Hello,
I've been having problems relieving my pc of a virus, so I'm here as a last resort before I reformat.
Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:01 PM, on 9/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/d...mp;dtag=fs4vx51
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F6FA722-5E84-4FCE-9142-42CBD771931A} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {93F4320D-60A9-4265-8BE9-4825AD705BC0} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: awtst - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6901 bytes






Antivir log:











Avira AntiVir Personal
Report file date: Wednesday, September 03, 2008 16:53

Scanning for 1596463 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: Ryan
Computer name: MEGANANDRYAN

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 8/12/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 15:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 20:54:15
ANTIVIR2.VDF : 7.0.6.94 2998784 Bytes 8/31/2008 21:50:04
ANTIVIR3.VDF : 7.0.6.111 154112 Bytes 9/3/2008 21:50:06
Engineversion : 8.1.1.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21
AESCRIPT.DLL : 8.1.0.70 319866 Bytes 9/3/2008 21:50:18
AESCN.DLL : 8.1.0.23 119156 Bytes 7/10/2008 19:44:49
AERDL.DLL : 8.1.1.1 397683 Bytes 9/3/2008 21:50:17
AEPACK.DLL : 8.1.2.1 364917 Bytes 7/15/2008 19:58:35
AEOFFICE.DLL : 8.1.0.23 196987 Bytes 9/3/2008 21:50:15
AEHEUR.DLL : 8.1.0.51 1397111 Bytes 9/3/2008 21:50:14
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/10/2008 19:44:48
AEGEN.DLL : 8.1.0.36 315764 Bytes 9/3/2008 21:50:09
AEEMU.DLL : 8.1.0.7 430452 Bytes 7/31/2008 15:33:21
AECORE.DLL : 8.1.1.11 172406 Bytes 9/3/2008 21:50:07
AEBB.DLL : 8.1.0.1 53617 Bytes 7/10/2008 19:44:48
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 9/3/2008 21:50:06
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, September 03, 2008 16:53

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LinksysAgent.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'KodakCCS.exe' - '1' Module(s) have been scanned
Scan process 'guard.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
33 processes with 33 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\VundoFix Backups\arnqfhbd.exe.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '492d11f1.qua'!
C:\VundoFix Backups\belyfyjk.exe.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '492b11e4.qua'!
C:\VundoFix Backups\flisatpt.exe.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '492811eb.qua'!
C:\VundoFix Backups\tyecjtca.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '492411f9.qua'!
C:\VundoFix Backups\vdhnbxsv.exe.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '492711e4.qua'!
C:\WINDOWS\SYSTEM32\phc3vsj0eed9.bmp
[DETECTION] Is the TR/Fakealert.AAF Trojan
[NOTE] The file was moved to '4922140a.qua'!


End of the scan: Wednesday, September 03, 2008 17:47
Used time: 53:39 Minute(s)

The scan has been done completely.

11670 Scanning directories
413003 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
6 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
412995 Files not concerned
4076 Archives were scanned
2 Warnings
6 Notes










mbam log:









Malwarebytes' Anti-Malware 1.26
Database version: 1111
Windows 5.1.2600 Service Pack 3

9/3/2008 5:58:01 PM
mbam-log-2008-09-03 (17-58-01).txt

Scan type: Quick Scan
Objects scanned: 48931
Time elapsed: 1 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

