January 14th, 2008, 08:58 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
Help - PC Runs @ 100% Then Shuts Off

This is what I see running in my task manager
around the time it shuts off....
"Winlogon.exe 100%"
Sometimes it does not shut down, sometimes I have to just wait until it slows down & then I can resume what I was doing!
It does this every couple of minutes....I say 20-30! It's very annoying....
I'm a music producer, so if I'm playing music & Winlogon.exe starts tripping, it gets on my nerves....
Sometimes it does it when I play videos on Windows Media Player....
Ohhh, also when I play some videos....Windows Media Player runs @ 100%....This can also slow or shut my PC down....
I only have 15 processes running & my PC runs fine until those 2 problems occur....Other than that my PC runs @ 2-4, smooth!
Can somebody please help me with this?

See If This Helps?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:11 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cocmast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - (no file)
O2 - BHO: (no name) - {4b7fe731-2d1d-4d0b-a446-26d0d3810b0f} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {70E3B535-E876-465E-A436-E09B9F9571E4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7} - (no file)
O2 - BHO: (no name) - {911C4A8E-0F75-4B83-BEB9-02BDDF29D11E} - (no file)
O2 - BHO: (no name) - {9A192026-7E84-4B5B-9F23-C3E96492C5F7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D322410B-9981-D52A-95AB-87D3EDC52FF5} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ray\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O20 - Winlogon Notify: eveneck - eveneck.dll (file missing)
O20 - Winlogon Notify: opnlkhh - opnlkhh.dll (file missing)
O20 - Winlogon Notify: ualapm3 - C:\WINDOWS\
O20 - Winlogon Notify: winoyy32 - C:\WINDOWS\SYSTEM32\winoyy32.dll
O22 - SharedTaskScheduler: {93ac7c30-3878-4eaa-9420-7977285df5b1} - cinnamomum - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security
January 16th, 2008, 04:45 AM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
An awkward welcome to CTH, RaphaelRJ2, as you chose to start new requests impatiently, and it only causes a bunch of extra work for us here. And delays others getting the help they are waiting for.


Infection is showing here. For now let's take one additional different look at things and then start repairs.

Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.
January 16th, 2008, 05:20 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\McAgent.exe" ["McAfee, Inc"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"
-> {HKLM...CLSID} = "Octh Class"
\InProcServer32\(Default) = "C:\Program Files\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]
{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = "IDM Helper"
-> {HKLM...CLSID} = "IDMIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Internet Download Manager\IDMIECC.dll" ["Tonec Inc."]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> {HKLM...CLSID} = "eLicense Control"
\InProcServer32\(Default) = "C:\WINDOWS\lcmmfu.cpl" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{A965C8E0-54A7-11D6-BF08-00079500BB23}" = "ZipZag Shell extension"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> eveneck\DLLName = "eveneck.dll" [file not found]
<<!>> opnlkhh\DLLName = "opnlkhh.dll" [file not found]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZipZag\(Default) = "{A965C8E0-54A7-11D6-BF08-00079500BB23}"
-> {HKLM...CLSID} = "ZipZag Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\ZipZag\zipzagcm.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 37
%SystemRoot%\system32\rsvpsp.dll [MS], 38 - 39


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{0E17D5B7-9F5D-4FEE-9DF6-CA6EE38B68A8}\
"ButtonText" = "ieSpell"
"MenuText" = "ieSpell"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM" ["Red Egg Software"]

{1606D6F9-9D3B-4AEA-A025-ED5B2FD488E7}\
"MenuText" = "ieSpell Options"
"Script" = "res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM" ["Red Egg Software"]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\Ray\Start Menu\Programs\IMVU\Run IMVU.lnk" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll" ["Yahoo! Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]


---------- (launch time: 2008-01-15 22:16:36)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 77 seconds, including 10 seconds for message boxes)
January 16th, 2008, 05:31 AM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as a new HijackThis log please.
January 16th, 2008, 06:37 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
ComboFix

ComboFix 08-01-16.4 - Ray 2008-01-15 23:09:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -6:00]
Running from: C:\Documents and Settings\Ray\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ray\Application Data\inst.exe
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\#SharedObjects\2FNA87XS\www.broadcaster.com
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{A403F~1
C:\Program Files\Common Files\{A403F~2
C:\Program Files\Common Files\{A403F~3
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\Cache\02FB33F7
C:\Program Files\MyWebSearch\bar\Cache\02FB3B8D
C:\Program Files\MyWebSearch\bar\Cache\02FB3D46.bin
C:\Program Files\MyWebSearch\bar\Cache\02FB3F13.bin
C:\Program Files\MyWebSearch\bar\Cache\02FB427A.bin
C:\Program Files\MyWebSearch\bar\Cache\0354B8FA.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BB8F.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BD3E.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BE9D.bin
C:\Program Files\MyWebSearch\bar\Cache\0354C196.bin
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\printview
C:\Program Files\printview\hotlist.dat
C:\Program Files\winpop
C:\Program Files\winupdates
C:\temp\tn3
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\dna403f641.dat
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem~1\s?stem\
C:\WINDOWS\system32\wcpsvtr.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 23:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 05:11 . 2008-01-14 05:11 <DIR> d-------- C:\Program Files\GTA2 DEMO
2008-01-14 04:15 . 2008-01-14 04:43 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\GetRightToGo
2008-01-14 00:59 . 2008-01-14 00:59 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-01-14 00:59 . 2008-01-14 00:59 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-01-13 15:54 . 2008-01-13 16:05 <DIR> d-------- C:\Documents and Settings\Ray\dwhelper
2008-01-13 15:17 . 2008-01-15 07:52 149 --a------ C:\WINDOWS\GetFLV.ini
2008-01-13 15:07 . 2008-01-13 15:07 <DIR> d-------- C:\Program Files\GetFLV
2008-01-13 15:07 . 2007-11-25 07:46 1,462,272 --a------ C:\WINDOWS\system32\vbsgf.dat
2008-01-12 21:21 . 2008-01-14 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 21:21 . 2008-01-12 21:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d-------- C:\Program Files\GameTap
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-12 15:06 . 2008-01-12 15:06 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\InstallShield
2007-12-26 01:51 . 2007-12-26 01:51 <DIR> d-------- C:\Program Files\DreamStation DXi
2007-12-26 01:30 . 2007-12-26 01:30 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2007-12-23 12:17 . 2003-09-04 10:02 311,295 --a------ C:\WINDOWS\LOOP.exe
2007-12-23 06:20 . 2007-12-23 11:51 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\Vso
2007-12-23 06:20 . 2007-12-23 06:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-23 06:20 . 2007-12-23 11:51 47,360 --a------ C:\Documents and Settings\Ray\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 02:06 --------- d-----w C:\Program Files\Java
2008-01-16 01:45 --------- d-----w C:\Documents and Settings\Ray\Application Data\AVG7
2008-01-15 15:00 --------- d-----w C:\Documents and Settings\Ray\Application Data\Orbit
2008-01-15 01:37 --------- d-----w C:\Program Files\Orbitdownloader
2008-01-13 21:21 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 01:49 --------- d-----w C:\Documents and Settings\Ray\Application Data\DMCache
2008-01-12 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 17:10 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-12-26 08:35 --------- d-----w C:\Program Files\Native Instruments
2007-12-26 08:25 --------- d-----w C:\Program Files\VstPlugins
2007-12-26 07:51 118,784 -c--a-w C:\WINDOWS\dsdxirmv.exe
2007-12-26 07:30 --------- d-----w C:\Program Files\Cakewalk
2007-12-23 17:55 --------- d-----w C:\Program Files\Kaneva
2007-12-17 19:25 --------- d-----w C:\Documents and Settings\Ray\Application Data\Sony
2007-12-13 04:26 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-12-13 04:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony
2007-12-13 04:24 --------- d-----w C:\Program Files\Sony
2007-12-13 04:22 --------- d-----w C:\Program Files\Sony Setup
2007-12-13 04:18 --------- d-----w C:\Program Files\Thief2
2007-12-13 04:09 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-12-13 04:09 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-12-13 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2007-12-13 04:09 --------- d-----w C:\Documents and Settings\Ray\Application Data\Propellerhead Software
2007-12-05 05:33 --------- d-----w C:\Documents and Settings\DontHitDaButtonsHard\Application Data\VersionTracker Pro
2007-11-25 10:28 --------- d-----w C:\Documents and Settings\Ray\Application Data\VersionTracker Pro
2007-11-22 10:39 --------- d-----w C:\Program Files\Edirol
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-19 17:22 15,360 ----a-w C:\WINDOWS\system32\XPLNMon.dll
2007-07-25 03:55 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-25 03:53 25,990,432 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-07-05 03:25 1,903,807 --sha-w C:\WINDOWS\Cursors\3mpalau.ini2
2007-07-04 19:16 1,860,056 --sha-w C:\WINDOWS\Cursors\3mpalau.bak2
2007-07-03 03:41 1,867,986 --sha-w C:\WINDOWS\Cursors\3mpalau.bak1
2007-05-06 09:15 1,399,636 --sha-w C:\WINDOWS\Cursors\3mpalau.tmp
2007-04-16 00:48 42,720 -c--a-w C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 16:18 161 -c--a-w C:\Documents and Settings\Ray\Application Data\internaldb1942.dat
2006-04-04 06:54 620 -c--a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2005-03-30 15:04 198 -c--a-w C:\Program Files\mtachat.txt
2007-07-03 03:41 1,867,986 --sha-w C:\WINDOWS\Cursors\3mpalau.bak1
2007-07-04 19:16 1,860,056 --sha-w C:\WINDOWS\Cursors\3mpalau.bak2
2007-07-05 03:25 1,903,807 --sha-w C:\WINDOWS\Cursors\3mpalau.ini2
2005-04-29 08:27 2,169 -csha-w C:\WINDOWS\system32\mmf(2)(2).sys
2005-07-23 21:17 2,169 -csha-w C:\WINDOWS\system32\mmf(2).sys
2005-04-29 02:13 2,169 -csha-w C:\WINDOWS\system32\mmf(3)(2).sys
2005-08-04 19:01 2,169 -csha-w C:\WINDOWS\system32\mmf(3).sys
2005-04-28 01:28 2,169 -csha-w C:\WINDOWS\system32\mmf(4)(2).sys
2005-08-08 07:56 2,169 -csha-w C:\WINDOWS\system32\mmf(4).sys
2005-04-27 20:41 2,169 -csha-w C:\WINDOWS\system32\mmf(5)(2).sys
2005-08-31 12:06 2,169 -csha-w C:\WINDOWS\system32\mmf(5).sys
2005-04-24 01:22 2,169 -csha-w C:\WINDOWS\system32\mmf(6)(2).sys
2005-09-13 13:23 2,169 -csha-w C:\WINDOWS\system32\mmf(6).sys
2007-07-03 20:40 2,169 --sha-w C:\WINDOWS\system32\mmf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 12:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-08 12:23 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eveneck]
eveneck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkhh]
opnlkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ualapm3]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTracker Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\VersionTracker\VersionTracker Pro.lnk
backup=C:\WINDOWS\pss\VersionTracker Pro.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\48ab1819.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ofmo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-06-27 12:54 1051464 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
--a------ 2005-07-11 05:51 409600 C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-11 05:33 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)

S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2003-11-03 16:31]
S3 MmedFilter;MmedFilter;C:\WINDOWS\system32\Drivers\MmedFilter.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf6eecb0-7e66-11dc-832e-00022d84df7a}]
\Shell\AutoRun\command - C:\Documents and Settings\Ray\LapNet\LapNetWizard.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 23:22:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 23:26:24
ComboFix-quarantined-files.txt 2008-01-16 05:26:20
.
2008-01-10 05:19:38 --- E O F ---
  #6  
Old January 16th, 2008, 06:38 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
Question HijackThis/After Combo Fix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:33 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cocmast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ray\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O20 - Winlogon Notify: eveneck - eveneck.dll (file missing)
O20 - Winlogon Notify: opnlkhh - opnlkhh.dll (file missing)
O20 - Winlogon Notify: ualapm3 - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10631 bytes
  #7  
Old January 16th, 2008, 04:48 PM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 52,284
That removed a good bit, but there is more to go. There is so much recent use/installation of different downloading software that it is hard to tell friend from foe there, so a caution to perhaps be more cautious about trialing things.

Be sure to again temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\Cursors\3mpalau.ini2
C:\WINDOWS\Cursors\3mpalau.bak2
C:\WINDOWS\Cursors\3mpalau.bak1
C:\WINDOWS\Cursors\3mpalau.tmp
C:\Program Files\Warez P2P ClientIPGUARD.LOG
C:\WINDOWS\Cursors\3mpalau.bak1
C:\WINDOWS\Cursors\3mpalau.bak2
C:\WINDOWS\Cursors\3mpalau.ini2
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eveneck]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkhh]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ualapm3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\48ab1819.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ofmo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------

Also go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log along with the ComboFix log and a new HijackThis log please.
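The CFScript above deletes three winlogon\notify subkeys that the HijackThis log reports as "(file missing)" or as pointing at a bare directory. Winlogon Notify subkeys name DLLs that winlogon.exe loads (as SYSTEM) on logon events, so an entry whose DLL is gone is either a leftover from an earlier removal or a broken loader; either way winlogon keeps trying to load it. The following Python script is an added example, not code from the thread or from HijackThis/ComboFix: it runs over the O20/O23 lines copied from the log above, flags the Winlogon Notify entries and services whose file is missing, and prints a Registry:: block in the same form as the script above. The function and constant names are mine; the script only prints a proposed CFScript and does not touch the registry. A missing file is not by itself proof of malware (uninstalled software leaves the same traces), and ComboFix applies the script with full privileges, so review the output before using it.

```python
"""
Added example (not from the original thread): flag HijackThis O20/O23 entries
whose target file no longer exists and emit the matching CFScript
Registry:: deletions in the form used in the post above.
Input lines are copied from the HijackThis log above; nothing is read from disk.
"""
import re

# Constructed sample: O20/O23 lines as they appear in the HijackThis log above.
SAMPLE_LOG = """\
O20 - Winlogon Notify: eveneck - eveneck.dll (file missing)
O20 - Winlogon Notify: opnlkhh - opnlkhh.dll (file missing)
O20 - Winlogon Notify: ualapm3 - C:\\WINDOWS\\
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Registry key that holds the Winlogon notification packages (assumed name, as in the script above).
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.*)$")


def suspicious_notify_entries(log_text):
    """Return O20 subkey names whose DLL is missing or whose 'path' is a bare directory.

    A Winlogon Notify subkey should carry a DllName value naming a DLL that
    winlogon.exe loads at logon; an entry naming a file that is not there, or
    no file at all, is a removal leftover or a broken loader.
    """
    flagged = []
    for line in log_text.splitlines():
        m = O20_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip()
        if target.endswith("(file missing)") or target.endswith("\\"):
            flagged.append(m.group("name"))
    return flagged


def missing_services(log_text):
    """Return (short name, path) for O23 services whose binary is missing."""
    out = []
    for line in log_text.splitlines():
        m = O23_RE.match(line)
        if m and m.group("path").strip().endswith("(file missing)"):
            path = m.group("path").replace("(file missing)", "").strip()
            out.append((m.group("short"), path))
    return out


def cfscript_registry_section(notify_names):
    """Emit a Registry:: block in the form used above ([-KEY] deletes the key)."""
    lines = ["Registry::"]
    for name in notify_names:
        lines.append(f"[-{NOTIFY_KEY}\\{name}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    names = suspicious_notify_entries(SAMPLE_LOG)
    print(cfscript_registry_section(names))
    for short, path in missing_services(SAMPLE_LOG):
        print(f"service {short}: binary not present at {path}")
```

Services with a missing binary (here LicCtrlService) are listed separately because ComboFix's script syntax handles them differently from plain key deletions, and a service entry can also belong to a licensing driver of legitimately installed software.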
  #8  
Old January 17th, 2008, 12:36 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
Kaspersky Online Scanner Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 16, 2008 5:27:50 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/01/2008
Kaspersky Anti-Virus database records: 513295
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\

Scan Statistics:
Total number of scanned objects: 14782
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:18:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\history.dat Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\key3.db Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Mozilla\Firefox\Profiles\45fjg4sp.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\6.0\28\8d22ddc-452d5ff8/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\6.0\28\8d22ddc-452d5ff8 ZIP: infected - 1 skipped
C:\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\6.0\53\33cb4475-2e625f01 Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\6.0\57\5889f2f9-2b61cbf6 Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Ray\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-2275b795-7d30de5a.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Ray\Cookies\index.dat Object is locked skipped

Scan was interrupted by user!
P.S. I had to end it because my PC shut off around 70%; the last two times I scanned it still had the same stats:
Number of viruses found: 1
Number of infected objects: 5
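Most lines in the report above are "Object is locked skipped" entries (open registry hives, AVG logs, Firefox profile databases), which are not findings; the real detections are the Java Deployment cache entries, which are applets/JARs the browser plug-in downloaded rather than installed programs. The following Python script is an added example, not code from the thread or from Kaspersky: it parses result lines copied from the report above, separates direct detections and infected containers from the locked-object noise, and picks out the hits that live in the Java plug-in cache. The function and constant names are mine.

```python
"""
Added example, not from the thread: parse the per-object result lines of a
Kaspersky Online Scanner report like the one above, separating real
detections from "Object is locked" noise and grouping them by detection name.
The sample lines are copied from the report above; nothing is read from disk.
"""
import re

# Constructed sample: a subset of the result lines from the report above.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\All Users\\Application Data\\Grisoft\\Avg7Data\\avg7log.log Object is locked skipped
C:\\Documents and Settings\\Ray\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\28\\8d22ddc-452d5ff8/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\\Documents and Settings\\Ray\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\28\\8d22ddc-452d5ff8 ZIP: infected - 1 skipped
C:\\Documents and Settings\\Ray\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\53\\33cb4475-2e625f01 Infected: Exploit.Java.Gimsh.a skipped
C:\\Documents and Settings\\Ray\\Cookies\\index.dat Object is locked skipped
"""

# Paths contain spaces, so each line is recognised by its fixed trailing form.
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked (?P<action>\S+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+) Infected: (?P<name>\S+) (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<kind>\S+): infected - (?P<count>\d+) (?P<action>\S+)$")

# Location of the Java plug-in's download cache under a user profile (assumed marker).
JAVA_CACHE_MARKER = "\\Sun\\Java\\Deployment\\cache\\"


def parse_report(text):
    """Classify each result line.

    Returns a dict with:
      'detections': [(path, detection_name, action), ...] objects flagged directly
      'containers': [(path, kind, count), ...] archives reported only as "infected - N"
      'locked':     [path, ...] objects the scanner could not open (not findings)
    """
    out = {"detections": [], "containers": [], "locked": []}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            out["locked"].append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            out["detections"].append((m.group("path"), m.group("name"), m.group("action")))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            out["containers"].append((m.group("path"), m.group("kind"), int(m.group("count"))))
    return out


def detections_by_name(parsed):
    """Count direct detections per detection name."""
    counts = {}
    for _path, name, _action in parsed["detections"]:
        counts[name] = counts.get(name, 0) + 1
    return counts


def java_cache_hits(parsed):
    """Paths of detections inside the Java plug-in's download cache.

    These are cached applets/JARs fetched by the browser, not installed
    programs; the cache can be emptied from the Java Control Panel. The
    'skipped' action means the online scanner only reported them.
    """
    return [p for p, _n, _a in parsed["detections"] if JAVA_CACHE_MARKER in p]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(detections_by_name(parsed))
    for path in java_cache_hits(parsed):
        print("java cache:", path)
    print(len(parsed["locked"]), "locked objects ignored")
```

The container line ("ZIP: infected - 1") is kept apart from the class it contains so the same detection is not counted twice.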
  #9  
Old January 17th, 2008, 12:37 AM
RaphaelRJ2
New Member
 
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
ComboFix

ComboFix 08-01-16.4 - Ray 2008-01-15 23:09:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.265 [GMT -6:00]
Running from: C:\Documents and Settings\Ray\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ray\Application Data\inst.exe
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\#SharedObjects\2FNA87XS\www.broadcaster.com
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Ray\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{A403F~1
C:\Program Files\Common Files\{A403F~2
C:\Program Files\Common Files\{A403F~3
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.h tml
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.htm l
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn. html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn .html
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\Cache\02FB33F7
C:\Program Files\MyWebSearch\bar\Cache\02FB3B8D
C:\Program Files\MyWebSearch\bar\Cache\02FB3D46.bin
C:\Program Files\MyWebSearch\bar\Cache\02FB3F13.bin
C:\Program Files\MyWebSearch\bar\Cache\02FB427A.bin
C:\Program Files\MyWebSearch\bar\Cache\0354B8FA.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BB8F.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BD3E.bin
C:\Program Files\MyWebSearch\bar\Cache\0354BE9D.bin
C:\Program Files\MyWebSearch\bar\Cache\0354C196.bin
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\printview
C:\Program Files\printview\hotlist.dat
C:\Program Files\winpop
C:\Program Files\winupdates
C:\temp\tn3
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\components
C:\WINDOWS\system32\dna403f641.dat
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcsv60.dll
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem~1\s?stem\
C:\WINDOWS\system32\wcpsvtr.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 23:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 05:11 . 2008-01-14 05:11 <DIR> d-------- C:\Program Files\GTA2 DEMO
2008-01-14 04:15 . 2008-01-14 04:43 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\GetRightToGo
2008-01-14 00:59 . 2008-01-14 00:59 0 --ah----- C:\WINDOWS\SwSys2.bmp
2008-01-14 00:59 . 2008-01-14 00:59 0 --ah----- C:\WINDOWS\SwSys1.bmp
2008-01-13 15:54 . 2008-01-13 16:05 <DIR> d-------- C:\Documents and Settings\Ray\dwhelper
2008-01-13 15:17 . 2008-01-15 07:52 149 --a------ C:\WINDOWS\GetFLV.ini
2008-01-13 15:07 . 2008-01-13 15:07 <DIR> d-------- C:\Program Files\GetFLV
2008-01-13 15:07 . 2007-11-25 07:46 1,462,272 --a------ C:\WINDOWS\system32\vbsgf.dat
2008-01-12 21:21 . 2008-01-14 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 21:21 . 2008-01-12 21:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d-------- C:\Program Files\GameTap
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-12 15:06 . 2008-01-12 15:06 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\InstallShield
2007-12-26 01:51 . 2007-12-26 01:51 <DIR> d-------- C:\Program Files\DreamStation DXi
2007-12-26 01:30 . 2007-12-26 01:30 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2007-12-23 12:17 . 2003-09-04 10:02 311,295 --a------ C:\WINDOWS\LOOP.exe
2007-12-23 06:20 . 2007-12-23 11:51 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\Vso
2007-12-23 06:20 . 2007-12-23 06:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-23 06:20 . 2007-12-23 11:51 47,360 --a------ C:\Documents and Settings\Ray\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 02:06 --------- d-----w C:\Program Files\Java
2008-01-16 01:45 --------- d-----w C:\Documents and Settings\Ray\Application Data\AVG7
2008-01-15 15:00 --------- d-----w C:\Documents and Settings\Ray\Application Data\Orbit
2008-01-15 01:37 --------- d-----w C:\Program Files\Orbitdownloader
2008-01-13 21:21 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 01:49 --------- d-----w C:\Documents and Settings\Ray\Application Data\DMCache
2008-01-12 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 17:10 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-12-26 08:35 --------- d-----w C:\Program Files\Native Instruments
2007-12-26 08:25 --------- d-----w C:\Program Files\VstPlugins
2007-12-26 07:51 118,784 -c--a-w C:\WINDOWS\dsdxirmv.exe
2007-12-26 07:30 --------- d-----w C:\Program Files\Cakewalk
2007-12-23 17:55 --------- d-----w C:\Program Files\Kaneva
2007-12-17 19:25 --------- d-----w C:\Documents and Settings\Ray\Application Data\Sony
2007-12-13 04:26 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-12-13 04:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony
2007-12-13 04:24 --------- d-----w C:\Program Files\Sony
2007-12-13 04:22 --------- d-----w C:\Program Files\Sony Setup
2007-12-13 04:18 --------- d-----w C:\Program Files\Thief2
2007-12-13 04:09 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-12-13 04:09 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-12-13 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2007-12-13 04:09 --------- d-----w C:\Documents and Settings\Ray\Application Data\Propellerhead Software
2007-12-05 05:33 --------- d-----w C:\Documents and Settings\DontHitDaButtonsHard\Application Data\VersionTracker Pro
2007-11-25 10:28 --------- d-----w C:\Documents and Settings\Ray\Application Data\VersionTracker Pro
2007-11-22 10:39 --------- d-----w C:\Program Files\Edirol
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-19 17:22 15,360 ----a-w C:\WINDOWS\system32\XPLNMon.dll
2007-07-25 03:55 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-25 03:53 25,990,432 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-07-05 03:25 1,903,807 --sha-w C:\WINDOWS\Cursors\3mpalau.ini2
2007-07-04 19:16 1,860,056 --sha-w C:\WINDOWS\Cursors\3mpalau.bak2
2007-07-03 03:41 1,867,986 --sha-w C:\WINDOWS\Cursors\3mpalau.bak1
2007-05-06 09:15 1,399,636 --sha-w C:\WINDOWS\Cursors\3mpalau.tmp
2007-04-16 00:48 42,720 -c--a-w C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 16:18 161 -c--a-w C:\Documents and Settings\Ray\Application Data\internaldb1942.dat
2006-04-04 06:54 620 -c--a-w C:\Program Files\Warez P2P ClientIPGUARD.LOG
2005-03-30 15:04 198 -c--a-w C:\Program Files\mtachat.txt
2007-07-03 03:41 1,867,986 --sha-w C:\WINDOWS\Cursors\3mpalau.bak1
2007-07-04 19:16 1,860,056 --sha-w C:\WINDOWS\Cursors\3mpalau.bak2
2007-07-05 03:25 1,903,807 --sha-w C:\WINDOWS\Cursors\3mpalau.ini2
2005-04-29 08:27 2,169 -csha-w C:\WINDOWS\system32\mmf(2)(2).sys
2005-07-23 21:17 2,169 -csha-w C:\WINDOWS\system32\mmf(2).sys
2005-04-29 02:13 2,169 -csha-w C:\WINDOWS\system32\mmf(3)(2).sys
2005-08-04 19:01 2,169 -csha-w C:\WINDOWS\system32\mmf(3).sys
2005-04-28 01:28 2,169 -csha-w C:\WINDOWS\system32\mmf(4)(2).sys
2005-08-08 07:56 2,169 -csha-w C:\WINDOWS\system32\mmf(4).sys
2005-04-27 20:41 2,169 -csha-w C:\WINDOWS\system32\mmf(5)(2).sys
2005-08-31 12:06 2,169 -csha-w C:\WINDOWS\system32\mmf(5).sys
2005-04-24 01:22 2,169 -csha-w C:\WINDOWS\system32\mmf(6)(2).sys
2005-09-13 13:23 2,169 -csha-w C:\WINDOWS\system32\mmf(6).sys
2007-07-03 20:40 2,169 --sha-w C:\WINDOWS\system32\mmf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 12:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-08 12:23 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eveneck]
eveneck.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkhh]
opnlkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ualapm3]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTracker Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\VersionTracker\VersionTracker Pro.lnk
backup=C:\WINDOWS\pss\VersionTracker Pro.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\48ab1819.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ofmo]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-06-27 12:54 1051464 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
--a------ 2005-07-11 05:51 409600 C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-11 05:33 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)

S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2003-11-03 16:31]
S3 MmedFilter;MmedFilter;C:\WINDOWS\system32\Drivers\MmedFilter.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf6eecb0-7e66-11dc-832e-00022d84df7a}]
\Shell\AutoRun\command - C:\Documents and Settings\Ray\LapNet\LapNetWizard.exe

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 23:22:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 23:26:24
ComboFix-quarantined-files.txt 2008-01-16 05:26:20
.
2008-01-10 05:19:38 --- E O F ---
#10
January 17th, 2008, 12:37 AM
RaphaelRJ2
New Member
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:33 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cocmast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download linked FLV with GetFLV - C:\Program Files\GetFLV\iemenu\DownloadLinkFLV.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ray\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Streamload Service (StreamloadService) - Streamload - C:\Program Files\Streamload\MediaMax XL\StreamloadService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 10500 bytes
#11
January 17th, 2008, 03:55 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Doesn't look like you ran the CFScript part - only the straight ComboFix scan again. Did you have trouble doing that step? If perhaps it was just overlooked go ahead and run it now and post the new ComboFix log from it please.
#12
January 17th, 2008, 11:46 AM
RaphaelRJ2
New Member
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
New ComboFix

ComboFix 08-01-16.4 - Ray 2008-01-17 4:28:47.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.278 [GMT -6:00]
Running from: C:\Documents and Settings\Ray\My Documents\Downloads\P.C Real Virus ****\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 03:11 . 2008-01-17 03:11 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\iLike
2008-01-17 03:09 . 2008-01-17 03:09 <DIR> d-------- C:\Program Files\iLike
2008-01-16 13:06 . 2008-01-16 13:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-16 13:06 . 2008-01-16 13:06 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-15 23:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 05:11 . 2008-01-14 05:11 <DIR> d-------- C:\Program Files\GTA2 DEMO
2008-01-14 04:15 . 2008-01-14 04:43 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\GetRightToGo
2008-01-13 15:54 . 2008-01-13 16:05 <DIR> d-------- C:\Documents and Settings\Ray\dwhelper
2008-01-13 15:17 . 2008-01-16 00:41 210 --a------ C:\WINDOWS\GetFLV.ini
2008-01-13 15:07 . 2008-01-13 15:07 <DIR> d-------- C:\Program Files\GetFLV
2008-01-13 15:07 . 2007-11-25 07:46 1,462,272 --a------ C:\WINDOWS\system32\vbsgf.dat
2008-01-12 21:21 . 2008-01-14 18:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 21:21 . 2008-01-12 21:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d-------- C:\Program Files\GameTap
2008-01-12 15:07 . 2008-01-12 15:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\GameTap
2008-01-12 15:06 . 2008-01-12 15:06 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\InstallShield
2007-12-26 01:51 . 2007-12-26 01:51 <DIR> d-------- C:\Program Files\DreamStation DXi
2007-12-26 01:30 . 2007-12-26 01:30 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2007-12-23 12:17 . 2003-09-04 10:02 311,295 --a------ C:\WINDOWS\LOOP.exe
2007-12-23 06:20 . 2007-12-23 11:51 <DIR> d-------- C:\Documents and Settings\Ray\Application Data\Vso
2007-12-23 06:20 . 2007-12-23 06:20 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-12-23 06:20 . 2007-12-23 11:51 47,360 --a------ C:\Documents and Settings\Ray\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 09:09 --------- d-----w C:\Program Files\iTunes
2008-01-16 22:31 --------- d-----w C:\Documents and Settings\Ray\Application Data\AVG7
2008-01-16 08:32 --------- d-----w C:\Documents and Settings\Ray\Application Data\Orbit
2008-01-16 02:06 --------- d-----w C:\Program Files\Java
2008-01-15 01:37 --------- d-----w C:\Program Files\Orbitdownloader
2008-01-13 21:21 --------- dc--a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 01:49 --------- d-----w C:\Documents and Settings\Ray\Application Data\DMCache
2008-01-12 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 17:10 --------- d-----w C:\Program Files\SP2 Connection Patcher
2007-12-26 08:35 --------- d-----w C:\Program Files\Native Instruments
2007-12-26 08:25 --------- d-----w C:\Program Files\VstPlugins
2007-12-26 07:51 118,784 -c--a-w C:\WINDOWS\dsdxirmv.exe
2007-12-26 07:30 --------- d-----w C:\Program Files\Cakewalk
2007-12-23 17:55 --------- d-----w C:\Program Files\Kaneva
2007-12-17 19:25 --------- d-----w C:\Documents and Settings\Ray\Application Data\Sony
2007-12-13 04:26 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-12-13 04:25 --------- dc----w C:\Documents and Settings\All Users\Application Data\Sony
2007-12-13 04:24 --------- d-----w C:\Program Files\Sony
2007-12-13 04:22 --------- d-----w C:\Program Files\Sony Setup
2007-12-13 04:18 --------- d-----w C:\Program Files\Thief2
2007-12-13 04:09 233,472 ----a-w C:\WINDOWS\system32\REX Shared Library.dll
2007-12-13 04:09 225,280 ----a-w C:\WINDOWS\system32\ReWire.dll
2007-12-13 04:09 --------- dc----w C:\Documents and Settings\All Users\Application Data\Propellerhead Software
2007-12-13 04:09 --------- d-----w C:\Documents and Settings\Ray\Application Data\Propellerhead Software
2007-12-05 05:33 --------- d-----w C:\Documents and Settings\DontHitDaButtonsHard\Application Data\VersionTracker Pro
2007-11-25 10:28 --------- d-----w C:\Documents and Settings\Ray\Application Data\VersionTracker Pro
2007-11-22 10:39 --------- d-----w C:\Program Files\Edirol
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-19 17:22 15,360 ----a-w C:\WINDOWS\system32\XPLNMon.dll
2007-07-25 03:55 3,655,608 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-07-25 03:53 25,990,432 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-04-16 00:48 42,720 -c--a-w C:\Documents and Settings\Ray\Application Data\GDIPFONTCACHEV1.DAT
2006-04-06 16:18 161 -c--a-w C:\Documents and Settings\Ray\Application Data\internaldb1942.dat
2005-03-30 15:04 198 -c--a-w C:\Program Files\mtachat.txt
2005-04-29 08:27 2,169 -csha-w C:\WINDOWS\system32\mmf(2)(2).sys
2005-07-23 21:17 2,169 -csha-w C:\WINDOWS\system32\mmf(2).sys
2005-04-29 02:13 2,169 -csha-w C:\WINDOWS\system32\mmf(3)(2).sys
2005-08-04 19:01 2,169 -csha-w C:\WINDOWS\system32\mmf(3).sys
2005-04-28 01:28 2,169 -csha-w C:\WINDOWS\system32\mmf(4)(2).sys
2005-08-08 07:56 2,169 -csha-w C:\WINDOWS\system32\mmf(4).sys
2005-04-27 20:41 2,169 -csha-w C:\WINDOWS\system32\mmf(5)(2).sys
2005-08-31 12:06 2,169 -csha-w C:\WINDOWS\system32\mmf(5).sys
2005-04-24 01:22 2,169 -csha-w C:\WINDOWS\system32\mmf(6)(2).sys
2005-09-13 13:23 2,169 -csha-w C:\WINDOWS\system32\mmf(6).sys
2007-07-03 20:40 2,169 --sha-w C:\WINDOWS\system32\mmf.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_23.25.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 05:08:39 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 18:43:53 241,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 05:08:39 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 18:43:53 12,288 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 05:08:40 8,388,608 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-16 18:43:54 8,388,608 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-16 05:08:40 192,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 18:43:54 192,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 09:09:49 25,214 ----a-r C:\WINDOWS\Installer\{B0193A69-9A2C-4469-B38C-8D421C10DC56}\_6FEFF9B68218417F98F549.exe
+ 2005-05-24 18:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 21:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 21:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-01-14 22:58:21 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-01-17 09:09:52 74,137 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"iLike"="C:\Program Files\iLike\1.1.26\ilikesidebar.exe" [2007-09-21 09:38 63024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 12:23 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-08 12:23 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTracker Pro.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\VersionTracker\VersionTracker Pro.lnk
backup=C:\WINDOWS\pss\VersionTracker Pro.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 09:54 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2007-06-27 12:54 1051464 C:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
--a------ 2005-07-11 05:51 409600 C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TClock.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-11 05:33 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)

R2 RVIEG01;VSC Engine;C:\Program Files\Cakewalk\Shared Dxi\Roland\RVIEg01.sys [2001-04-13 18:16]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-12-13 13:52]
S3 DSCVc;Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2003-11-03 16:31]
S3 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe []
S3 MmedFilter;MmedFilter;C:\WINDOWS\system32\Drivers\MmedFilter.sys []
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 00:04]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;C:\WINDOWS\system32\DRIVERS\wldel48b.sys [2003-11-24 12:51]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf6eecb0-7e66-11dc-832e-00022d84df7a}]
\Shell\AutoRun\command - C:\Documents and Settings\Ray\LapNet\LapNetWizard.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 04:37:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 4:40:06
ComboFix-quarantined-files.txt 2008-01-17 10:39:42
ComboFix2.txt 2008-01-16 18:55:17
ComboFix3.txt 2008-01-16 05:26:25
.
2008-01-10 05:19:38 --- E O F ---
#13
January 17th, 2008, 04:40 PM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Not quite sure what steps were done there, and now ComboFix is being run from a folder and not the desktop itself, but if nothing else those repairs in CFScript appear to have removed the items now.

If there are no issues you notice there a remaining task is to re-enable those disabled startups at least once, to do a complete cleaning. But first post back if there are any problems we need to address still.
#14
January 17th, 2008, 08:16 PM
RaphaelRJ2
New Member
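To show what the moderator is reading off the two ComboFix logs above, here is an added example (not part of the thread and not a ComboFix tool) that parses the "Reg Loading Points" section of each log and reports what changed between the scan before the CFScript run and the scan after it: the Winlogon\Notify subkeys that load a DLL into winlogon.exe at logon, and the Run entries that were only parked in msconfig's disabled list rather than deleted. The two excerpts are copied from the logs in this thread, with the forum's line-wrap spaces removed.

```python
import re
from typing import Dict, List, Optional, Set

# Excerpts from the "Reg Loading Points" sections of the two ComboFix logs posted in
# this thread (BEFORE: the scan before the CFScript run; AFTER: the scan after it),
# copied from the logs above with the forum's line-wrap spaces removed.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05 212992]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 12:23 579072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eveneck]
eveneck.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlkhh]
opnlkhh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ualapm3]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"""

AFTER = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-08 12:23 579072]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")      # [HKEY_...\key] header line
RUN_VALUE_RE = re.compile(r'^"([^"]+)"=')   # "ValueName"="command" [date size]
NOTIFY_MARK = "\\winlogon\\notify\\"
MSCONFIG_MARK = "\\msconfig\\startupreg\\"


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Map each bracketed registry key to the non-empty lines ComboFix lists under it."""
    points: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            points.setdefault(current, [])
        elif current is not None:
            points[current].append(line)
    return points


def notify_dlls(points: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Winlogon\\Notify subkeys -> DLL each loads into winlogon.exe at logon (None if empty).

    A Notify package runs inside winlogon.exe, so it never shows as its own
    process; the symptom is winlogon.exe itself burning CPU, as in this thread.
    """
    found: Dict[str, Optional[str]] = {}
    for key, values in points.items():
        if NOTIFY_MARK in key.lower():
            found[key.rsplit("\\", 1)[1]] = values[0] if values else None
    return found


def run_value_names(points: Dict[str, List[str]]) -> Set[str]:
    """Value names under every ...\\CurrentVersion\\Run key."""
    names: Set[str] = set()
    for key, values in points.items():
        if key.lower().endswith("\\currentversion\\run"):
            names.update(m.group(1) for m in map(RUN_VALUE_RE.match, values) if m)
    return names


def msconfig_disabled(points: Dict[str, List[str]]) -> Set[str]:
    """Startup items msconfig has parked under startupreg: disabled, not deleted."""
    return {key.rsplit("\\", 1)[1].lower() for key in points if MSCONFIG_MARK in key.lower()}


def compare_logs(before_text: str, after_text: str) -> Dict[str, object]:
    """Summarise what changed between two 'Reg Loading Points' sections."""
    before = parse_loading_points(before_text)
    after = parse_loading_points(after_text)
    parked = msconfig_disabled(after)
    return {
        "removed_keys": sorted(set(before) - set(after)),
        "notify_before": notify_dlls(before),
        "notify_after": notify_dlls(after),
        # Run entries gone from Run but present in msconfig's list were only
        # disabled; the thread's remaining step is to re-enable them deliberately.
        "run_moved_to_msconfig": sorted(
            name for name in run_value_names(before) - run_value_names(after)
            if name.lower() in parked
        ),
    }


if __name__ == "__main__":
    for field, value in compare_logs(BEFORE, AFTER).items():
        print(f"{field}: {value}")
```

Running it on the full logs (not just the excerpts) lists every key the CFScript run dropped and separates genuine removals from McAfee entries that only moved to the msconfig list.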
Join Date: Jan 2008
O/S: Windows XP Home
Location: Monroe, La
Posts: 18
Do you think my using Spyware Doctor has something to do with the cleansing?

The only real problem I seem to have is this.
Example:
If I'm watching a Google video my browser starts running at 100%, and if I let it play too long my PC would just shut off without warning.
#15
January 18th, 2008, 02:22 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
If you didn't heed the warnings to disable protective software and left Spyware Doctor running/enabled then yes, it very much would interfere with repairs. But at this point it looks like we still removed the active infection. How long have you had that iLike downloading software installed there? I hadn't seen it before so did a quick check. I don't see infection as part of its install, though it did install itself rapidly without ever a mention of a User Agreement or Privacy Statement. Never a good sign when installing "free" web download software.

It installs a server setup on your computer, maintains its own net access contact, updates itself and adds its own plugin to your Media Player there. Very possibly an issue when using other media related items. You may want to consider uninstalling that, then after a reboot check for improvement.

Any other issues before we do the cleaning with all enabled startups there?