxxp://www.techsmith.com/codec/tsccinst.cab
c:\windows\Downloaded Program Files\tsccinst.inf

O16 -: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - hxxp://conf1.centra.com/trendfund/Install/en/US/CentraDownloader.cab

c:\windows\Downloaded Program Files\dwnldr.dll - O16 -: {CA034DCC-A580-4333-B52F-15F98C42E04C}
hxxps://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
c:\windows\Downloaded Program Files\dwnldr.inf
FireFox -: Profile - c:\documents and settings\Gary Burden\Application Data\Mozilla\Firefox\Profiles\zpojcoi7.Gary\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Google\Picasa3\npPicasa3.dll
FF -: plugin - c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 11:03:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-12-04 11:06:52
ComboFix-quarantined-files.txt 2008-12-04 16:05:32
ComboFix2.txt 2008-12-03 12:39:29

Pre-Run: 34,467,192,832 bytes free
Post-Run: 34,442,387,456 bytes free

216 --- E O F --- 2008-11-13 03:56:38

Katana · December 2008

Hi Kodiac,

Looking at your logs, there doesn't appear to be anything left that would be causing a shutdown.

I suspect that the problem is overheating, is this a laptop or a tower ?

Kodiac · December 2008

It's a tower and I've had it shut down in the distant past when the cpu overheats but not reboot. When the Trojan launched, reboot was the first thing it did. I went into the bios and watched temps and voltages but that was with nothing running. My cpu fan is working properly. I'll investigate further.

Question: What about the 2 infected files MalwareBytes flagged?

Katana · December 2008

The explorer file that MBAM flagged isn't there, (OTMI didn't find it)
the other item is just an adware dross reg entry, that wouldn't cause a reboot problem.
have you installed any new parts recently ?

Let's see if stopping a couple of programs will help
( by the way, why do you have FreeRAM XP Pro installed ?)

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Please reboot now

Now try scanning with MBAM.

Kodiac · December 2008

I had the computer running in regular mode with just the normal processes running. I went in to run what you said and when I clicked MY COMPUTER to access the flash drive it rebooted. I hit delete and went into the bios and the cpu temp was in the green. I haven't a clue. These type of problems never existed before the Trojan. It was a very stable machine. I ran a lot of graphic software like Photoshop as well as many other programs and never had an automatic reboot. Could the Trojan have caused the instability?

Katana · December 2008

Kodiac wrote:

Could the Trojan have caused the instability?

It's possible

Let's see if we can get an online scan without it rebooting

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Kodiac · December 2008

Katana,

Thanks for all of your help! It seems my rebooting problem may have been a RAM problem but with your help I think we've resolved the Malware problem. The tower is now in a technician's hands for hardware tests.

Again, thanks for your expertise and patience,

Kodiac

Katana · December 2008

Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.

Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Open OTMoveIt Click Cleanup,
it will now connect to the internet and get a list of files to delete.
When a box pops up click YES.

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy <<< A must have program
- It includes host protection and registry protection
- A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware <<< A New and effective program
a-squared Free <<< A good "realtime" or "on demand" scanner
superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol
- An excellent startup manager and then some !!
- Notifies you if programs are added to startup
- Allows delayed startup
- A must have addition
SpywareBlaster 4.0
- SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2
- SpywareGuard provides real-time protection against spyware.
- Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut
- Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS
- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
- For information on how to download and install, please read this tutorial by WinHelp2002.
- Not required if you are using other host file protections

Internet Browsers

Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    - Change the Download signed ActiveX controls to Prompt
    - Change the Download unsigned ActiveX controls to Disable
    - Change the Initialise and script ActiveX controls not marked as safe to Disable
    - Change the Installation of desktop items to Prompt
    - Change the Launching programs and files in an IFRAME to Prompt
    - Change the Navigate sub-frames across different domains to Prompt
    - When all these settings have been made, click on the OK button.
    - If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
- FireFox
  - With many addons available that make customization easy this is a very popular choice
  - NoScript and AdBlockPlus addons are essential
- Opera
  - Another popular alternative
- Netscape
  - Another popular alternative
  - Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.

Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner
- Free and very simple to use
CCleaner
- Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again

Happy surfing K'

Glad we could be of assistance! This topic is now closed.

If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead

Trojan Downloader (Solved)

Comments