Hello gibber11,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

ComboFix 08-09-03.03 - Ryan 2008-09-04 6:44:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2152 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ryan\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\SYSTEM32\tstwa.bak1
C:\WINDOWS\system32\tstwa.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-03 18:04 . 2008-09-03 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-03 17:50 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Program Files\Avira
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-03 15:49 . 2008-09-03 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:44 . 2008-09-03 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-30 16:32 . 2008-08-30 16:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Uniblue
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-29 16:08 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-29 16:02 . 2008-08-29 16:02 <DIR> d-------- C:\WINDOWS\EHome
2008-08-27 10:32 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-26 16:02 . 2008-08-26 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-26 16:02 . 2008-08-26 16:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-18 15:09 . 2008-08-18 15:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-13 19:34 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 19:33 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-29 21:32 4,554,296 -csha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-29 18:44 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-08-27 23:11 --------- d-----w C:\Program Files\Electronic Arts
2008-08-27 23:10 --------- d-----w C:\Program Files\AIM
2008-08-27 23:09 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Aim
2008-08-21 21:32 --------- d-----w C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-13 00:42 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2008-08-10 15:54 --------- d-----w C:\Program Files\Winamp
2008-08-04 17:11 --------- d-----w C:\Documents and Settings\Megan\Application Data\AdobeUM
2008-08-01 00:46 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vlc
2008-08-01 00:37 --------- d-----w C:\Program Files\VideoLAN
2008-08-01 00:37 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-07-31 23:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\Ryan\Application Data\CyberLink
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-10 00:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 02:41 81920 C:\WINDOWS\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-09-08 16:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"2chkdsk"=rundll32.exe "C:\WINDOWS\system32\tyecjtca.dll",setvm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Valve\\Steam\\steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike\\hl.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\Vapour 2.0 Beta\\VapourApp.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 naecd;naecd;C:\DOCUME~1\Ryan\LOCALS~1\Temp\naecd.sys [ ]
S3 PciCon;PciCon;D:\PciCon.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0F6FA722-5E84-4FCE-9142-42CBD771931A} - (no file)
BHO-{93F4320D-60A9-4265-8BE9-4825AD705BC0} - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
Notify-awtst - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\siqvxo2c.Ryan\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Documents and Settings\Ryan\Application Data\Mozilla\Firefox\Profiles\siqvxo2c.Ryan\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll
FF -: plugin - C:\Program Files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 06:51:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\PnkBstrA.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-09-04 6:57:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-04 11:57:46

Pre-Run: 43,995,533,312 bytes free
Post-Run: 43,888,300,032 bytes free

191 --- E O F --- 2008-08-31 08:00:35



















Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:47 AM, on 9/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/d...mp;dtag=fs4vx51
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6289 bytes

Hello gibber11,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix 08-09-03.03 - Ryan 2008-09-05 6:53:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2144 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\#SharedObjects\U7GYFRJR\bin.clearspring.com
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\#SharedObjects\U7GYFRJR\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Megan\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAECD
-------\Service_naecd


((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-03 18:04 . 2008-09-03 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-02 00:26 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-03 17:50 . 2008-09-02 00:25 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Program Files\Avira
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-03 15:49 . 2008-09-03 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:44 . 2008-09-03 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-30 16:32 . 2008-08-30 16:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Uniblue
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-29 16:08 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-29 16:02 . 2008-08-29 16:02 <DIR> d-------- C:\WINDOWS\EHome
2008-08-27 10:32 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-26 16:02 . 2008-08-26 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-26 16:02 . 2008-08-26 16:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-18 15:09 . 2008-08-18 15:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-13 19:34 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 19:33 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-31 03:40 60,928 ----a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2008-08-31 03:40 1,798,144 ----a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2008-08-30 18:15 161,280 ----a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2008-08-29 21:32 4,554,296 -csha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-29 18:44 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-08-27 23:11 --------- d-----w C:\Program Files\Electronic Arts
2008-08-27 23:10 --------- d-----w C:\Program Files\AIM
2008-08-27 23:09 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Aim
2008-08-23 03:59 66,560 ----a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2008-08-21 21:32 --------- d-----w C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-15 02:28 37,376 ----a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2008-08-13 00:42 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2008-08-12 02:45 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2008-08-12 02:45 1,769,472 ----a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2008-08-10 15:54 --------- d-----w C:\Program Files\Winamp
2008-08-08 03:16 39,936 ----a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2008-08-08 03:16 1,767,424 ----a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2008-08-05 02:43 106,496 ----a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2008-08-04 17:11 --------- d-----w C:\Documents and Settings\Megan\Application Data\AdobeUM
2008-08-01 00:46 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vlc
2008-08-01 00:37 --------- d-----w C:\Program Files\VideoLAN
2008-08-01 00:37 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-07-31 23:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\Ryan\Application Data\CyberLink
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-25 04:24 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB47.tmp
2008-07-25 01:46 8,330,959 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-07-11 22:12 59,392 -c--a-w C:\WINDOWS\Internet Logs\xDB46.tmp
2008-07-10 00:01 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-07-09 23:54 31,744 -c--a-w C:\WINDOWS\Internet Logs\xDB45.tmp
2008-07-04 12:13 232,448 -c--a-w C:\WINDOWS\Internet Logs\xDB44.tmp
2008-06-09 13:14 59,904 -c--a-w C:\WINDOWS\Internet Logs\xDB42.tmp
2008-06-09 13:14 1,717,760 -c--a-w C:\WINDOWS\Internet Logs\xDB43.tmp
2008-06-05 21:12 145,920 -c--a-w C:\WINDOWS\Internet Logs\xDB40.tmp
2008-06-05 21:12 1,718,784 -c--a-w C:\WINDOWS\Internet Logs\xDB41.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 02:41 81920 C:\WINDOWS\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-09-08 16:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"2chkdsk"=rundll32.exe "C:\WINDOWS\system32\tyecjtca.dll",setvm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Valve\\Steam\\steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike\\hl.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\Vapour 2.0 Beta\\VapourApp.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 PciCon;PciCon;D:\PciCon.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 06:58:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SYSTEM32\DRIVERS\KodakCCS.exe
C:\WINDOWS\SYSTEM32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\PnkBstrA.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-09-05 7:05:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 12:05:02
ComboFix2.txt 2008-09-04 11:57:50

