Virus has returned!!

Here is a HijackThis log.
Here is the problem I have found:
Using Google, when I hit any of the links using IE it brings up other web sites.
I have to copy and paste the proper site into IE for it to work. Please take a look at my logs.

Logfile of HijackThis v1.99.1
Scan saved at 10:33:32 PM, on 04/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost.exe
C:\Comodo\COMODO Internet Security\cmdagent.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Comodo\COMODO Internet Security\cfp.exe
G:\Program Files\Java\jre6\bin\jusched.exe
G:\utilities\A-squared Free\a2service.exe
G:\WINDOWS\system32\ctfmon.exe
G:\WINDOWS\system32\devldr32.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\WINDOWS\System32\GEARSec.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
G:\WINDOWS\System32\HPZipm12.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Program Files\Ahead\Nero Toolkit\DriveSpeed.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Utilities\uTorrent\uTorrent.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Utilities\Hijackthis\Nutty110.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
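The log above is raw data; what a helper actually does with it is scan the R/O entries for a few patterns (a service whose binary cannot be found, an environment variable in an ImagePath that Windows would never expand, a downloadable ActiveX control from a host nobody recognises). The script below is an added example, not part of the original post and not HijackThis code: it applies those checks to a handful of lines copied from the logs in this thread. The trusted-host set and the known-variable set are assumptions chosen for illustration.

```python
"""Triage a HijackThis 1.99.x log: parse its entries and flag the ones worth a second look.

Added example, not part of the forum post and not HijackThis code. The trusted-host
and known-variable sets below are assumptions chosen for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: ten lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# R0/R1 bodies look like: HKCU\Software\...\Main,Start Page = http://...
IE_DEFAULT_RE = re.compile(r"^(?P<hive>HK\w+)\\.*,(?P<name>[^,=]+?) =\s*(?P<value>.*)$")
ENV_VAR_RE = re.compile(r"%[^%\\\s]+%")

# Assumptions for illustration: variables Windows really expands, and hosts we accept
# as sources of downloadable ActiveX controls (O16) without comment.
KNOWN_ENV = {"%systemroot%", "%windir%", "%programfiles%", "%systemdrive%"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "go.microsoft.com"}


def parse(log_text):
    """Return (kind, body) tuples for every recognised HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def counts_by_kind(log_text):
    """How many entries of each kind (R0, O2, O16, O23, ...) the log contains."""
    return Counter(kind for kind, _ in parse(log_text))


def browser_defaults(log_text):
    """Map 'HIVE Setting' -> URL for the R0/R1 start page / search page entries."""
    defaults = {}
    for kind, body in parse(log_text):
        if kind in ("R0", "R1"):
            m = IE_DEFAULT_RE.match(body)
            if m:
                defaults[f"{m['hive']} {m['name']}"] = m["value"]
    return defaults


def triage(log_text):
    """Flag entries a reviewer should verify by hand; each finding is (kind, reason, body)."""
    findings = []
    for kind, body in parse(log_text):
        if kind in ("O4", "O23"):
            for var in ENV_VAR_RE.findall(body):
                if var.lower() not in KNOWN_ENV:
                    # HijackThis 1.99.1 is commonly reported to print %SystemRoot% as
                    # %fystemRoot% for services; so this means "read the ImagePath in
                    # the registry yourself", not "infected".
                    findings.append((kind, f"unexpected environment variable {var}", body))
        if kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "service binary not found at its ImagePath", body))
        if kind == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((kind, f"downloadable ActiveX control from {host or 'local path'}", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {body}")
```

On the sample the BITS entry produces two findings, the Java Quick Starter entry one, and the casino ActiveX control one; the Windows Update control and the HP print service pass. The BITS result is the one to be careful with: the right next step is to open HKLM\SYSTEM\CurrentControlSet\Services\BITS and read ImagePath directly, because a %fystemRoot% shown by this HijackThis version is usually the tool's rendering and not a tampered value.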

Comments

  • edited April 2009
    Logfile of HijackThis v1.99.1
    Scan saved at 10:10:03 PM, on 04/04/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    C:\Comodo\COMODO Internet Security\cmdagent.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\spoolsv.exe
    G:\utilities\A-squared Free\a2service.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\WINDOWS\System32\GEARSec.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    G:\WINDOWS\System32\HPZipm12.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\WINDOWS\system32\devldr32.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Comodo\COMODO Internet Security\cfp.exe
    G:\Program Files\Java\jre6\bin\jusched.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\WINDOWS\system32\wuauclt.exe
    G:\Utilities\Hijackthis\Nutty110.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
    O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
    O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • TroganTrogan London, UK
    edited April 2009
    Hi,

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.
  • edited April 2009
    GooredFix v1.92 by jpshortstuff
    Log created at 22:24 on 07/04/2009 running Option #1 (Randy)
    Firefox version 3.0.8 (en-US)

    =====Suspect Goored Entries=====

    G:\Program Files\Mozilla Firefox\extensions\{FB7D084C-105C-45EF-AB54-D2D8965DAEEF}

    G:\Program Files\Mozilla Firefox\extensions\{F2429810-1DE7-4135-9EAA-38301428FA4D}

    G:\Program Files\Mozilla Firefox\extensions\{E68F4966-C73B-437E-8390-CA52D8F1F5DC}

    G:\Program Files\Mozilla Firefox\extensions\{D6533EA8-7084-4D78-81EE-9E8584F89178}

    G:\Program Files\Mozilla Firefox\extensions\{BC68E6A6-7391-478A-B9CB-AD0205E567AE}

    G:\Program Files\Mozilla Firefox\extensions\{BB655501-F7AF-4BEB-9A17-D736BE01503B}

    G:\Program Files\Mozilla Firefox\extensions\{B6366353-0E3E-4A41-BEE6-2ED0F4E05E9D}

    G:\Program Files\Mozilla Firefox\extensions\{989EBE98-E2BA-48B8-AB36-07F6B4ECE526}

    G:\Program Files\Mozilla Firefox\extensions\{8FD2F676-1CA9-4C36-AC89-5C03D3E26D44}

    G:\Program Files\Mozilla Firefox\extensions\{85D7BE39-1BE0-4C67-90F5-D6C463054141}

    G:\Program Files\Mozilla Firefox\extensions\{806D694A-F3E7-4A17-AED1-E6F842D9824B}

    G:\Program Files\Mozilla Firefox\extensions\{62883A1E-96B6-47B7-BFEE-838F50167FDB}

    G:\Program Files\Mozilla Firefox\extensions\{6252CF1B-F8F0-4C62-A741-E0D450987C9E}

    G:\Program Files\Mozilla Firefox\extensions\{5FD822C9-5A1E-4C03-873C-5B69616FCF24}

    G:\Program Files\Mozilla Firefox\extensions\{4F591AA7-F344-416C-9813-A9C914CB4FB9}

    G:\Program Files\Mozilla Firefox\extensions\{3244C53C-ECF6-41C7-AE40-8B16568B360B}

    G:\Program Files\Mozilla Firefox\extensions\{2431AB0D-BCC2-461D-A32B-6A14B9F5C9F5}

    G:\Program Files\Mozilla Firefox\extensions\{1F096D26-91C9-4D9C-972E-326075E08F7E}

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.8\extensions]
    "Plugins"="G:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.8\extensions]
    "Components"="G:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="G:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="G:\Program Files\Real\RealPlayer\browserrecord"


    Just to let you know, I uninstalled Google Toolbar and put on Yahoo Toolbar before there was a response to my problem. It seems as though Yahoo search does not redirect sites like the Google toolbar and search engine do. The IE hijack is probably still on my computer, but I wanted to let you know before you analyze my system. Please let me know if that is all right; I can always put Google Toolbar back on the computer. I have noticed the logs above use Firefox; I also use IE.
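GooredFix's option 1 (Trogan's instructions above) and the log it printed come down to two checks: what sits in the global extensions folder under the Firefox install directory, where an installer can drop an add-on without the user ever seeing an install prompt, and which add-ons are registered under HKLM\SOFTWARE\Mozilla\Firefox\extensions. The script below is an added example that reproduces both checks on a throw-away directory modelled on the log; it is not GooredFix's code and not from the forum post. The allowlist, the constructed install.rdf contents (including the "Search Helper" name and the em:hidden flag) and the registry dump text are assumptions for illustration; only the folder GUIDs and registry values are taken from the log above.

```python
"""Find sideloaded Firefox 3 extensions the way GooredFix's 'Find Goored' option does.

Added example, not GooredFix's code and not from the forum post. It inspects the
global extensions directory under the Firefox install folder and parses the
HKLM registry dump GooredFix prints. The allowlist and fixture data are assumptions.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Firefox's own default theme lives in this directory; anything else here was put
# there by an installer, not through the Add-ons window. (Allowlist is an assumption.)
KNOWN_GOOD_IDS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}


def read_manifest(ext_dir):
    """Return {'id', 'name', 'hidden'} from install.rdf, or None if the folder has none."""
    path = os.path.join(ext_dir, "install.rdf")
    if not os.path.isfile(path):
        return None
    desc = ET.parse(path).getroot().find(f"{RDF}Description")
    if desc is None:
        return {"id": None, "name": None, "hidden": False}

    def field(tag):  # em:tag may be a child element or an attribute on Description
        el = desc.find(f"{EM}{tag}")
        return el.text.strip() if el is not None and el.text else desc.get(f"{EM}{tag}")

    return {"id": field("id"), "name": field("name"),
            "hidden": (field("hidden") or "").lower() == "true"}


def scan_global_extensions(extensions_dir):
    """Report every extension folder not on the allowlist as (folder, reason)."""
    findings = []
    for entry in sorted(os.listdir(extensions_dir)):
        ext_dir = os.path.join(extensions_dir, entry)
        if not os.path.isdir(ext_dir) or entry in KNOWN_GOOD_IDS:
            continue
        manifest = read_manifest(ext_dir)
        if manifest is None:
            findings.append((entry, "no install.rdf: not a valid add-on, yet placed in the app dir"))
            continue
        reasons = []
        if manifest["hidden"]:
            reasons.append("em:hidden=true keeps it out of the Add-ons window")
        if manifest["id"] != entry:
            reasons.append(f"folder name does not match em:id {manifest['id']!r}")
        if GUID_RE.match(entry):
            reasons.append("GUID-named folder outside the allowlist (the pattern of every suspect entry in the log)")
        findings.append((entry, "; ".join(reasons) or "unlisted add-on in the global directory"))
    return findings


REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_registry_dump(text):
    """Parse GooredFix's '[key]' / '"name"="data"' dump into {(key, name): data}."""
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            key = m["key"]
        elif key and (m := REG_VALUE_RE.match(line)):
            out[(key, m["name"])] = m["data"]
    return out


# Constructed from the registry section of the GooredFix log above.
SAMPLE_REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="G:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="G:\Program Files\Real\RealPlayer\browserrecord"
"""


def build_sample_profile():
    """Create a throw-away extensions directory modelled on the log (constructed data)."""
    root = tempfile.mkdtemp(prefix="ff-ext-")
    rdf = ('<?xml version="1.0"?><RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:em="http://www.mozilla.org/2004/em-rdf#">'
           '<Description about="urn:mozilla:install-manifest">'
           '<em:id>{id}</em:id><em:name>{name}</em:name>{extra}</Description></RDF>')

    def write(folder, manifest):
        os.makedirs(os.path.join(root, folder))
        if manifest is not None:
            with open(os.path.join(root, folder, "install.rdf"), "w", encoding="utf-8") as fh:
                fh.write(manifest)

    theme = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
    write(theme, rdf.format(id=theme, name="Default", extra=""))
    hidden = "{FB7D084C-105C-45EF-AB54-D2D8965DAEEF}"  # GUID from the log; contents assumed
    write(hidden, rdf.format(id=hidden, name="Search Helper", extra="<em:hidden>true</em:hidden>"))
    write("{F2429810-1DE7-4135-9EAA-38301428FA4D}", None)  # GUID from the log; no manifest
    return root


if __name__ == "__main__":
    for folder, why in scan_global_extensions(build_sample_profile()):
        print(folder, "->", why)
    for (key, name), data in parse_registry_dump(SAMPLE_REGISTRY_DUMP).items():
        print(f"registered: {name} -> {data}")
```

The registry-registered entries (Java Quick Starter and RealPlayer) are listed rather than flagged: that key is the legitimate way for a vendor installer to add an add-on, and the log shows nothing unexpected there. The GUID folders are the interesting part, because an add-on dropped into the application directory can set em:hidden and never appear in the Add-ons window, which is why a user can be redirected on every Google result without seeing anything installed.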
  • TroganTrogan London, UK
    edited April 2009
    Hi,

    Please double-click GooredFix.exe on your Desktop to run it.
    • Select "2. Fix Goored" by typing 2 and pressing Enter.
    • Make sure all instances of Firefox are closed at this point.
    • Type y at the prompt and press Enter again.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

    Also, post a new HijackThis log.
  • edited April 2009
    GooredFix v1.92 by jpshortstuff
    Log created at 21:31 on 10/04/2009 running Option #2 (Randy)
    Firefox version 3.0.8 (en-US)

    =====Goored Deletions=====
    G:\Program Files\Mozilla Firefox\extensions\{FB7D084C-105C-45EF-AB54-D2D8965DAEEF}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{F2429810-1DE7-4135-9EAA-38301428FA4D}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{E68F4966-C73B-437E-8390-CA52D8F1F5DC}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{D6533EA8-7084-4D78-81EE-9E8584F89178}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{BC68E6A6-7391-478A-B9CB-AD0205E567AE}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{BB655501-F7AF-4BEB-9A17-D736BE01503B}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{B6366353-0E3E-4A41-BEE6-2ED0F4E05E9D}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{989EBE98-E2BA-48B8-AB36-07F6B4ECE526}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{8FD2F676-1CA9-4C36-AC89-5C03D3E26D44}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{85D7BE39-1BE0-4C67-90F5-D6C463054141}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{806D694A-F3E7-4A17-AED1-E6F842D9824B}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{62883A1E-96B6-47B7-BFEE-838F50167FDB}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{6252CF1B-F8F0-4C62-A741-E0D450987C9E}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{5FD822C9-5A1E-4C03-873C-5B69616FCF24}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{4F591AA7-F344-416C-9813-A9C914CB4FB9}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{3244C53C-ECF6-41C7-AE40-8B16568B360B}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{2431AB0D-BCC2-461D-A32B-6A14B9F5C9F5}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.
    G:\Program Files\Mozilla Firefox\extensions\{1F096D26-91C9-4D9C-972E-326075E08F7E}
    ->Backing up folder... Done.
    ->Emptying folder... Done.
    ->Deleting folder... Done.

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.8\extensions]
    "Plugins"="G:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\mozilla firefox 3.0.8\extensions]
    "Components"="G:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="G:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="G:\Program Files\Real\RealPlayer\browserrecord"

    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:53 PM, on 04/10/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    C:\Comodo\COMODO Internet Security\cmdagent.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\utilities\A-squared Free\a2service.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\WINDOWS\System32\GEARSec.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    G:\WINDOWS\System32\HPZipm12.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\WINDOWS\system32\devldr32.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Comodo\COMODO Internet Security\cfp.exe
    G:\Program Files\Java\jre6\bin\jusched.exe
    G:\WINDOWS\system32\ctfmon.exe
    C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Utilities\Hijackthis\Nutty110.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
    O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • Trogan London, UK
    edited April 2009
    Hi,

    Please update Malwarebytes and run a full scan. Post the log back here when done.
  • edited April 2009
    Malwarebytes' Anti-Malware 1.36
    Database version: 1979
    Windows 5.1.2600 Service Pack 2

    04/13/2009 9:11:23 PM
    mbam-log-2009-04-13 (21-11-19).txt

    Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|J:\|K:\|)
    Objects scanned: 211191
    Time elapsed: 1 hour(s), 28 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 13

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Mirc\mirc.exe (Backdoor.Bot) -> No action taken.
    C:\Comodo\COMODO Internet Security\Quarantine\ms1238839724.exe (Trojan.Proxy) -> No action taken.
    G:\WINDOWS\DVD Cover Searcher\uninstall.exe (Trojan.Agent) -> No action taken.
    G:\WINDOWS\DVD Cover Searcher Pro\uninstall.exe (Trojan.Agent) -> No action taken.
    G:\WINDOWS\Google Earth Pro 4.2\uninstall.exe (Trojan.Agent) -> No action taken.
    G:\WINDOWS\system32\1000.exe (Trojan.Downloader) -> No action taken.
    G:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> No action taken.
    G:\WINDOWS\system32\vfhr.exe (Trojan.Downloader) -> No action taken.
    G:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0PAJC5AV\ldr[1].exe (Trojan.Downloader) -> No action taken.
    G:\WINDOWS\TEMP\ms1239148769.exe (Trojan.Proxy) -> No action taken.
    G:\WINDOWS\WinAVI Video Converter 9.0\uninstall.exe (Trojan.Agent) -> No action taken.
    G:\WINDOWS\system32\nDler2.exe (Trojan.Agent) -> No action taken.
  • Trogan London, UK
    edited April 2009
    Hi,

    Malwarebytes did not remove the infections it found as the log above shows "No action taken".

    Please rescan with Malwarebytes, but this time be sure that everything is checked, and click Remove Selected.

    Post the new Malwarebytes log along with a new HijackThis log.
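Trogan's point above is that a Malwarebytes log only proves something was removed when each detection line ends in a remediation status. As an added example, not code from the thread or from Malwarebytes, the Python below parses a log in that same layout, groups detections by final disposition, and cross-checks the summary counts against the items actually listed; the log text it runs on is constructed for the demonstration.

```python
# Added example (not the thread's or Malwarebytes' own code): triage a
# Malwarebytes' Anti-Malware 1.x log by disposition and check its summary counts.
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the layout of the logs posted above; paths and counts are
# made up, including a deliberate mismatch (summary says 3 files, only 2 listed).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1979

Memory Processes Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
G:\WINDOWS\system32\example_a.exe (Trojan.Downloader) -> No action taken.
G:\WINDOWS\system32\example_b.dll (Trojan.Zlob.H) -> Delete on reboot.
"""

# "Files Infected: 13" in the summary block; "Files Infected:" opens a detail section.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>)" plus an optional " -> Bad: (..) Good: (..)" tail. The non-greedy
# item and the anchored tail stop "(x86)" inside a path being read as the family.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\)(?P<detail>(?: -> .*)?)$")

@dataclass
class Detection:
    section: str
    item: str
    family: str
    status: str        # final disposition text, e.g. "No action taken"
    detail: str = ""   # " -> Bad: (1) Good: (0)" for registry data items

def classify(status: str) -> str:
    """Map the disposition text to removed / pending reboot / not removed."""
    if status.startswith("Quarantined and deleted"):
        return "removed"
    if status == "Delete on reboot":
        return "pending reboot"
    return "not removed"   # "No action taken" and anything unrecognised

def parse_mbam_log(text: str) -> tuple[dict[str, int], list[Detection]]:
    summary: dict[str, int] = {}
    detections: list[Detection] = []
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section is not None and not line.startswith("(No malicious items"):
            # Disposition is the text after the last " -> "; the period is decorative.
            left, sep, status = line.rpartition(" -> ")
            if sep and (m := ENTRY_RE.match(left)):
                detections.append(Detection(section, m["item"], m["family"],
                                            status.rstrip("."), m["detail"]))
    return summary, detections

@dataclass
class Report:
    removed: list[Detection] = field(default_factory=list)
    pending_reboot: list[Detection] = field(default_factory=list)
    not_removed: list[Detection] = field(default_factory=list)
    # section -> (count claimed in the summary, items actually listed)
    count_mismatches: dict[str, tuple[int, int]] = field(default_factory=dict)

    @property
    def clean(self) -> bool:
        # Only true when everything found was removed and the counts add up.
        return not (self.pending_reboot or self.not_removed or self.count_mismatches)

def triage(text: str) -> Report:
    summary, detections = parse_mbam_log(text)
    report = Report()
    for d in detections:
        getattr(report, classify(d.status).replace(" ", "_")).append(d)
    listed = Counter(d.section for d in detections)   # Counter gives 0 for absent keys
    for section, claimed in summary.items():
        if claimed != listed[section]:
            report.count_mismatches[section] = (claimed, listed[section])
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"not removed: {[d.item for d in r.not_removed]}")
    print(f"count mismatches: {r.count_mismatches}; clean={r.clean}")
```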
  • edited April 2009
    Logfile of HijackThis v1.99.1
    Scan saved at 10:04:44 PM, on 04/15/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    C:\Comodo\COMODO Internet Security\cmdagent.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\utilities\A-squared Free\a2service.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\WINDOWS\System32\GEARSec.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    G:\WINDOWS\System32\HPZipm12.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\system32\devldr32.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Comodo\COMODO Internet Security\cfp.exe
    G:\Program Files\Java\jre6\bin\jusched.exe
    G:\WINDOWS\system32\ctfmon.exe
    C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Utilities\Hijackthis\Nutty110.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - G:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
    O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    Malwarebytes' Anti-Malware 1.36
    Database version: 1987
    Windows 5.1.2600 Service Pack 2

    04/15/2009 9:12:33 PM
    mbam-log-2009-04-15 (21-12-33).txt

    Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|J:\|K:\|)
    Objects scanned: 211849
    Time elapsed: 1 hour(s), 16 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Mirc\mirc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
  • edited April 2009
    Malwarebytes' Anti-Malware 1.36
    Database version: 1987
    Windows 5.1.2600 Service Pack 2

    04/18/2009 8:40:34 AM
    mbam-log-2009-04-18 (08-40-34).txt

    Scan type: Quick Scan
    Objects scanned: 82700
    Time elapsed: 17 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d7bf4552-94f1-42bd-f434-3604812c856d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    G:\WINDOWS\system32\jh9fgo4ksdgf.dll (Trojan.Zlob.H) -> Delete on reboot.
    G:\WINDOWS\csrss.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    G:\Documents and Settings\Randy\Local Settings\Temp\2594610714.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:56:05 AM, on 04/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    C:\Comodo\COMODO Internet Security\cmdagent.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\system32\svchost.exe
    G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Comodo\COMODO Internet Security\cfp.exe
    G:\Program Files\Java\jre6\bin\jusched.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
    G:\WINDOWS\System32\GEARSec.exe
    G:\Program Files\Java\jre6\bin\jqs.exe
    G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    G:\WINDOWS\System32\HPZipm12.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    G:\WINDOWS\system32\devldr32.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\WINDOWS\explorer.exe
    G:\utilities\A-squared Free\a2service.exe
    G:\utilities\Malwarebytes' Anti-Malware\mbam.exe
    G:\DOCUME~1\Randy\LOCALS~1\Temp\1510050428.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Utilities\Hijackthis\Nutty110.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: G:\WINDOWS\system32\jh9fgo4ksdgf.dll - {d7bf4552-94f1-42bd-f434-3604812c856d} - G:\WINDOWS\system32\jh9fgo4ksdgf.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Diagnostic Manager] G:\DOCUME~1\Randy\LOCALS~1\Temp\1510050428.exe
    O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
    O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
    O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
    O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
  • Trogan, London, UK
    edited April 2009
    Hi,

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases

        • Click OK
        • Now under select a target to scan:
          Select My Computer
        • This program will start and scan your system.
        • The scan will take a while so be patient and let it run.
        • Once the scan is complete it will display if your system has been infected.
        • Now click on the Save Report As button:
        • Change Save as type: to Text file
        • Save this as Kaspersky scan to your Desktop
        • Post the Kaspersky report in your next reply.
      • edited April 2009
        Trogan....I am having troubles scanning with Kaspersky Online Scanner as I tried several times but my computer locks up after several minutes of scanning for viruses.
        I cannot give you a Online Scan. Is there something else we could use here....
        many thanks Trogan for helping here.....
      • Trogan, London, UK
        edited April 2009
        Hi,

        Lets try this...

        Please open the ESET Online Scanner in Internet Explorer
        • Tick the box next to YES, I accept the Terms of Use. and click Start
        • Allow the ActiveX control to be installed by Internet Explorer
        • Once the ActiveX has finished loading click Start to initialize and update the scanner
        • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
        • Once complete and the summary page appears, press Start->Run, copy/paste the following command into the box and press OK:
          notepad "C:\Program Files\EsetOnlineScanner\log.txt"
        • The log file should now appear in Notepad, copy and paste the contents in your next response.

        Once complete, please post the Eset report and a new HijackThis log.
      • edited April 2009
        C:\Comodo\COMODO Internet Security\Quarantine\A0097762.exe a variant of Win32/Kryptik.DR trojan
        C:\Comodo\COMODO Internet Security\Quarantine\CRYPTE~1.EXE probably a variant of Win32/IRCBot trojan
        C:\Comodo\COMODO Internet Security\Quarantine\CRYPTE~1.EXE1 probably a variant of Win32/IRCBot trojan
        C:\Comodo\COMODO Internet Security\Quarantine\winlogon.exe a variant of Win32/Kryptik.DR trojan
        F:\Appz\Google_Earth_2009\G2008.exe probably a variant of Win32/TrojanDownloader.Small trojan
        G:\Documents and Settings\LocalService\protect.dll Win32/Rootkit.Agent.NIZ trojan
        G:\Documents and Settings\Randy\Start Menu\Programs\Startup\ChkDisk.dll Win32/Rootkit.Agent.NIZ trojan
        G:\Documents and Settings\Randy\protect.dll Win32/Rootkit.Agent.NIZ trojan
        G:\QooBox\Quarantine\G\WINDOWS\system32\RXaIlnmp.ini.vir Win32/Adware.Virtumonde.NEO application
        G:\QooBox\Quarantine\G\WINDOWS\system32\RXaIlnmp.ini2.vir Win32/Adware.Virtumonde.NEO application
        G:\WINDOWS\system32\ActiveScan\pskavs.dll probably a variant of Win32/Agent trojan
        G:\WINDOWS\system32\config\systemprofile\protect.dll Win32/Rootkit.Agent.NIZ trojan
        G:\WINDOWS\system32\1000.exe Win32/TrojanDownloader.FakeAlert.ABM trojan
        G:\WINDOWS\system32\autochk.dll Win32/Rootkit.Agent.NIZ trojan
        G:\WINDOWS\system32\dLer.exe a variant of Win32/Injector.LR trojan
        G:\WINDOWS\TEMP\jj7vm.exe Win32/TrojanDownloader.Small.NTQ trojan
        G:\WINDOWS\TEMP\msb.dll Win32/Rootkit.Agent.NIZ trojan
        G:\WINDOWS\TEMP\sjgh4kdg4rg4.exe Win32/TrojanDownloader.Small.NTQ trojan
        G:\WINDOWS\TEMP\wr4px.exe Win32/TrojanDownloader.Small.OOG trojan
        Logfile of HijackThis v1.99.1
        Scan saved at 6:41:18 AM, on 04/30/2009
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        G:\WINDOWS\System32\smss.exe
        G:\WINDOWS\system32\winlogon.exe
        G:\WINDOWS\system32\services.exe
        G:\WINDOWS\system32\lsass.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\system32\svchost.exe
        C:\Comodo\COMODO Internet Security\cmdagent.exe
        G:\WINDOWS\system32\svchost.exe
        G:\WINDOWS\system32\svchost.exe
        G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\Explorer.EXE
        G:\WINDOWS\system32\spoolsv.exe
        G:\utilities\A-squared Free\a2service.exe
        G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        G:\WINDOWS\System32\GEARSec.exe
        G:\Program Files\Java\jre6\bin\jqs.exe
        G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        G:\WINDOWS\System32\HPZipm12.exe
        G:\WINDOWS\System32\svchost.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        G:\Program Files\Java\jre6\bin\jusched.exe
        G:\WINDOWS\system32\ctfmon.exe
        C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
        G:\WINDOWS\system32\devldr32.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        \?\globalroot\G:\WINDOWS\system32\rundll32.exe
        G:\WINDOWS\system32\drwtsn32.exe
        G:\WINDOWS\system32\drwtsn32.exe
        G:\Program Files\Mozilla Firefox\firefox.exe
        G:\Program Files\Mozilla Firefox\firefox.exe
        G:\Program Files\Internet Explorer\iexplore.exe
        G:\Utilities\Malwarebytes' Anti-Malware\mbam.exe
        G:\Program Files\Common Files\Real\Update_OB\realsched.exe
        G:\WINDOWS\system32\wuauclt.exe
        G:\Utilities\Hijackthis\Nutty110.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ca.search.yahoo.com
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: &Yahoo! Toolbar Helper - {02478d38-c3f9-4efb-9b51-7695eca05670} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
        O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
        O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Comodo\COMODO Internet Security\cfp.exe" -h
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
        O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [autochk] rundll32.exe G:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
        O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
        O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
        O4 - HKCU\..\Run: [RegistryMechanic] G:\utilities\Registry Mechanic\RegMech.exe /H
        O4 - HKCU\..\Run: [autochk] rundll32.exe G:\DOCUME~1\Randy\protect.dll,_IWMPEvents@16
        O4 - Startup: ChkDisk.dll
        O4 - Startup: ChkDisk.lnk = ?
        O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
        O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
        O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
        O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
        O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
        O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
        O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
        O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
        O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
        O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
        O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
        O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
        O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
        O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Comodo\COMODO Internet Security\cmdagent.exe
        O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
        O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
        O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
        O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
        O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
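The ESET results and the HijackThis log above carry a handful of indicators worth pulling out mechanically rather than by eye: two Run entries that start a DLL through rundll32.exe with the _IWMPEvents@16 export (one of them from the user's own profile), a ChkDisk.dll dropped straight into the Startup folder, a rundll32.exe running under the \?\globalroot\ NT namespace prefix, and a BITS service whose image path has been damaged to %fystemRoot%. The script below is an added example, not part of this thread and not anything HijackThis or ESET ships: it runs those four checks over a constructed sample built from the shapes of lines in the logs above. The rule names, the heuristics themselves and the KNOWN_ENV list are my own assumptions, and a hit means "review this line", not a verdict.

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis logs
# posted in this thread (paths and names taken from the log, not a full log).
SAMPLE_LOG = r"""
Running processes:
G:\WINDOWS\system32\winlogon.exe
\?\globalroot\G:\WINDOWS\system32\rundll32.exe
G:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe G:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe G:\DOCUME~1\Randy\protect.dll,_IWMPEvents@16
O4 - Startup: ChkDisk.dll
O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - %fystemRoot%\System32\svchost.exe (file missing)
O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# Variables a legitimate service ImagePath is expected to use (assumed list);
# anything else inside %...% is a typo or deliberate damage (%fystemRoot% here).
KNOWN_ENV = {"systemroot", "systemdrive", "windir", "programfiles", "commonprogramfiles"}

ENTRY_RE = re.compile(r"^[RFOND]\d+\s+-")                 # R0/O4/O23... section lines
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
STDCALL_RE = re.compile(r"^_\w+@\d+$")                    # _IWMPEvents@16 style export name
USER_DIR_RE = re.compile(r"\\(docume~1|documents and settings|users|temp|tmp)\\", re.I)
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<target>.+?)(?: = .*)?$")
GLOBALROOT_RE = re.compile(r"^\\+\?\\globalroot\\", re.I)
ENV_RE = re.compile(r"%([^%]+)%")


def triage(log_text):
    """Return [(rule, reason, line)] for every log line that trips a heuristic."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):          # first R/O entry ends the process list
            in_processes = False
        if in_processes:
            # A user-mode listing should show drive-letter paths; the NT object
            # namespace prefix means the image was started in a way that hides
            # its real location from ordinary tools.
            if GLOBALROOT_RE.match(line):
                findings.append(("globalroot-process", r"image path uses the \?\globalroot prefix", line))
            continue
        if line.startswith("O4 "):
            m = RUNDLL_RE.search(line)
            if m:
                reasons = []
                if USER_DIR_RE.search(m.group("dll")):
                    reasons.append("DLL loaded from a user profile or temp directory")
                if STDCALL_RE.match(m.group("export")):
                    reasons.append("stdcall-decorated export name")
                if reasons:
                    findings.append(("rundll32-run", "; ".join(reasons), line))
                continue
            m = STARTUP_RE.match(line)
            # Installers put shortcuts in Startup folders, never bare DLLs.
            if m and m.group("target").lower().endswith(".dll"):
                findings.append(("startup-dll", "DLL placed in a Startup folder", line))
            continue
        if line.startswith("O23 "):
            bad = [v for v in ENV_RE.findall(line) if v.lower() not in KNOWN_ENV]
            if bad:
                findings.append(("bad-env-service", "undefined variable %%%s%%" % bad[0], line))
    return findings


if __name__ == "__main__":
    for rule, reason, line in triage(SAMPLE_LOG):
        print("%-20s %s\n    %s" % (rule, reason, line))
```

Run it against a full pasted log (read the file instead of SAMPLE_LOG) and every hit is a line to look up before deciding what to fix; the two rundll32 hits here are the same pair the ESET scan later names as Win32/Rootkit.Agent.NIZ files.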
      • Trogan, London, UK
        edited May 2009
        Hi,

        Apologies for the delay.

        Please do the following...

        1. Download ComboFix from one of these locations:

        Link 1
        Link 2
        Link 3

        * IMPORTANT!!! Save ComboFix.exe to your Desktop
        • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help
        • Double click on ComboFix.exe & follow the prompts.
        • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
        • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

        **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
        [image: RcAuto1.gif]

        Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
        [image: whatnext.png]

        Click on Yes, to continue scanning for malware.

        When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
      • edited May 2009
        ComboFix 09-05-06.02 - Randy 05/07/2009 21:08.7 - NTFSx86
        Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.267 [GMT -4:00]
        Running from: g:\documents and settings\Randy\Desktop\ComboFix.exe
        * Created a new restore point
        .

        ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        C:\xcrashdump.dat
        g:\documents and settings\NetworkService\protect.dll
        g:\documents and settings\Randy\Application Data\inst.exe
        g:\windows\IE4 Error Log.txt
        g:\windows\patch.exe
        g:\windows\system32\1000.exe
        g:\windows\system32\drivers\ovfsth.sys
        g:\windows\system32\drivers\ovfsthmlavjaxehxwvmhjthpppqmwuebwujnbo.sys
        g:\windows\system32\ovfsthaotxtokbibokikdxjmbhvdldpemovsnn.dat
        g:\windows\system32\ovfsthcnrsvaqeaijaqghyoloddxshamtniyay.db
        g:\windows\system32\ovfsthdvyqwicecjkpbaabhwtlxtqhmspmhwwo.dll
        g:\windows\system32\ovfsthhlajdjfrcypqdwhjtrorswlwobpifmdf.dat
        g:\windows\system32\ovfsthmjwgkrcynpetoiqtoltrsxnoejkcrjxb.dll
        g:\windows\system32\ovfsthokecwskfasoetgpctnxyxvtcyrulutib.dll
        g:\windows\system32\ovfsthxdtjdndowmenvxxujcaqmwmnappqolap.dll
        g:\windows\system32\systeminfo3.dll
        g:\windows\system32\tmp.reg
        g:\windows\system32\uniq.tll
        g:\windows\system32\uuddc32.dll
        g:\windows\TEMP\1170727902.exe
        g:\windows\TEMP\1476792616.exe
        g:\windows\TEMP\1599041922.exe
        g:\windows\TEMP\1721134978.exe
        g:\windows\TEMP\1930190120.exe
        g:\windows\TEMP\196269352.exe
        g:\windows\TEMP\2059938040.exe
        g:\windows\TEMP\2100444548.exe
        g:\windows\TEMP\2127181117.exe
        g:\windows\TEMP\2244781790.exe
        g:\windows\TEMP\2245094290.exe
        g:\windows\TEMP\2296407416.exe
        g:\windows\TEMP\2757472130.exe
        g:\windows\TEMP\2879565186.exe
        g:\windows\TEMP\2925051755.exe
        g:\windows\TEMP\300175602.exe
        g:\windows\TEMP\318518658.exe
        g:\windows\TEMP\3210713384.exe
        g:\windows\TEMP\328294.exe
        g:\windows\TEMP\3356905312.exe
        g:\windows\TEMP\3661923388.exe
        g:\windows\TEMP\3667392138.exe
        g:\windows\TEMP\3819110888.exe
        g:\windows\TEMP\4037995394.exe
        g:\windows\TEMP\4160088450.exe
        g:\windows\TEMP\440611714.exe
        g:\windows\TEMP\649666856.exe
        g:\windows\TEMP\732584826.exe
        g:\windows\xccwinsys.ini

        .
        ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        \Service_ovfsthltkkdulrgaoyrdqjbakrnsmiqjyiudoy
        \Legacy_ISEXENG
        \Legacy_ZESOFT


        ((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
        .

        2009-04-30 10:42 . 2009-04-30 10:42 61440 ----a-w g:\windows\system32\drivers\mqrmerhn.sys
        2009-04-30 02:25 . 2009-04-30 02:25 d-----w g:\program files\ESET
        2009-04-28 23:30 . 2009-04-29 10:35 77088 --sha-w g:\windows\system32\drivers\fidbox.dat
        2009-04-28 23:30 . 2009-04-29 10:35 32 --sha-w g:\windows\system32\drivers\fidbox2.dat
        2009-04-28 23:20 . 2009-04-29 00:29 d-----w g:\program files\Common Files\ParetoLogic
        2009-04-28 23:20 . 2009-04-29 00:29 d-----w g:\documents and settings\All Users\Application Data\ParetoLogic
        2009-04-28 23:20 . 2009-04-28 23:20 d-----w g:\documents and settings\Randy\Local Settings\Application Data\Downloaded Installations
        2009-04-21 21:58 . 2009-04-21 21:58 d-----w g:\program files\DVDFab Platinum 4
        2009-04-19 05:12 . 2009-04-19 05:12 61440 ----a-w g:\windows\system32\drivers\xjlxs.sys
        2009-04-17 19:29 . 2009-04-30 10:43 0 ----a-w g:\windows\system32\drivers\1e735214.sys
        2009-04-17 12:28 . 2009-04-17 12:28 d-s---w g:\windows\system32\config\systemprofile\UserData
        2009-04-16 20:13 . 2009-04-16 20:13 d-----w g:\program files\Common Files\xing shared
        2009-04-16 10:32 . 2009-04-16 10:32 d-----w g:\windows\system32\config\systemprofile\Application Data\Yahoo!
        2009-04-16 02:24 . 2009-05-01 10:34 d-----w g:\documents and settings\Randy\Application Data\DVD Flick
        2009-04-10 21:49 . 2002-12-10 06:20 102439 ----a-w g:\windows\system32\sipr3260.dll
        2009-04-10 21:49 . 2006-09-29 16:24 217127 ----a-w g:\windows\system32\drv43260.dll
        2009-04-10 21:49 . 2006-09-29 16:25 208935 ----a-w g:\windows\system32\drv33260.dll
        2009-04-10 21:49 . 2006-09-29 16:26 176165 ----a-w g:\windows\system32\drv23260.dll
        2009-04-10 21:49 . 2007-03-19 00:37 65602 ----a-w g:\windows\system32\cook3260.dll
        2009-04-10 21:49 . 2006-05-11 23:21 626688 ----a-w g:\windows\system32\vp7vfw.dll
        2009-04-10 21:49 . 2006-05-20 20:16 1184984 ----a-w g:\windows\system32\wvc1dmod.dll
        2009-04-10 21:49 . 2009-04-10 21:49 d-----w g:\program files\VSO

        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-05-02 16:33 . 2004-01-06 21:02 81880 ----a-w g:\documents and settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
        2009-04-29 10:35 . 2009-04-28 23:30 32 --sha-w g:\windows\system32\drivers\fidbox2.idx
        2009-04-29 10:35 . 2009-04-28 23:30 3152 --sha-w g:\windows\system32\drivers\fidbox.idx
        2009-04-24 00:24 . 2009-04-08 00:14 155 ----a-w g:\windows\system32\SelfDel.bat
        2009-04-21 21:58 . 2007-10-31 01:20 47360 ----a-w g:\windows\system32\drivers\pcouffin.sys
        2009-04-21 21:58 . 2006-12-27 04:39 47360 ----a-w g:\documents and settings\Randy\Application Data\pcouffin.sys
        2009-04-19 14:05 . 2008-03-02 17:39 d-----w g:\program files\Yahoo!
        2009-04-19 14:04 . 2003-12-28 04:19 d-----w g:\program files\Google
        2009-04-17 08:37 . 2009-04-03 15:30 0 ----a-w g:\windows\system32\drivers\9c0c92a3.sys
        2009-04-16 20:13 . 2004-03-31 00:21 d-----w g:\program files\Common Files\Real
        2009-04-16 20:12 . 2006-10-01 03:41 348160 ----a-w g:\windows\system32\msvcr71.dll
        2009-04-16 20:12 . 2006-10-01 03:41 499712 ----a-w g:\windows\system32\msvcp71.dll
        2009-04-06 19:32 . 2008-12-22 04:00 38496 ----a-w g:\windows\system32\drivers\mbamswissarmy.sys
        2009-04-06 19:32 . 2008-05-10 05:56 15504 ----a-w g:\windows\system32\drivers\mbam.sys
        2009-04-05 15:25 . 2004-11-29 02:06 24040 ----a-w g:\windows\TMPG001.TMP
        2009-03-30 11:55 . 2009-03-30 11:53 d-----w g:\program files\UBNet
        2009-03-25 01:08 . 2009-03-25 01:08 45056 ----a-w g:\windows\system32\dLer.exe
        2009-03-24 22:42 . 2009-03-24 22:42 81880 ----a-w g:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-03-22 14:39 . 2009-03-21 07:34 20234544 ----a-w g:\documents and settings\Randy\Application Data\setup_blazemp.exe
        2009-02-27 18:00 . 2008-12-23 15:14 410984 ----a-w g:\windows\system32\deploytk.dll
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND8.tmp
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND7.tmp
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND6.tmp
        2009-02-14 02:00 . 2004-07-25 18:00 81880 ----a-w g:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-02-14 01:36 . 2009-02-14 01:36 188432 ----a-w g:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
        2009-02-13 03:49 . 2009-02-13 03:50 20942005 ----a-w g:\windows\system32\xa193408640.exe
        2009-02-13 03:49 . 2009-02-13 03:49 20942005 ----a-w g:\windows\system32\xa193395750.exe
        2009-02-09 10:19 . 2002-08-29 02:14 1846272 ----a-w g:\windows\system32\win32k.sys
        2004-08-04 07:56 . 2007-04-16 23:48 93184 ----a-w g:\program files\iexplore.exe
        2003-08-27 18:19 . 2004-07-25 17:40 36963 -----r- g:\program files\Common Files\SM1updtr.dll
        2008-01-30 15:10 . 2007-05-06 06:05 131584 ----a-w g:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
        2001-08-23 12:00 . 2001-08-23 12:00 94784 -csh--w g:\windows\twain.dll
        2004-08-04 07:56 . 2001-08-23 12:00 50688 --sh--w g:\windows\twain_32.dll
        2004-08-20 03:26 . 2004-08-20 03:26 1216 -csh--w g:\windows\Twunk_16.dll
        2004-08-20 03:26 . 2004-08-20 03:26 1216 -csh--w g:\windows\Twunk_32.dll
        2004-08-04 07:56 . 2001-08-23 12:00 54784 --sh--w g:\windows\system32\msvcirt.dll
        2004-08-04 07:56 . 2002-08-29 03:41 413696 --sha-w g:\windows\system32\msvcp60.dll
        2004-08-04 07:56 . 2001-08-23 12:00 11776 --sh--w g:\windows\system32\regsvr32.exe
        .

        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2004-08-04 15360]
        "NBJ"="g:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
        "EPSON PictureMate PM 240"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE" [2006-10-17 143360]
        "RegistryMechanic"="g:\utilities\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
        "Google Desktop Search"="g:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 29744]
        "PSDrvCheck"="g:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
        "ATICCC"="g:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
        "Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
        "SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]
        "Malwarebytes' Anti-Malware"="g:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
        "TkBellExe"="g:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-16 198160]

        g:\documents and settings\All Users\Start Menu\Programs\Startup\
        Event Planner Reminder 2009.lnk - g:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-2-13 237568]

        [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
        "NoSetActiveDesktop"= 1 (0x1)
        "NoActiveDesktopChanges"= 1 (0x1)

        HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
        "aux"= ctwdm32.dll

        [HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
        backup=g:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

        [HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
        backup=g:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

        [HKLM\~\startupfolder\G:^Documents and Settings^Randy^Start Menu^Programs^Startup^Poppy for Windows.lnk]
        backup=g:\windows\pss\Poppy for Windows.lnkStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
        "C-DillaCdaC11BA"=2 (0x2)

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusOverride"=dword:00000001
        "FirewallOverride"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "g:\\Utilities\\InterVideo\\DVD7\\WinDVD.exe"=
        "g:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
        "g:\\Program Files\\MSN Messenger\\livecall.exe"=
        "g:\\Utilities\\iTunes\\iTunes.exe"=
        "g:\\Utilities\\uTorrent\\uTorrent.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "5757:TCP"= 5757:TCP:Superforge4
        "5757:UDP"= 5757:UDP:Superforge4

        R1 kid_sys;Kensington Input Devices Class filter driver;g:\windows\system32\drivers\KID_SYS.sys [11/21/2004 1:41 AM 11920]
        R2 DLPortIO;DLPORTIO;g:\windows\DLPORTIO.sys [01/12/2008 11:43 AM 3584]
        R2 mbamservice;mbamservice;g:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe [04/22/2008 7:53 PM 179856]
        R3 Dvd43;Dvd43;g:\windows\system32\drivers\Dvd43.sys [10/30/2007 9:30 PM 26048]
        R3 EPPSCSIx;EPPSCSI Driver;g:\windows\system32\drivers\eppscan.sys [01/31/2004 11:57 PM 105124]
        R3 mbamprotector;mbamprotector;g:\windows\system32\drivers\mbam.sys [05/10/2008 1:56 AM 15504]
        R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;g:\windows\system32\drivers\SMC1211.sys [07/11/2001 11:06 AM 23153]
        S0 xmasbus;xmasbus;g:\windows\system32\DRIVERS\xmasbus.sys --> g:\windows\system32\DRIVERS\xmasbus.sys [?]
        S0 xmasscsi;xmasscsi;g:\windows\system32\Drivers\xmasscsi.sys --> g:\windows\system32\Drivers\xmasscsi.sys [?]
        S1 1e735214;1e735214;g:\windows\system32\drivers\1e735214.sys [04/17/2009 3:29 PM 0]
        S1 9c0c92a3;9c0c92a3;g:\windows\system32\drivers\9c0c92a3.sys [04/03/2009 11:30 AM 0]
        S1 oxmf;OXPCI Bus enumerator;g:\windows\system32\drivers\oxmf.sys [03/04/2007 1:53 PM 15872]
        S1 oxser;OX16C95x Serial port driver;g:\windows\system32\drivers\oxser.sys [03/04/2007 1:53 PM 50048]
        S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;g:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe --> g:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [?]
        S2 SOFTLOK;SOFTLOK; [x]
        S3 DtvAudio;DtvAudio;g:\windows\system32\drivers\DtvAudio.sys [09/27/2005 9:02 PM 9216]
        S3 DtvVideo;DtvVideo;g:\windows\system32\drivers\DtvVideo.sys [09/27/2005 9:02 PM 23680]
        S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;g:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/06/2007 2:04 AM 29744]
        S3 ntxpgp;Gravis Xperience GamePort device driver;g:\windows\system32\drivers\ntxpgp.sys [11/21/2004 1:41 AM 240188]
        S3 Oxmfuf;Filter driver for OX16PCI954 ports;g:\windows\system32\drivers\oxmfuf.sys [03/04/2007 1:53 PM 4992]
        S3 VPNET;DTVNet Ethernet Controller;g:\windows\system32\drivers\DTVNet.sys [09/27/2005 9:01 PM 18192]
        .
        Contents of the 'Scheduled Tasks' folder

        2009-05-07 g:\windows\Tasks\AppleSoftwareUpdate.job
        - g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

        2009-05-07 g:\windows\Tasks\Malwarebytes' Scheduled Scan for Randy.job
        - g:\utilities\Malwarebytes' Anti-Malware\mbam.exe [2008-04-22 19:32]

        2009-05-07 g:\windows\Tasks\Malwarebytes' Scheduled Update for Randy.job
        - g:\utilities\Malwarebytes' Anti-Malware\mbam.exe [2008-04-22 19:32]
        .
        - - - - ORPHANS REMOVED - - - -

        HKU-Default-Run-Windows Resurections - g:\windows\TEMP\wr4px.exe
        HKU-Default-Run-uidenhiufgsduiazghs - g:\windows\TEMP\ddvv4g.exe
        HKU-Default-Run-Diagnostic Manager - g:\windows\TEMP\2127181117.exe
        .
        Supplementary Scan
        .
        uStart Page = hxxp://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
        uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
        mStart Page = hxxp://www.nforce.nl
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        IE: &eBay Search
        IE: E&xport to Microsoft Excel - g:\utilit~1\MICROS~1\Office10\EXCEL.EXE/3000
        DPF: DirectAnimation Java Classes - file://g:\windows\Java\classes\dajava.cab
        DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
        DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
        DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
        DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
        FF - ProfilePath - g:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\default.kps\
        FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
        FF - prefs.js: browser.search.selectedEngine - Google
        FF - prefs.js: browser.startup.homepage - hxxp://netforbeginners.about.com/gi/dynamic/offsite.htm?zi=1/XJ&sdn=netforbeginners&zu=http%3A%2F%2Fwww.torrentscan.com%2F
        FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
        FF - component: g:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
        FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
        FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
        FF - plugin: g:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
        FF - plugin: g:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
        FF - plugin: g:\utilities\DivX\DivX Content Uploader\npUpload.dll
        FF - plugin: g:\utilities\iTunes\Mozilla Plugins\npitunes.dll
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-05-07 21:17
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        LOCKED REGISTRY KEYS

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D77D8070-1B9B-3032-1EDE-A5E747C4FDE6}*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)
        "abalkdoalmceibnldgbhcmjlhgafaoaied"=hex:65,62,61,6c,6e,66,68,69,65,70,68,62,
        68,6c,6d,6f,6d,66,6c,66,64,6f,6c,6f,63,62,6f,6e,62,66,63,6d,65,63,63,65,6e,\
        "bbalkdoalmceibnldgogdmoiopfhbfhfjkgh"=hex:61,62,6a,6d,65,64,65,6d,68,64,69,6d,
        68,69,63,68,6d,64,62,64,68,67,6b,6e,62,6f,65,68,69,65,69,6e,69,70,00,65

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|9*8*5*3**àý8«T€Èÿ*¨
        £‚ÿÿÿÿ¨šƒ|ào|\Main Window]
        "WP"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
        ff,ff,ff,ff,ff,84,00,00,00,ae,00,00,00,01,03,00,00,05,03,00,00

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýì*þá|*ðý8«T€Èÿ* Mþÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýì*þá|*ðý8«T€Èÿ* Mþÿÿÿÿ¨šƒ|ào|\Main Window]
        "WP"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
        ff,ff,ff,ff,ff,16,00,00,00,1d,00,00,00,93,02,00,00,74,02,00,00

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýù*þá|*Àý8«T€Èÿ* @¢‚ÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýþá|*@ý8«T€Èÿ*Èð%ƒÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýþá|*ðý8«T€Èÿ*ˆ*ÿÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f6,2d,a8,b6,8e,
        32,15,f4,e2,63,26,f1,3f,c8,ff,68,7b,da,f4,a4,3c,73,94,d6,e2,63,26,f1,3f,c8,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,3a,62,23,c8,d9,
        f0,a0,fa,6a,9c,d6,61,af,45,84,18,5e,a4,58,fb,db,f7,b4,4e,6a,9c,d6,61,af,45,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,78,51,20,29,9a,
        d8,7f,cd,ff,7c,85,e0,43,d4,0e,fe,c3,b7,26,ab,80,be,33,5c,ff,7c,85,e0,43,d4,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,86,80,38,ab,a5,
        2c,35,50,86,8c,21,01,be,91,eb,e7,c5,28,16,d6,b5,44,2d,a8,86,8c,21,01,be,91,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,28,0a,24,a0,37,
        98,6a,b2,f5,1d,4d,73,a8,13,5c,05,ab,a0,f2,40,af,7f,89,33,f5,1d,4d,73,a8,13,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,84,72,10,3b,16,
        d6,c4,3a,df,20,58,62,78,6b,cf,c8,fe,03,b1,c6,2b,3a,71,3f,df,20,58,62,78,6b,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,bd,ae,48,85,20,
        cc,d3,8c,fb,a7,78,e6,12,2f,9a,ea,c7,2d,fc,ce,f1,4f,70,bc,fb,a7,78,e6,12,2f,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,68,e6,fb,d0,10,
        24,40,19,01,3a,48,fc,e8,04,4a,f1,e8,57,1b,d6,25,26,e3,96,01,3a,48,fc,e8,04,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c1,42,61,fc,74,
        46,75,c2,f6,0f,4e,58,98,5b,89,c9,21,51,c0,82,af,d1,55,c6,f6,0f,4e,58,98,5b,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,90,2e,e2,c7,15,
        df,53,d4,3d,ce,ea,26,2d,45,aa,78,bd,c1,59,07,b0,9d,0b,be,3d,ce,ea,26,2d,45,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,d8,bb,52,7c,63,
        53,66,ab,2a,b7,cc,b5,b9,7f,41,e7,f2,c4,c4,d8,b3,e3,62,13,2a,b7,cc,b5,b9,7f,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,61,d1,38,27,2d,
        94,55,69,6c,43,2d,1e,aa,22,2f,9c,f2,f2,b1,5b,43,64,7f,56,6c,43,2d,1e,aa,22,\
        .
        DLLs Loaded Under Running Processes

        - - - - - - - > 'winlogon.exe'(680)
        g:\windows\system32\Ati2evxx.dll

        - - - - - - - > 'explorer.exe'(2764)
        g:\windows\system32\WPDShServiceObj.dll
        g:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
        g:\windows\system32\PortableDeviceTypes.dll
        g:\windows\system32\PortableDeviceApi.dll
        .
        Other Running Processes
        .
        g:\windows\system32\ati2evxx.exe
        g:\utilities\Lavasoft\Ad-Aware\aawservice.exe
        g:\windows\system32\ati2evxx.exe
        g:\utilities\A-squared Free\a2service.exe
        g:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        g:\windows\system32\gearsec.exe
        g:\program files\Java\jre6\bin\jqs.exe
        g:\windows\system32\HPZipm12.exe
        g:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        g:\windows\system32\devldr32.exe
        .
        **************************************************************************
        .
        Completion time: 2009-05-08 21:24 - machine was rebooted
        ComboFix-quarantined-files.txt 2009-05-08 01:23
        ComboFix2.txt 2008-04-20 21:46
        ComboFix3.txt 2008-03-26 00:43

        Pre-Run: 4,171,613,184 bytes free
        Post-Run: 4,823,920,640 bytes free

        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(1)partition(2)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(1)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

        Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
        394 --- E O F --- 2009-03-18 07:05
      • TroganTrogan London, UK
        edited May 2009
        Hi,

        Please do the following...

        1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
        This program is for XP and Windows 2000 only!
        • Double-click ATF Cleaner.exe to open it.
        • Under Main select the following:
          • Windows Temp
          • Current User Temp
          • All Users Temp
          • Temporary Internet Files
          • Java Cache
        *The other boxes are optional*
        Then click the Empty Selected button.

        Click Exit on the Main menu to close the program.

        2. Open Notepad and copy/paste the text in the Quote Box below into it:
        File::
        G:\Documents and Settings\LocalService\protect.dll
        G:\Documents and Settings\Randy\Start Menu\Programs\Startup\ChkDisk.dll
        G:\Documents and Settings\Randy\protect.dll
        G:\WINDOWS\system32\config\systemprofile\protect.dll
        G:\WINDOWS\system32\1000.exe
        G:\WINDOWS\system32\autochk.dll
        G:\WINDOWS\system32\dLer.exe
        G:\WINDOWS\TEMP\jj7vm.exe
        G:\WINDOWS\TEMP\msb.dll
        G:\WINDOWS\TEMP\sjgh4kdg4rg4.exe
        G:\WINDOWS\TEMP\wr4px.exe
        g:\windows\system32\drivers\mqrmerhn.sys
        g:\windows\system32\drivers\xjlxs.sys
        g:\windows\system32\drivers\1e735214.sys

        Save this as CFScript.txt to your Desktop

        CFScript.gif

        Referring to the picture above, drag CFScript.txt into ComboFix.exe

        3. This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
      • edited May 2009
        I did the above but after dragging CFScript over ComboFix a popup screen is telling me that "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

        ComboFix after running is returning the above in quotes!!
      • edited May 2009
        I had to uninstall Comodo Internet Security to make ComboFix work.
        So here is the ComboFix.txt and a new HijackThis log.
        ComboFix 09-05-09.05 - Randy 05/14/2009 20:59.8 - NTFSx86
        Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.229 [GMT -4:00]
        Running from: g:\documents and settings\Randy\Desktop\ComboFix.exe
        Command switches used :: g:\documents and settings\Randy\Desktop\CFScript.txt.txt
        .

        ((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
        .

        2009-05-11 02:11 . 2009-05-12 00:56 d-----w G:\32788R22FWJFW.4.tmp
        2009-05-11 02:05 . 2009-05-11 02:11 d-----w G:\32788R22FWJFW.3.tmp
        2009-05-11 02:04 . 2009-05-11 02:05 d-----w G:\32788R22FWJFW.2.tmp
        2009-05-09 14:06 . 2009-05-11 02:04 d-----w G:\32788R22FWJFW.1.tmp
        2009-05-09 06:53 . 2009-05-09 14:06 d-----w G:\32788R22FWJFW.0.tmp
        2009-05-08 01:53 . 2009-03-06 14:44 283648 -c----w g:\windows\system32\dllcache\pdh.dll
        2009-05-08 01:53 . 2005-07-26 04:39 60416 -c----w g:\windows\system32\dllcache\colbact.dll
        2009-05-08 01:53 . 2009-02-09 10:20 399360 -c----w g:\windows\system32\dllcache\rpcss.dll
        2009-05-08 01:53 . 2009-02-06 17:14 110592 -c----w g:\windows\system32\dllcache\services.exe
        2009-05-08 01:53 . 2009-02-09 10:20 473088 -c----w g:\windows\system32\dllcache\fastprox.dll
        2009-05-08 01:53 . 2009-02-06 16:39 227840 -c----w g:\windows\system32\dllcache\wmiprvse.exe
        2009-05-08 01:53 . 2009-02-09 10:20 453120 -c----w g:\windows\system32\dllcache\wmiprvsd.dll
        2009-04-30 10:42 . 2009-04-30 10:42 61440 ----a-w g:\windows\system32\drivers\mqrmerhn.sys
        2009-04-30 02:25 . 2009-04-30 02:25 d-----w g:\program files\ESET
        2009-04-28 23:30 . 2009-04-29 10:35 77088 --sha-w g:\windows\system32\drivers\fidbox.dat
        2009-04-28 23:30 . 2009-04-29 10:35 32 --sha-w g:\windows\system32\drivers\fidbox2.dat
        2009-04-28 23:20 . 2009-04-29 00:29 d-----w g:\program files\Common Files\ParetoLogic
        2009-04-28 23:20 . 2009-04-29 00:29 d-----w g:\documents and settings\All Users\Application Data\ParetoLogic
        2009-04-28 23:20 . 2009-04-28 23:20 d-----w g:\documents and settings\Randy\Local Settings\Application Data\Downloaded Installations
        2009-04-21 21:58 . 2009-04-21 21:58 d-----w g:\program files\DVDFab Platinum 4
        2009-04-19 05:12 . 2009-04-19 05:12 61440 ----a-w g:\windows\system32\drivers\xjlxs.sys
        2009-04-17 19:29 . 2009-04-30 10:43 0 ----a-w g:\windows\system32\drivers\1e735214.sys
        2009-04-17 12:28 . 2009-04-17 12:28 d-s---w g:\windows\system32\config\systemprofile\UserData
        2009-04-16 20:13 . 2009-04-16 20:13 d-----w g:\program files\Common Files\xing shared
        2009-04-16 10:32 . 2009-04-16 10:32 d-----w g:\windows\system32\config\systemprofile\Application Data\Yahoo!
        2009-04-16 02:24 . 2009-05-01 10:34 d-----w g:\documents and settings\Randy\Application Data\DVD Flick

        .
        (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2009-05-15 00:54 . 2008-05-03 14:10 d-----w g:\program files\COMODO
        2009-05-10 18:36 . 2008-03-02 17:39 d-----w g:\program files\Yahoo!
        2009-05-09 14:29 . 2003-12-28 04:19 d-----w g:\program files\Google
        2009-05-02 16:33 . 2004-01-06 21:02 81880 ----a-w g:\documents and settings\Randy\Application Data\GDIPFONTCACHEV1.DAT
        2009-04-29 10:35 . 2009-04-28 23:30 32 --sha-w g:\windows\system32\drivers\fidbox2.idx
        2009-04-29 10:35 . 2009-04-28 23:30 3152 --sha-w g:\windows\system32\drivers\fidbox.idx
        2009-04-24 00:24 . 2009-04-08 00:14 155 ----a-w g:\windows\system32\SelfDel.bat
        2009-04-21 21:58 . 2007-10-31 01:20 47360 ----a-w g:\windows\system32\drivers\pcouffin.sys
        2009-04-21 21:58 . 2006-12-27 04:39 47360 ----a-w g:\documents and settings\Randy\Application Data\pcouffin.sys
        2009-04-18 01:50 . 2009-05-09 06:27 220312 ----a-w g:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
        2009-04-17 08:37 . 2009-04-03 15:30 0 ----a-w g:\windows\system32\drivers\9c0c92a3.sys
        2009-04-16 20:13 . 2004-03-31 00:21 d-----w g:\program files\Common Files\Real
        2009-04-16 20:12 . 2006-10-01 03:41 348160 ----a-w g:\windows\system32\msvcr71.dll
        2009-04-16 20:12 . 2006-10-01 03:41 499712 ----a-w g:\windows\system32\msvcp71.dll
        2009-04-10 21:49 . 2009-04-10 21:49 d-----w g:\program files\VSO
        2009-04-06 19:32 . 2008-12-22 04:00 38496 ----a-w g:\windows\system32\drivers\mbamswissarmy.sys
        2009-04-06 19:32 . 2008-05-10 05:56 15504 ----a-w g:\windows\system32\drivers\mbam.sys
        2009-04-05 15:25 . 2004-11-29 02:06 24040 ----a-w g:\windows\TMPG001.TMP
        2009-03-30 11:55 . 2009-03-30 11:53 d-----w g:\program files\UBNet
        2009-03-24 22:42 . 2009-03-24 22:42 81880 ----a-w g:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-03-22 14:39 . 2009-03-21 07:34 20234544 ----a-w g:\documents and settings\Randy\Application Data\setup_blazemp.exe
        2009-03-06 14:44 . 2002-08-29 03:41 283648 ----a-w g:\windows\system32\pdh.dll
        2009-02-27 18:00 . 2008-12-23 15:14 410984 ----a-w g:\windows\system32\deploytk.dll
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND8.tmp
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND7.tmp
        2009-02-27 17:59 . 2009-02-27 17:59 0 ----a-w g:\windows\system32\REND6.tmp
        2009-02-20 08:30 . 2006-06-23 15:33 659456 ----a-w g:\windows\system32\wininet.dll
        2009-02-20 08:30 . 2006-03-02 23:50 81920 ----a-w g:\windows\system32\ieencode.dll
        2009-02-14 02:00 . 2004-07-25 18:00 81880 ----a-w g:\documents and settings\Randy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2009-02-14 01:36 . 2009-02-14 01:36 188432 ----a-w g:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
        2004-08-04 07:56 . 2007-04-16 23:48 93184 ----a-w g:\program files\iexplore.exe
        2003-08-27 18:19 . 2004-07-25 17:40 36963 ------r g:\program files\Common Files\SM1updtr.dll
        2008-01-30 15:10 . 2007-05-06 06:05 131584 ----a-w g:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
        2001-08-23 12:00 . 2001-08-23 12:00 94784 -csh--w g:\windows\twain.dll
        2004-08-04 07:56 . 2001-08-23 12:00 50688 --sh--w g:\windows\twain_32.dll
        2004-08-20 03:26 . 2004-08-20 03:26 1216 -csh--w g:\windows\Twunk_16.dll
        2004-08-20 03:26 . 2004-08-20 03:26 1216 -csh--w g:\windows\Twunk_32.dll
        2004-08-04 07:56 . 2001-08-23 12:00 54784 --sh--w g:\windows\system32\msvcirt.dll
        2004-08-04 07:56 . 2002-08-29 03:41 413696 --sha-w g:\windows\system32\msvcp60.dll
        2004-08-04 07:56 . 2001-08-23 12:00 11776 --sh--w g:\windows\system32\regsvr32.exe
        .

        ((((((((((((((((((((((((((((( SnapShot@2009-05-08_01.17.20 )))))))))))))))))))))))))))))))))))))))))
        .
        + 2009-05-15 00:55 . 2009-05-15 00:55 16384 g:\windows\TEMP\Perflib_Perfdata_21c.dat
        - 2005-03-09 07:10 . 2007-07-27 13:41 26488 g:\windows\system32\spupdsvc.exe
        + 2005-03-09 07:10 . 2008-07-09 07:38 26488 g:\windows\system32\spupdsvc.exe
        + 2008-06-01 12:32 . 2007-11-30 12:39 17272 g:\windows\system32\spmsg.dll
        - 2008-06-01 12:32 . 2007-11-30 11:18 17272 g:\windows\system32\spmsg.dll
        + 2002-08-29 03:41 . 2009-02-03 20:08 55808 g:\windows\system32\secur32.dll
        - 2002-08-29 03:41 . 2004-08-04 07:56 55808 g:\windows\system32\secur32.dll
        + 2001-08-23 12:00 . 2009-02-06 16:54 35328 g:\windows\system32\sc.exe
        - 2002-08-29 03:41 . 2008-10-16 10:37 39424 g:\windows\system32\pngfilt.dll
        + 2002-08-29 03:41 . 2009-02-20 08:30 39424 g:\windows\system32\pngfilt.dll
        + 2001-08-23 12:00 . 2009-05-09 06:21 68084 g:\windows\system32\perfc009.dat
        - 2001-08-23 12:00 . 2009-03-22 20:39 68084 g:\windows\system32\perfc009.dat
        + 2006-01-10 18:15 . 2008-06-12 14:16 91648 g:\windows\system32\mtxoci.dll
        + 2006-03-01 19:44 . 2008-06-12 14:16 66560 g:\windows\system32\mtxclu.dll
        - 2006-03-01 19:44 . 2006-03-01 19:42 66560 g:\windows\system32\mtxclu.dll
        - 2003-12-28 06:52 . 2004-08-04 07:56 58880 g:\windows\system32\msdtclog.dll
        + 2003-12-28 06:52 . 2008-06-12 14:16 58880 g:\windows\system32\msdtclog.dll
        + 2001-08-23 12:00 . 2009-02-20 08:30 16384 g:\windows\system32\jsproxy.dll
        - 2001-08-23 12:00 . 2008-10-16 10:37 16384 g:\windows\system32\jsproxy.dll
        + 2004-08-26 14:53 . 2009-02-20 08:30 96256 g:\windows\system32\inseng.dll
        - 2004-08-26 14:53 . 2008-10-16 10:37 96256 g:\windows\system32\inseng.dll
        - 2006-03-02 23:50 . 2008-10-16 10:37 55808 g:\windows\system32\extmgr.dll
        + 2006-03-02 23:50 . 2009-02-20 08:30 55808 g:\windows\system32\extmgr.dll
        + 2009-02-03 20:08 . 2009-02-03 20:08 55808 g:\windows\system32\dllcache\secur32.dll
        + 2001-08-23 12:00 . 2009-02-06 16:54 35328 g:\windows\system32\dllcache\sc.exe
        - 2007-01-04 13:36 . 2008-10-16 10:37 39424 g:\windows\system32\dllcache\pngfilt.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 39424 g:\windows\system32\dllcache\pngfilt.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 91648 g:\windows\system32\dllcache\mtxoci.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 66560 g:\windows\system32\dllcache\mtxclu.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 58880 g:\windows\system32\dllcache\msdtclog.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 16384 g:\windows\system32\dllcache\jsproxy.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 16384 g:\windows\system32\dllcache\jsproxy.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 96256 g:\windows\system32\dllcache\inseng.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 96256 g:\windows\system32\dllcache\inseng.dll
        + 2009-02-20 08:30 . 2009-02-20 08:30 81920 g:\windows\system32\dllcache\ieencode.dll
        + 2007-01-04 10:36 . 2009-02-19 09:58 18432 g:\windows\system32\dllcache\iedw.exe
        - 2007-01-04 10:36 . 2008-10-15 09:45 18432 g:\windows\system32\dllcache\iedw.exe
        + 2007-01-04 13:36 . 2009-02-20 08:30 55808 g:\windows\system32\dllcache\extmgr.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 55808 g:\windows\system32\dllcache\extmgr.dll
        - 2005-05-17 00:43 . 2008-10-15 14:00 351744 g:\windows\system32\xpsp3res.dll
        + 2005-05-17 00:43 . 2009-02-19 09:47 351744 g:\windows\system32\xpsp3res.dll
        - 2004-12-25 06:38 . 2004-08-04 07:56 351232 g:\windows\system32\winhttp.dll
        + 2004-12-25 06:38 . 2008-12-16 12:47 351232 g:\windows\system32\winhttp.dll
        + 2003-12-28 06:51 . 2009-02-06 16:39 227840 g:\windows\system32\wbem\wmiprvse.exe
        + 2003-12-28 06:51 . 2009-02-09 10:20 453120 g:\windows\system32\wbem\wmiprvsd.dll
        + 2003-12-28 06:51 . 2009-02-09 10:20 473088 g:\windows\system32\wbem\fastprox.dll
        + 2006-08-31 00:42 . 2009-02-20 08:30 616448 g:\windows\system32\urlmon.dll
        - 2005-08-31 22:49 . 2008-10-16 10:37 474112 g:\windows\system32\shlwapi.dll
        + 2005-08-31 22:49 . 2009-02-20 08:30 474112 g:\windows\system32\shlwapi.dll
        + 2001-08-23 12:00 . 2009-02-06 17:14 110592 g:\windows\system32\services.exe
        + 2006-01-10 18:15 . 2009-02-09 10:20 399360 g:\windows\system32\rpcss.dll
        + 2004-01-31 22:47 . 2009-05-09 06:29 226320 g:\windows\system32\Restore\rstrlog.dat
        - 2001-08-23 12:00 . 2009-03-22 20:39 433824 g:\windows\system32\perfh009.dat
        + 2001-08-23 12:00 . 2009-05-09 06:21 433824 g:\windows\system32\perfh009.dat
        + 2002-08-29 03:40 . 2009-02-09 10:20 714752 g:\windows\system32\ntdll.dll
        + 2002-08-29 03:41 . 2009-02-20 08:30 532480 g:\windows\system32\mstime.dll
        - 2002-08-29 03:41 . 2008-10-16 10:37 532480 g:\windows\system32\mstime.dll
        - 2002-08-29 03:41 . 2008-10-16 10:37 146432 g:\windows\system32\msrating.dll
        + 2002-08-29 03:41 . 2009-02-20 08:30 146432 g:\windows\system32\msrating.dll
        + 2002-08-29 03:41 . 2009-02-20 08:30 449024 g:\windows\system32\mshtmled.dll
        - 2002-08-29 03:41 . 2008-10-16 10:37 449024 g:\windows\system32\mshtmled.dll
        + 2004-12-25 06:54 . 2008-06-12 14:16 161792 g:\windows\system32\msdtcuiu.dll
        + 2004-12-25 06:54 . 2008-06-12 14:16 956928 g:\windows\system32\msdtctm.dll
        + 2004-12-25 06:54 . 2008-06-12 14:16 428032 g:\windows\system32\msdtcprx.dll
        + 2002-08-29 03:41 . 2009-02-09 10:20 723456 g:\windows\system32\lsasrv.dll
        + 2002-08-29 03:41 . 2009-03-21 14:18 986112 g:\windows\system32\kernel32.dll
        - 2005-02-18 16:43 . 2008-10-16 10:37 251392 g:\windows\system32\iepeers.dll
        + 2005-02-18 16:43 . 2009-02-20 08:30 251392 g:\windows\system32\iepeers.dll
        + 2002-08-29 03:40 . 2009-02-20 08:30 205312 g:\windows\system32\dxtrans.dll
        - 2002-08-29 03:40 . 2008-10-16 10:37 205312 g:\windows\system32\dxtrans.dll
        - 2002-08-29 03:40 . 2008-10-16 10:37 357888 g:\windows\system32\dxtmsft.dll
        + 2002-08-29 03:40 . 2009-02-20 08:30 357888 g:\windows\system32\dxtmsft.dll
        + 2006-03-02 23:47 . 2008-04-21 10:02 215552 g:\windows\system32\dllcache\wordpad.exe
        + 2007-01-04 13:37 . 2009-02-20 08:30 659456 g:\windows\system32\dllcache\wininet.dll
        - 2007-01-04 13:37 . 2008-10-16 10:37 659456 g:\windows\system32\dllcache\wininet.dll
        + 2008-12-16 12:47 . 2008-12-16 12:47 351232 g:\windows\system32\dllcache\winhttp.dll
        + 2007-01-25 12:48 . 2009-02-20 08:30 616448 g:\windows\system32\dllcache\urlmon.dll
        - 2007-01-04 13:37 . 2008-10-16 10:37 474112 g:\windows\system32\dllcache\shlwapi.dll
        + 2007-01-04 13:37 . 2009-02-20 08:30 474112 g:\windows\system32\dllcache\shlwapi.dll
        + 2002-08-29 03:40 . 2009-02-09 10:20 714752 g:\windows\system32\dllcache\ntdll.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 532480 g:\windows\system32\dllcache\mstime.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 532480 g:\windows\system32\dllcache\mstime.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 146432 g:\windows\system32\dllcache\msrating.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 146432 g:\windows\system32\dllcache\msrating.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 449024 g:\windows\system32\dllcache\mshtmled.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 449024 g:\windows\system32\dllcache\mshtmled.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 161792 g:\windows\system32\dllcache\msdtcuiu.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 956928 g:\windows\system32\dllcache\msdtctm.dll
        + 2008-06-12 14:16 . 2008-06-12 14:16 428032 g:\windows\system32\dllcache\msdtcprx.dll
        + 2006-08-17 12:28 . 2009-02-09 10:20 723456 g:\windows\system32\dllcache\lsasrv.dll
        + 2006-07-05 10:55 . 2009-03-21 14:18 986112 g:\windows\system32\dllcache\kernel32.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 251392 g:\windows\system32\dllcache\iepeers.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 251392 g:\windows\system32\dllcache\iepeers.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 205312 g:\windows\system32\dllcache\dxtrans.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 205312 g:\windows\system32\dllcache\dxtrans.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 357888 g:\windows\system32\dllcache\dxtmsft.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 357888 g:\windows\system32\dllcache\dxtmsft.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 151040 g:\windows\system32\dllcache\cdfview.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 151040 g:\windows\system32\dllcache\cdfview.dll
        + 2002-08-29 03:40 . 2009-02-09 10:20 616960 g:\windows\system32\dllcache\advapi32.dll
        - 2002-08-29 03:40 . 2004-08-04 07:56 616960 g:\windows\system32\dllcache\advapi32.dll
        + 2004-12-07 22:43 . 2009-02-20 08:30 151040 g:\windows\system32\cdfview.dll
        - 2004-12-07 22:43 . 2008-10-16 10:37 151040 g:\windows\system32\cdfview.dll
        - 2002-08-29 03:40 . 2004-08-04 07:56 616960 g:\windows\system32\advapi32.dll
        + 2002-08-29 03:40 . 2009-02-09 10:20 616960 g:\windows\system32\advapi32.dll
        + 2006-09-04 06:23 . 2009-03-02 23:52 1495552 g:\windows\system32\shdocvw.dll
        - 2007-02-11 23:00 . 2008-05-07 05:18 1287680 g:\windows\system32\quartz.dll
        + 2007-02-11 23:00 . 2008-12-20 22:43 1287680 g:\windows\system32\quartz.dll
        + 2002-08-29 02:03 . 2009-02-06 17:24 2180480 g:\windows\system32\ntoskrnl.exe
        - 2002-08-29 01:04 . 2008-08-14 09:22 2057728 g:\windows\system32\ntkrnlpa.exe
        + 2002-08-29 01:04 . 2009-02-06 16:49 2057728 g:\windows\system32\ntkrnlpa.exe
        + 2005-11-22 21:49 . 2009-02-20 08:30 3059712 g:\windows\system32\mshtml.dll
        + 2006-09-04 06:08 . 2009-03-02 23:52 1495552 g:\windows\system32\dllcache\shdocvw.dll
        + 2007-12-21 21:51 . 2008-12-20 22:43 1287680 g:\windows\system32\dllcache\quartz.dll
        - 2007-12-21 21:51 . 2008-05-07 05:18 1287680 g:\windows\system32\dllcache\quartz.dll
        + 2006-12-19 14:17 . 2009-02-06 17:24 2180480 g:\windows\system32\dllcache\ntoskrnl.exe
        + 2006-12-19 12:55 . 2009-02-06 16:49 2015744 g:\windows\system32\dllcache\ntkrpamp.exe
        - 2006-12-19 12:55 . 2008-08-14 09:22 2015744 g:\windows\system32\dllcache\ntkrpamp.exe
        + 2006-12-19 12:55 . 2009-02-06 16:49 2057728 g:\windows\system32\dllcache\ntkrnlpa.exe
        - 2006-12-19 12:55 . 2008-08-14 09:22 2057728 g:\windows\system32\dllcache\ntkrnlpa.exe
        + 2006-12-19 14:15 . 2009-02-06 17:22 2136064 g:\windows\system32\dllcache\ntkrnlmp.exe
        - 2006-12-19 14:15 . 2008-08-14 09:58 2136064 g:\windows\system32\dllcache\ntkrnlmp.exe
        + 2007-01-04 13:36 . 2009-02-20 08:30 3059712 g:\windows\system32\dllcache\mshtml.dll
        + 2002-08-29 03:40 . 2009-02-20 08:30 1054208 g:\windows\system32\dllcache\danim.dll
        - 2002-08-29 03:40 . 2008-10-16 10:37 1054208 g:\windows\system32\dllcache\danim.dll
        + 2007-01-04 13:36 . 2009-02-20 08:30 1023488 g:\windows\system32\dllcache\browseui.dll
        - 2007-01-04 13:36 . 2008-10-16 10:37 1023488 g:\windows\system32\dllcache\browseui.dll
        + 2002-08-29 03:40 . 2009-02-20 08:30 1054208 g:\windows\system32\danim.dll
        - 2002-08-29 03:40 . 2008-10-16 10:37 1054208 g:\windows\system32\danim.dll
        + 2006-09-04 06:23 . 2009-02-20 08:30 1023488 g:\windows\system32\browseui.dll
        - 2006-09-04 06:23 . 2008-10-16 10:37 1023488 g:\windows\system32\browseui.dll
        + 2005-03-02 00:59 . 2009-02-06 17:24 2180480 g:\windows\Driver Cache\i386\ntoskrnl.exe
        - 2005-03-02 00:34 . 2008-08-14 09:22 2015744 g:\windows\Driver Cache\i386\ntkrpamp.exe
        + 2005-03-02 00:34 . 2009-02-06 16:49 2015744 g:\windows\Driver Cache\i386\ntkrpamp.exe
        - 2005-03-02 00:34 . 2008-08-14 09:22 2057728 g:\windows\Driver Cache\i386\ntkrnlpa.exe
        + 2005-03-02 00:34 . 2009-02-06 16:49 2057728 g:\windows\Driver Cache\i386\ntkrnlpa.exe
        - 2005-03-02 00:57 . 2008-08-14 09:58 2136064 g:\windows\Driver Cache\i386\ntkrnlmp.exe
        + 2005-03-02 00:57 . 2009-02-06 17:22 2136064 g:\windows\Driver Cache\i386\ntkrnlmp.exe
        + 2005-05-13 14:43 . 2009-05-07 07:16 24699336 g:\windows\system32\MRT.exe
        .
        -- Snapshot reset to current date --
        .
        ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "ctfmon.exe"="g:\windows\system32\ctfmon.exe" [2004-08-04 15360]
        "NBJ"="g:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-02-10 1937408]
        "EPSON PictureMate PM 240"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE" [2006-10-17 143360]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "NeroFilterCheck"="g:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
        "Google Desktop Search"="g:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-30 29744]
        "PSDrvCheck"="g:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
        "ATICCC"="g:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
        "Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
        "SunJavaUpdateSched"="g:\program files\Java\jre6\bin\jusched.exe" [2009-02-27 148888]
        "Malwarebytes' Anti-Malware"="g:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
        "TkBellExe"="g:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-16 198160]
        "Google Quick Search Box"="g:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-09 68592]

        g:\documents and settings\All Users\Start Menu\Programs\Startup\
        Event Planner Reminder 2009.lnk - g:\windows\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-2-13 237568]

        [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
        "NoSetActiveDesktop"= 1 (0x1)
        "NoActiveDesktopChanges"= 1 (0x1)

        HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
        "aux"= ctwdm32.dll

        [HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
        backup=g:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

        [HKLM\~\startupfolder\G:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
        backup=g:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

        [HKLM\~\startupfolder\G:^Documents and Settings^Randy^Start Menu^Programs^Startup^Poppy for Windows.lnk]
        backup=g:\windows\pss\Poppy for Windows.lnkStartup

        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
        "C-DillaCdaC11BA"=2 (0x2)

        [HKEY_LOCAL_MACHINE\software\microsoft\security center]
        "AntiVirusOverride"=dword:00000001
        "FirewallOverride"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "g:\\Utilities\\InterVideo\\DVD7\\WinDVD.exe"=
        "g:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
        "g:\\Program Files\\MSN Messenger\\livecall.exe"=
        "g:\\Utilities\\iTunes\\iTunes.exe"=
        "g:\\Utilities\\uTorrent\\uTorrent.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "5757:TCP"= 5757:TCP:Superforge4
        "5757:UDP"= 5757:UDP:Superforge4

        R1 kid_sys;Kensington Input Devices Class filter driver;g:\windows\system32\drivers\KID_SYS.sys [11/21/2004 1:41 AM 11920]
        R2 DLPortIO;DLPORTIO;g:\windows\DLPORTIO.sys [01/12/2008 11:43 AM 3584]
        R2 mbamservice;mbamservice;g:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe [04/22/2008 7:53 PM 179856]
        R3 Dvd43;Dvd43;g:\windows\system32\drivers\Dvd43.sys [10/30/2007 9:30 PM 26048]
        R3 EPPSCSIx;EPPSCSI Driver;g:\windows\system32\drivers\eppscan.sys [01/31/2004 11:57 PM 105124]
        R3 mbamprotector;mbamprotector;g:\windows\system32\drivers\mbam.sys [05/10/2008 1:56 AM 15504]
        R3 SMC1211;SMC EZ Card 10/100 PCI (SMC1211 Series) NT 5.0 Driver;g:\windows\system32\drivers\SMC1211.sys [07/11/2001 11:06 AM 23153]
        S0 xmasbus;xmasbus;g:\windows\system32\DRIVERS\xmasbus.sys --> g:\windows\system32\DRIVERS\xmasbus.sys [?]
        S0 xmasscsi;xmasscsi;g:\windows\system32\Drivers\xmasscsi.sys --> g:\windows\system32\Drivers\xmasscsi.sys [?]
        S1 1e735214;1e735214;g:\windows\system32\drivers\1e735214.sys [04/17/2009 3:29 PM 0]
        S1 9c0c92a3;9c0c92a3;g:\windows\system32\drivers\9c0c92a3.sys [04/03/2009 11:30 AM 0]
        S1 oxmf;OXPCI Bus enumerator;g:\windows\system32\drivers\oxmf.sys [03/04/2007 1:53 PM 15872]
        S1 oxser;OX16C95x Serial port driver;g:\windows\system32\drivers\oxser.sys [03/04/2007 1:53 PM 50048]
        S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;g:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe --> g:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [?]
        S2 SOFTLOK;SOFTLOK; [x]
        S3 DtvAudio;DtvAudio;g:\windows\system32\drivers\DtvAudio.sys [09/27/2005 9:02 PM 9216]
        S3 DtvVideo;DtvVideo;g:\windows\system32\drivers\DtvVideo.sys [09/27/2005 9:02 PM 23680]
        S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;g:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/06/2007 2:04 AM 29744]
        S3 ntxpgp;Gravis Xperience GamePort device driver;g:\windows\system32\drivers\ntxpgp.sys [11/21/2004 1:41 AM 240188]
        S3 Oxmfuf;Filter driver for OX16PCI954 ports;g:\windows\system32\drivers\oxmfuf.sys [03/04/2007 1:53 PM 4992]
        S3 VPNET;DTVNet Ethernet Controller;g:\windows\system32\drivers\DTVNet.sys [09/27/2005 9:01 PM 18192]
        .
        Contents of the 'Scheduled Tasks' folder

        2009-05-14 g:\windows\Tasks\AppleSoftwareUpdate.job
        - g:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

        2009-05-12 g:\windows\Tasks\Malwarebytes' Scheduled Scan for Randy.job
        - g:\utilities\Malwarebytes' Anti-Malware\mbam.exe [2008-04-22 19:32]

        2009-05-12 g:\windows\Tasks\Malwarebytes' Scheduled Update for Randy.job
        - g:\utilities\Malwarebytes' Anti-Malware\mbam.exe [2008-04-22 19:32]
        .
        .
        Supplementary Scan
        .
        uStart Page = hxxp://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
        uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
        mStart Page = hxxp://www.nforce.nl
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        IE: &eBay Search
        IE: E&xport to Microsoft Excel - g:\utilit~1\MICROS~1\Office10\EXCEL.EXE/3000
        Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - g:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        DPF: DirectAnimation Java Classes - file://g:\windows\Java\classes\dajava.cab
        DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
        DPF: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
        DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
        DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
        FF - ProfilePath - g:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\default.kps\
        FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
        FF - prefs.js: browser.search.selectedEngine - Google
        FF - prefs.js: browser.startup.homepage - hxxp://netforbeginners.about.com/gi/dynamic/offsite.htm?zi=1/XJ&sdn=netforbeginners&zu=http%3A%2F%2Fwww.torrentscan.com%2F
        FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
        FF - component: g:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
        FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
        FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll
        FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
        FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
        FF - plugin: g:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
        FF - plugin: g:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
        FF - plugin: g:\utilities\DivX\DivX Content Uploader\npUpload.dll
        FF - plugin: g:\utilities\iTunes\Mozilla Plugins\npitunes.dll
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2009-05-14 21:03
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ...

        scanning hidden autostart entries ...

        scanning hidden files ...

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        LOCKED REGISTRY KEYS

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D77D8070-1B9B-3032-1EDE-A5E747C4FDE6}*]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)
        "abalkdoalmceibnldgbhcmjlhgafaoaied"=hex:65,62,61,6c,6e,66,68,69,65,70,68,62,
        68,6c,6d,6f,6d,66,6c,66,64,6f,6c,6f,63,62,6f,6e,62,66,63,6d,65,63,63,65,6e,\
        "bbalkdoalmceibnldgogdmoiopfhbfhfjkgh"=hex:61,62,6a,6d,65,64,65,6d,68,64,69,6d,
        68,69,63,68,6d,64,62,64,68,67,6b,6e,62,6f,65,68,69,65,69,6e,69,70,00,65

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|9*8*5*3**àý8«T€Èÿ*¨
        £‚ÿÿÿÿ¨šƒ|ào|\Main Window]
        "WP"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
        ff,ff,ff,ff,ff,84,00,00,00,ae,00,00,00,01,03,00,00,05,03,00,00

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýì*þá|*ðý8«T€Èÿ* Mþÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýì*þá|*ðý8«T€Èÿ* Mþÿÿÿÿ¨šƒ|ào|\Main Window]
        "WP"=hex:2c,00,00,00,02,00,00,00,03,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
        ff,ff,ff,ff,ff,16,00,00,00,1d,00,00,00,93,02,00,00,74,02,00,00

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýù*þá|*Àý8«T€Èÿ* @¢‚ÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýþá|*@ý8«T€Èÿ*Èð%ƒÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_USERS\S-1-5-21-2000478354-1563985344-839522115-1003\Software\ðÿ*×o|`Ýþá|*ðý8«T€Èÿ*ˆ*ÿÿÿÿÿ¨šƒ|ào|]
        @Allowed: (Read) (RestrictedCode)
        @Allowed: (Read) (RestrictedCode)

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f6,2d,a8,b6,8e,
        32,15,f4,e2,63,26,f1,3f,c8,ff,68,7b,da,f4,a4,3c,73,94,d6,e2,63,26,f1,3f,c8,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,3a,62,23,c8,d9,
        f0,a0,fa,6a,9c,d6,61,af,45,84,18,5e,a4,58,fb,db,f7,b4,4e,6a,9c,d6,61,af,45,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,78,51,20,29,9a,
        d8,7f,cd,ff,7c,85,e0,43,d4,0e,fe,c3,b7,26,ab,80,be,33,5c,ff,7c,85,e0,43,d4,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,86,80,38,ab,a5,
        2c,35,50,86,8c,21,01,be,91,eb,e7,c5,28,16,d6,b5,44,2d,a8,86,8c,21,01,be,91,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,28,0a,24,a0,37,
        98,6a,b2,f5,1d,4d,73,a8,13,5c,05,ab,a0,f2,40,af,7f,89,33,f5,1d,4d,73,a8,13,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,84,72,10,3b,16,
        d6,c4,3a,df,20,58,62,78,6b,cf,c8,fe,03,b1,c6,2b,3a,71,3f,df,20,58,62,78,6b,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,bd,ae,48,85,20,
        cc,d3,8c,fb,a7,78,e6,12,2f,9a,ea,c7,2d,fc,ce,f1,4f,70,bc,fb,a7,78,e6,12,2f,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,68,e6,fb,d0,10,
        24,40,19,01,3a,48,fc,e8,04,4a,f1,e8,57,1b,d6,25,26,e3,96,01,3a,48,fc,e8,04,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c1,42,61,fc,74,
        46,75,c2,f6,0f,4e,58,98,5b,89,c9,21,51,c0,82,af,d1,55,c6,f6,0f,4e,58,98,5b,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,90,2e,e2,c7,15,
        df,53,d4,3d,ce,ea,26,2d,45,aa,78,bd,c1,59,07,b0,9d,0b,be,3d,ce,ea,26,2d,45,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,d8,bb,52,7c,63,
        53,66,ab,2a,b7,cc,b5,b9,7f,41,e7,f2,c4,c4,d8,b3,e3,62,13,2a,b7,cc,b5,b9,7f,\

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
        "ThreadingModel"="Apartment"
        @="g:\\WINDOWS\\System32\\OLE32.DLL"
        "8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,61,d1,38,27,2d,
        94,55,69,6c,43,2d,1e,aa,22,2f,9c,f2,f2,b1,5b,43,64,7f,56,6c,43,2d,1e,aa,22,\
        .
        DLLs Loaded Under Running Processes

        - - - - - - - > 'winlogon.exe'(676)
        g:\windows\system32\Ati2evxx.dll

        - - - - - - - > 'explorer.exe'(2256)
        g:\windows\system32\WPDShServiceObj.dll
        g:\windows\system32\PortableDeviceTypes.dll
        g:\windows\system32\PortableDeviceApi.dll
        .
        Completion time: 2009-05-15 21:07
        ComboFix-quarantined-files.txt 2009-05-15 01:07
        ComboFix2.txt 2009-05-08 01:24
        ComboFix3.txt 2008-04-20 21:46
        ComboFix4.txt 2008-03-26 00:43

        Pre-Run: 4,135,890,944 bytes free
        Post-Run: 4,116,956,160 bytes free

        Current=2 Default=2 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
        462 --- E O F --- 2009-05-14 10:03
        Logfile of HijackThis v1.99.1
        Scan saved at 9:11:19 PM, on 05/14/2009
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        G:\WINDOWS\System32\smss.exe
        G:\WINDOWS\system32\winlogon.exe
        G:\WINDOWS\system32\services.exe
        G:\WINDOWS\system32\lsass.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\system32\svchost.exe
        G:\WINDOWS\System32\svchost.exe
        G:\WINDOWS\system32\svchost.exe
        G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\system32\spoolsv.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\Java\jre6\bin\jusched.exe
        G:\Program Files\Common Files\Real\Update_OB\realsched.exe
        G:\WINDOWS\system32\ctfmon.exe
        G:\utilities\A-squared Free\a2service.exe
        G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        G:\WINDOWS\system32\devldr32.exe
        G:\WINDOWS\System32\GEARSec.exe
        G:\Program Files\Java\jre6\bin\jqs.exe
        G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        G:\WINDOWS\System32\HPZipm12.exe
        G:\WINDOWS\System32\svchost.exe
        G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\WINDOWS\explorer.exe
        G:\Program Files\Internet Explorer\iexplore.exe
        G:\Utilities\Hijackthis\Nutty110.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfohump.com/index.php?switchto=nfos&menu=sections&sectionid=9
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nforce.nl
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
        O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
        O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
        O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
        O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [Google Quick Search Box] "G:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
        O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
        O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
        O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
        O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
        O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
        O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
        O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
        O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
        O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
        O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
        O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
        O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
        O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
        O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
        O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - G:\utilities\A-squared Free\a2service.exe
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - G:\utilities\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
        O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
        O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
        O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
        O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      • TroganTrogan London, UK
        edited May 2009
        Hi,

        I'd like some files scanned please.

        • Using Internet Explorer, go to VirusTotal
        • Copy and paste the following file path into the Search Box in the middle of the page:
          • g:\windows\system32\drivers\xjlxs.sys
        • Now click on the Send File button
          • NOTE:
          • If you come to the "File has already been analysed:" page, select "Reanalyse file now" to get a fresh scan.
        • Save a copy of the Anti-Virus results only. Post the results in your next reply.
        Please do the same for the following file:

        G:\windows\system32\drivers\1e735214.sys
      • edited May 2009
        File xjlxs.sys received on 05.17.2009 22:52:15 (CET)
        Result: 9/40 (22.5%)

        Antivirus Version Last Update Result
        a-squared 4.0.0.101 2009.05.17 -
        AhnLab-V3 5.0.0.2 2009.05.16 Win-Trojan/Avenger.61440
        AntiVir 7.9.0.168 2009.05.17 -
        Antiy-AVL 2.0.3.1 2009.05.15 -
        Authentium 5.1.2.4 2009.05.17 -
        Avast 4.8.1335.0 2009.05.17 -
        AVG 8.5.0.336 2009.05.17 -
        BitDefender 7.2 2009.05.17 -
        CAT-QuickHeal 10.00 2009.05.15 -
        ClamAV 0.94.1 2009.05.16 -
        Comodo 1157 2009.05.08 -
        DrWeb 5.0.0.12182 2009.05.17 -
        eSafe 7.0.17.0 2009.05.17 Win32.Banker
        eTrust-Vet 31.6.6508 2009.05.16 -
        F-Prot 4.4.4.56 2009.05.17 -
        F-Secure 8.0.14470.0 2009.05.16 -
        Fortinet 3.117.0.0 2009.05.17 PossibleThreat
        GData 19 2009.05.17 -
        Ikarus T3.1.1.49.0 2009.05.17 -
        K7AntiVirus 7.10.737 2009.05.16 Trojan.Win32.Malware.1
        Kaspersky 7.0.0.125 2009.05.17 -
        McAfee 5618 2009.05.17 -
        McAfee+Artemis 5618 2009.05.17 -
        McAfee-GW-Edition 6.7.6 2009.05.17 -
        Microsoft 1.4602 2009.05.17 -
        NOD32 4081 2009.05.17 -
        Norman 6.01.05 2009.05.16 W32/Agent.HHSF
        nProtect 2009.1.8.0 2009.05.17 -
        Panda 10.0.0.14 2009.05.17 Rootkit/Agent.LNB
        PCTools 4.4.2.0 2009.05.17 Trojan-PWS.Bancos.PWN
        Prevx 3.0 2009.05.17 -
        Rising 21.29.62.00 2009.05.17 -
        Sophos 4.41.0 2009.05.17 -
        Sunbelt 3.2.1858.2 2009.05.17 Trojan-PWS.Bancos.PWN
        Symantec 1.4.4.12 2009.05.17 -
        TheHacker 6.3.4.1.326 2009.05.17 -
        TrendMicro 8.950.0.1092 2009.05.15 -
        VBA32 3.12.10.5 2009.05.17 -
        ViRobot 2009.5.15.1737 2009.05.15 Hoax..Agent.61440
        VirusBuster 4.6.5.0 2009.05.17 -


        The G:\windows\system32\drivers\1e735214.sys file is 0 bytes in length, so VirusTotal will not scan it.
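The result table above is the kind of thing a helper reads by eye: which engines flagged the file, what the 9/40 ratio means, and whether a clean verdict came from an engine with current signatures. The script below is an added example for this thread, not code from VirusTotal, HijackThis or anyone posting here. It parses the table exactly as pasted (one "Engine Version LastUpdate Result" line per engine, "-" for no detection), recomputes the ratio, and lists engines whose signatures were stale at scan time; the two-day staleness threshold and the scan date taken from the pasted header are my assumptions.

```python
"""Summarize a pasted VirusTotal result table.

Added example for this thread; not code from VirusTotal or any tool named
here. Input is the plain-text table as copied from the VirusTotal page:
one engine per line, "Engine Version LastUpdate Result", "-" = no detection.
"""
from datetime import date, datetime
from typing import List, NamedTuple

# Sample input: the 40 xjlxs.sys result rows posted in the thread, header included.
VT_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.17 -
AhnLab-V3 5.0.0.2 2009.05.16 Win-Trojan/Avenger.61440
AntiVir 7.9.0.168 2009.05.17 -
Antiy-AVL 2.0.3.1 2009.05.15 -
Authentium 5.1.2.4 2009.05.17 -
Avast 4.8.1335.0 2009.05.17 -
AVG 8.5.0.336 2009.05.17 -
BitDefender 7.2 2009.05.17 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.16 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.17 -
eSafe 7.0.17.0 2009.05.17 Win32.Banker
eTrust-Vet 31.6.6508 2009.05.16 -
F-Prot 4.4.4.56 2009.05.17 -
F-Secure 8.0.14470.0 2009.05.16 -
Fortinet 3.117.0.0 2009.05.17 PossibleThreat
GData 19 2009.05.17 -
Ikarus T3.1.1.49.0 2009.05.17 -
K7AntiVirus 7.10.737 2009.05.16 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.05.17 -
McAfee 5618 2009.05.17 -
McAfee+Artemis 5618 2009.05.17 -
McAfee-GW-Edition 6.7.6 2009.05.17 -
Microsoft 1.4602 2009.05.17 -
NOD32 4081 2009.05.17 -
Norman 6.01.05 2009.05.16 W32/Agent.HHSF
nProtect 2009.1.8.0 2009.05.17 -
Panda 10.0.0.14 2009.05.17 Rootkit/Agent.LNB
PCTools 4.4.2.0 2009.05.17 Trojan-PWS.Bancos.PWN
Prevx 3.0 2009.05.17 -
Rising 21.29.62.00 2009.05.17 -
Sophos 4.41.0 2009.05.17 -
Sunbelt 3.2.1858.2 2009.05.17 Trojan-PWS.Bancos.PWN
Symantec 1.4.4.12 2009.05.17 -
TheHacker 6.3.4.1.326 2009.05.17 -
TrendMicro 8.950.0.1092 2009.05.15 -
VBA32 3.12.10.5 2009.05.17 -
ViRobot 2009.5.15.1737 2009.05.15 Hoax..Agent.61440
VirusBuster 4.6.5.0 2009.05.17 -
"""

SCAN_DATE = date(2009, 5, 17)  # assumed from "received on 05.17.2009" in the pasted header


class EngineResult(NamedTuple):
    engine: str
    version: str
    updated: date
    verdict: str  # empty string when the engine reported "-"


def parse_vt_table(text: str) -> List[EngineResult]:
    """Parse the table; the header and any line without a date are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            updated = datetime.strptime(parts[2], "%Y.%m.%d").date()
        except ValueError:
            continue  # "Antivirus Version Last Update Result" lands here
        verdict = " ".join(parts[3:])
        rows.append(EngineResult(parts[0], parts[1], updated,
                                 "" if verdict == "-" else verdict))
    return rows


def summarize(rows):
    """Detection count, engine total, percentage and per-engine verdicts."""
    verdicts = {r.engine: r.verdict for r in rows if r.verdict}
    total = len(rows)
    percent = round(100.0 * len(verdicts) / total, 1) if total else 0.0
    return {"hits": len(verdicts), "total": total, "percent": percent, "verdicts": verdicts}


def stale_engines(rows, scan_date, max_age_days=2):
    """Engines whose signatures were older than max_age_days at scan time.

    A "-" from such an engine says less than a "-" from one updated the same day.
    """
    return [r.engine for r in rows if (scan_date - r.updated).days > max_age_days]
```

Run `summarize(parse_vt_table(VT_TABLE))` to get the 9/40 (22.5%) figure from the post; `stale_engines` singles out Comodo, whose signatures were nine days old when the file was scanned.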
      • Trogan London, UK
        edited May 2009
        Hi

        1. Run HijackThis and click on Open the Misc Tools section.
        Click on delete a file on reboot...
        Copy and paste the following into the "File name:" text box and then click Open:

        g:\windows\system32\drivers\xjlxs.sys

        When you are asked "Do you want to restart your computer now?", click NO.
        Repeat these steps for the following file(s) and this time, when you reach the end, click OK:

        G:\windows\system32\drivers\1e735214.sys

        Your PC MUST reboot to delete the files!

        2. Please run a new scan with ESET Online Scanner and post the log back here.
      • edited May 2009
        Eset Online Scanner log file.

        G:\QooBox\Quarantine\G\Documents and Settings\NetworkService\protect.dll.vir Win32/Rootkit.Agent.NIZ trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\system32\ovfsthdvyqwicecjkpbaabhwtlxtqhmspmhwwo.dll.vir Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\system32\ovfsthmjwgkrcynpetoiqtoltrsxnoejkcrjxb.dll.vir Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\system32\ovfsthokecwskfasoetgpctnxyxvtcyrulutib.dll.vir Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\system32\RXaIlnmp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\system32\RXaIlnmp.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\1170727902.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\1476792616.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\1599041922.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\1721134978.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\1930190120.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\196269352.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2100444548.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2127181117.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2296407416.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2757472130.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2879565186.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\2925051755.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\300175602.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\318518658.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\3210713384.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\328294.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\3356905312.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\3661923388.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\3667392138.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\3819110888.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\4037995394.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\4160088450.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\440611714.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\649666856.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\QooBox\Quarantine\G\WINDOWS\TEMP\732584826.exe.vir a variant of Win32/Kryptik.PA trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP376\A0132392.dll Win32/Rootkit.Agent.NIZ trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP376\A0132393.dll Win32/Rootkit.Agent.NIZ trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP377\A0132397.dll Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP377\A0132398.dll Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP377\A0132399.dll Win32/Olmarik.GR trojan cleaned by deleting - quarantined
        G:\System Volume Information\_restore{C3A0D580-10C5-40FC-933A-4AA07734DCA8}\RP377\A0132427.dll Win32/Rootkit.Agent.NIZ trojan cleaned by deleting - quarantined
      • Trogan London, UK
        edited May 2009
        Hi,

        Please post a new HijackThis log, and let me know how the computer is running.
      • edited May 2009
        Hi Trogan.....
        Well, I updated to IE 8 a few weeks ago. It seems to be running a little more stable, and Google now redirects properly. Please check my latest HijackThis log.
        Many thanks for all the hard work that you and your team do at this site; it has surely helped me more than once. Let me know if everything is clean.



        Logfile of HijackThis v1.99.1
        Scan saved at 6:02:34 PM, on 06/25/2009
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v8.00 (8.00.6001.18702)

        Running processes:
        G:\WINDOWS\System32\smss.exe
        G:\WINDOWS\system32\winlogon.exe
        G:\WINDOWS\system32\services.exe
        G:\WINDOWS\system32\lsass.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\system32\svchost.exe
        G:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
        G:\WINDOWS\system32\svchost.exe
        G:\WINDOWS\system32\svchost.exe
        G:\WINDOWS\system32\spoolsv.exe
        G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        G:\WINDOWS\System32\GEARSec.exe
        G:\Program Files\Java\jre6\bin\jqs.exe
        G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        G:\WINDOWS\system32\Ati2evxx.exe
        G:\WINDOWS\Explorer.EXE
        G:\WINDOWS\System32\HPZipm12.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\Java\jre6\bin\jusched.exe
        G:\Program Files\Common Files\Real\Update_OB\realsched.exe
        G:\Program Files\COMODO\COMODO Internet Security\cfp.exe
        G:\WINDOWS\system32\ctfmon.exe
        G:\WINDOWS\System32\svchost.exe
        C:\Hallmark Card Studio 2009\Planner\PLNRnote.exe
        G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
        G:\WINDOWS\system32\devldr32.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
        G:\Program Files\Windows Live\Mail\wlmail.exe
        G:\Program Files\Internet Explorer\IEXPLORE.EXE
        G:\Program Files\Internet Explorer\IEXPLORE.EXE
        G:\Utilities\Hijackthis\Nutty110.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.ca/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
        O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
        O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
        O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
        O4 - HKLM\..\Run: [PSDrvCheck] G:\WINDOWS\system32\PSDrvCheck.exe
        O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "G:\utilities\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
        O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [Google Quick Search Box] "G:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
        O4 - HKLM\..\Run: [COMODO Internet Security] "G:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
        O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [NBJ] "G:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
        O4 - HKCU\..\Run: [EPSON PictureMate PM 240] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBCA.EXE /FU "G:\WINDOWS\TEMP\E_S1EB.tmp" /EF "HKCU"
        O4 - Global Startup: Event Planner Reminder 2009.lnk = ?
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\UTILIT~1\MICROS~1\Office10\EXCEL.EXE/3000
        O11 - Options group: [INTERNATIONAL] International
        O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
        O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
        O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
        O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
        O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
        O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136916728625
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160562902890
        O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
        O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
        O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
        O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
        O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
        O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com//games/v47/h2hpool/h2hpool.cab
        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - G:\Program Files\Windows Live\Mail\mailcomm.dll
        O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - G:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
        O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
        O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - G:\WINDOWS\system32\WPDShServiceObj.dll
        O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - G:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
        O23 - Service: GEARSecurity - GEAR Software - G:\WINDOWS\System32\GEARSec.exe
        O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
        O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: iPod Service - Apple Inc. - G:\Utilities\iPod\bin\iPodService.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
        O23 - Service: mbamservice - Malwarebytes Corporation - G:\utilities\Malwarebytes' Anti-Malware\mbamservice.exe
        O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
        O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\System32\HPZipm12.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - G:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
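Reading a HijackThis log like the one above is mostly a matter of spotting entries that point at files which no longer exist, services with no recorded owner, and downloaded ActiveX controls. The script below is an added example for this thread, not HijackThis's own code, and it only flags such entries for a human to look at; it does not decide whether anything is malicious. Its sample input is a handful of lines copied from the log above, and the three checks it performs are my choice of what a first pass usually covers.

```python
"""Triage a HijackThis log for orphaned and unverifiable entries.

Added example for this thread; not HijackThis's own code. Flags entries
whose file is gone, O23 services with "Unknown owner", and O16 DPF
(ActiveX download) entries fetched over plain HTTP.
"""
import re
from typing import List, NamedTuple

# Sample input: lines copied from the HijackThis log posted above.
HJT_LOG = r"""
O2 - BHO: (no name) - {02478d38-c3f9-4efb-9b51-7695eca05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - G:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O16 - DPF: {7530bfb8-7293-4d34-9923-61a11451afc5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - G:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - G:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - G:\Program Files\Java\jre6\bin\jqs.exe" -service -config "G:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - G:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
"""

# Every HijackThis entry starts with a section tag such as R0, O2, O16, O23.
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


class Entry(NamedTuple):
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Split the log into (section, body) entries; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def orphaned(entries):
    """Entries that reference a file HijackThis could not find on disk."""
    return [e for e in entries
            if e.body.endswith("(no file)") or e.body.endswith("(file missing)")]


def unknown_owner_services(entries):
    """Display names of O23 services whose executable carried no company name."""
    names = []
    for e in entries:
        if e.section != "O23":
            continue
        parts = e.body.split(" - ", 2)  # "Service: <name>", <owner>, <path>
        if len(parts) == 3 and parts[1] == "Unknown owner" and parts[0].startswith("Service: "):
            names.append(parts[0][len("Service: "):])
    return names


def dpf_over_http(entries):
    """O16 DPF entries whose control was downloaded over unencrypted HTTP."""
    return [e.body for e in entries if e.section == "O16" and " - http://" in e.body]


def triage(text: str):
    """One-call summary of the three checks."""
    entries = parse_hjt(text)
    return {
        "entries": len(entries),
        "orphaned": [f"{e.section} - {e.body}" for e in orphaned(entries)],
        "unknown_owner": unknown_owner_services(entries),
        "dpf_http": dpf_over_http(entries),
    }
```

On the sample lines `triage(HJT_LOG)` reports the orphaned `O2` BHO and the two `(file missing)` services, four services with "Unknown owner", and the ESET scanner control as the one DPF entry fetched over HTTP. Orphaned entries are harmless leftovers to clean up; an unknown owner just means the signature or version resource is absent, which is why a reviewer still checks the path.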
      • Trogan London, UK
        edited May 2009
        Hi,

        Everything looks good now.

        We need to uninstall ComboFix.

        Click Start > Run > type 'combofix /u' > press OK. This will uninstall Combofix.

        You should also delete GooredFix.

        Let me know if I can help with anything else, or if we can mark this resolved.
      • edited May 2009
        Thanks, mark it resolved.