Pre-Run: 43,525,517,312 bytes free
Post-Run: 43,497,246,720 bytes free

195 --- E O F --- 2008-08-31 08:00:35























Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:07:42 AM, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/d...mp;dtag=fs4vx51
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 6380 bytes

Hello gibber11,

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply.

Scanning Report
Friday, September 05, 2008 16:12:01 - 17:48:43

Computer name: MEGANANDRYAN
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 7 malware found
Trojan-Downloader.JS.Agent.cnn (virus)

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[1].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[2].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[3].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[4].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[5].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[6].HTM (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\41IV85E3\AC[7].HTM (Renamed & Submitted)

Statistics
Scanned:

* Files: 57396
* System: 4434
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 7
* Deleted: 0
* None: 0
* Submitted: 7

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-09-05
* F-Secure AVP: 7.0.171, 2008-09-05
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Hello gibber11,

Your logs are looking much better, how is your computer running?

Hello __RiP_ChAiN_,

My computer is behaving much more like it should.

I can't thank you enough for helping me out. I was lost trying to tackle this problem on my own.

In other news, my parents' laptop is having a similar problem so you may hear from me again in the near future.

Thanks again!!!!!!

Hello gibber11,

That's excellent news, just a couple of things left to delete here and we'll finish up.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Hello __RiP_ChAiN_,

I did just as your last post instructed, but ComboFix seems to be just sitting idle.

gibber11,

Did combofix ever run, or did it stall and quit?

it starts up like it's about to run, but I get just a blue screen with a blinking cursor.
I let that sit for a while without any action.

__RiP_ChAiN_,
This was weird. I tried ComboFix again and this time it asked to be updated. After updating it started to run and here is the log:



ComboFix 08-09-10.04 - Ryan 2008-09-11 6:38:21.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2119 [GMT -5:00]
Running from: C:\Documents and Settings\Ryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ryan\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-06 16:15 . 2008-09-06 16:15 641,021 --a------ C:\WINDOWS\unins001.exe
2008-09-06 16:15 . 2008-09-06 16:15 2,601 --a------ C:\WINDOWS\unins001.dat
2008-09-06 16:14 . 2008-09-06 16:14 <DIR> d-------- C:\Documents and Settings\Megan\Application Data\Malwarebytes
2008-09-05 16:07 . 2008-09-05 16:07 <DIR> d-------- C:\fsaua.data
2008-09-03 18:04 . 2008-09-03 18:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-03 17:50 . 2008-09-10 16:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-03 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-03 17:50 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-09-03 17:50 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Program Files\Avira
2008-09-03 16:45 . 2008-09-03 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-03 15:49 . 2008-09-03 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-09-03 15:44 . 2008-09-03 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-30 16:32 . 2008-08-30 16:32 <DIR> d-------- C:\Documents and Settings\Ryan\Application Data\Uniblue
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-08-29 16:11 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-29 16:08 . 2008-08-29 16:11 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-29 16:02 . 2008-08-29 16:02 <DIR> d-------- C:\WINDOWS\EHome
2008-08-27 10:32 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\SYSTEM32\dot3ui.dll
2008-08-26 16:02 . 2008-08-26 16:02 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-26 16:02 . 2008-08-26 16:02 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-18 15:09 . 2008-08-18 15:09 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-13 19:34 . 2008-05-01 09:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-13 19:33 . 2008-04-11 14:04 691,712 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 19:41 --------- d-----w C:\Program Files\EA GAMES
2008-09-03 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-03 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-31 03:40 60,928 ----a-w C:\WINDOWS\Internet Logs\xDB50.tmp
2008-08-31 03:40 1,798,144 ----a-w C:\WINDOWS\Internet Logs\xDB51.tmp
2008-08-30 18:15 161,280 ----a-w C:\WINDOWS\Internet Logs\xDB4F.tmp
2008-08-29 21:32 4,554,296 -csha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-29 18:44 --------- d-----w C:\Documents and Settings\Ryan\Application Data\uTorrent
2008-08-27 23:11 --------- d-----w C:\Program Files\Electronic Arts
2008-08-27 23:10 --------- d-----w C:\Program Files\AIM
2008-08-27 23:09 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Aim
2008-08-23 03:59 66,560 ----a-w C:\WINDOWS\Internet Logs\xDB4E.tmp
2008-08-21 21:32 --------- d-----w C:\Documents and Settings\Ryan\Application Data\dvdcss
2008-08-15 02:28 37,376 ----a-w C:\WINDOWS\Internet Logs\xDB4D.tmp
2008-08-13 00:42 --------- d-----w C:\Documents and Settings\Ryan\Application Data\Xfire
2008-08-12 02:45 44,544 ----a-w C:\WINDOWS\Internet Logs\xDB4B.tmp
2008-08-12 02:45 1,769,472 ----a-w C:\WINDOWS\Internet Logs\xDB4C.tmp
2008-08-10 15:54 --------- d-----w C:\Program Files\Winamp
2008-08-08 03:16 39,936 ----a-w C:\WINDOWS\Internet Logs\xDB49.tmp
2008-08-08 03:16 1,767,424 ----a-w C:\WINDOWS\Internet Logs\xDB4A.tmp
2008-08-05 02:43 106,496 ----a-w C:\WINDOWS\Internet Logs\xDB48.tmp
2008-08-04 17:11 --------- d-----w C:\Documents and Settings\Megan\Application Data\AdobeUM
2008-08-01 00:46 --------- d-----w C:\Documents and Settings\Ryan\Application Data\vlc
2008-08-01 00:37 --------- d-----w C:\Program Files\VideoLAN
2008-08-01 00:37 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-07-31 23:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\Ryan\Application Data\CyberLink
2008-07-31 22:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-31 21:59 29,480 ----a-w C:\WINDOWS\SYSTEM32\msxml3a.dll
2008-07-25 04:24 104,960 ----a-w C:\WINDOWS\Internet Logs\xDB47.tmp
2008-07-25 01:46 8,330,959 -c--a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2008-07-19 03:10 45,768 -c--a-w C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-19 03:10 36,552 -c--a-w C:\WINDOWS\SYSTEM32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2008-07-11 22:12 59,392 -c--a-w C:\WINDOWS\Internet Logs\xDB46.tmp
2008-07-09 23:54 31,744 -c--a-w C:\WINDOWS\Internet Logs\xDB45.tmp
2008-07-07 20:26 253,952 -c--a-w C:\WINDOWS\SYSTEM32\es.dll
2008-07-04 12:13 232,448 -c--a-w C:\WINDOWS\Internet Logs\xDB44.tmp
2008-06-24 16:43 74,240 -c--a-w C:\WINDOWS\SYSTEM32\mscms.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-04_ 6.57.23.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-27 20:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-02-27 20:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
- 2007-03-15 23:19:28 1,476,992 -c--a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
+ 2008-03-20 23:06:36 1,480,232 ----a-w C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
- 2008-05-29 23:35:11 17,486,968 -c--a-w C:\WINDOWS\SYSTEM32\MRT.exe
+ 2008-08-26 18:28:14 16,208,504 -c--a-w C:\WINDOWS\SYSTEM32\MRT.exe
- 2004-08-30 20:25:24 438,272 -c--a-w C:\WINDOWS\SYSTEM32\vp6vfw.dll
+ 2004-08-18 02:14:36 442,368 -c--a-r C:\WINDOWS\SYSTEM32\vp6vfw.dll
+ 2008-04-15 17:47:33 1,724,416 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-12-05 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2004-07-19 07:51 306688 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-09-26 14:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2007-12-05 02:41 81920 C:\WINDOWS\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2006-09-08 16:36 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" /startup
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"Steam"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"IntelMeM"=C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RunDLL32.exe NvMCTray.dll,NvTaskbarInit
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Valve\\Steam\\steam.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\half-life 2\\hl2.exe"=
"C:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\counter-strike\\hl.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"C:\\Program Files\\Vapour 2.0 Beta\\VapourApp.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gibber53211\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S3 PciCon;PciCon;D:\PciCon.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-11 06:41:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-11 6:44:01
ComboFix-quarantined-files.txt 2008-09-11 11:43:36
ComboFix2.txt 2008-09-05 12:05:09
ComboFix3.txt 2008-09-04 11:57:50

Pre-Run: 40,046,702,592 bytes free
Post-Run: 40,124,768,256 bytes free

202 --- E O F --- 2008-08-31 08:00:35

__RiP_ChAiN_,

It's unclear to me whether or not ComboFix ran with the script. I dragged the script over the ComboFix icon, just as instructed, and that is when it updated. It then restarted and scanned automatically. The ensuing log is what is in the last post.

Should I run the script again and post that log, or is the one I posted okay?

Thanks.

Hello gibber11,

The log from Combofix that you posted will do fine.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on launch.exe to start the program.
• Cancel any prompts to download the latest CureIt version and click Start.
• At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
• When complete, click Select All, then choose Cure > Move incurable.
  (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• Now put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
• Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Ryan\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Ryan\Desktop;Archive contains infected objects;Moved.;
Install_AIM.exe\data041;C:\Documents and Settings\Ryan\Desktop\MISC\Install_AIM.exe;Adware.Aws;;
Install_AIM.exe;C:\Documents and Settings\Ryan\Desktop\MISC;Archive contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Ryan\Desktop\SECURITY\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Ryan\Desktop\SECURITY;Archive contains infected objects;Moved.;
GTDownDE_87.ocx;C:\I386;Adware.Gdown;Incurable.Moved.;
A0005631.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0005631.exe;Program.PsExec.171;;
A0005631.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11;Archive contains infected objects;Moved.;
A0005632.exe\data041;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0005632.exe;Adware.Aws;;
A0005632.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11;Archive contains infected objects;Moved.;
A0005633.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0005633.exe;Tool.Prockill;;
A0005633.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11;Archive contains infected objects;Moved.;
A0000021.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2;Program.PsExec.170;Incurable.Moved.;
A0000457.EXE;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3;Program.PsExec.170;Incurable.Moved.;
A0002542.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8\A0002542.exe;Program.PsExec.171;;
A0002542.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP8;Archive contains infected objects;Moved.;

Hello gibber11,

Your logs are looking better, how is your computer running?

Hey __RiP_ChAiN_,

My computer's running great. Better than it has in a while in fact.

I'm assuming that all files and folders with blue text have something to do with recovery console. Is that normal?

Hello gibber11,


Yes, they indicate compressed files. This is nothing to worry about.

Time for some housekeeping

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  
  
  • 
  
  
  
• When shown the disclaimer, Select "2"

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

I think this may be a separate issue, but I am no longer able to use add or remove programs.
The list that's created is loaded with unfamiliar software; none of which I am able to do anything.
I checked the registry and the only software that appears in uninstall is Avira AntiVir.

Have you had any experience with this issue?

i thought a new HJT log would help


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:05 PM, on 9/26/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/vso9/d...mp;dtag=fs4vx51
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6231 bytes

Hello gibber11,

Do you have a current XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on START-->RUN and type sfc /scannow (note the space) (Let this run undisturbed until the window with the blue progress bar goes away)

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage. In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.