The unbeatable virus


Yourdogsucks

I've been battling a mad virus for a while now. It redirects my browser and caused me all kinds of shame. The sad part is that it bypassed supposedly "live protection" on my antivirus and antimalware - which just goes to prove that the virii are being released by the same folks who make the antivirus to force consumers to purchase their product.

But anyways.

I have wiped out Mozilla and IE, and reinstalled, in safe mode, with intermittent scans of MBAM, and no luck. I have hunted down every noncritical process in msconfig and shut down every service I could find. This virus can still redirect my browser in safe mode.

Also, I have done a repair install on windows, to no avail.

Where do I go next? I have no idea. Below are my logs as specified in the intro post. It's gotten to where I feel that this virus might even be so great that I could switch to a blank hard drive and it would still be there somehow.

I would love to hunt down the makers of this virus and dispense some vigilante justice. Boy oh boy....

MBAM:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4591

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

9/10/2010 9:37:55 PM
mbam-log-2010-09-10 (21-37-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 255739
Time elapsed: 35 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions)

-> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-09-10 21:59:17
Windows 5.1.2600 Service Pack 3
Running: y30mcogb.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugwoqfob.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AA4FD00
Device -> \Driver\atapi \Device\Harddisk0\DR0 8AA6EEC5

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kghps <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Weird goings-on here.

Attach:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/22/2010 1:41:20 PM
System Uptime: 9/10/2010 9:54:50 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3R
Processor: Intel Pentium III Xeon processor | Socket 775 | 2999/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 831.555 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2A6EB68&0&0001
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_1002&DEV_AA01&SUBSYS_00AA0100&REV_1001\5&2A6EB68&0&0001
Service:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Deskjet F4500 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Deskjet F4500,192.168.1.112
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
32 Bit HP CIO Components Installer
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Advertising Center
Alien Breed: Impact
Altitude
Antivirus 2010
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
ATI Catalyst Registration
AutoCAD 2010 - English
AutoCAD 2010 Language Pack - English
avast! Free Antivirus
Beat Hazard
Bonjour
BufferChm
CameraHelperMsi
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
Cisco Connect
Compact Wireless-G USB Adapter
Copy
Coupon Printer for Windows
CutePDF Writer 2.8
Demigod
Destinations
DeviceDiscovery
DJ_AIO_06_F4500_SW_MIN
DolbyFiles
EA Download Manager
EA Download Manager UI
Empire: Total War
erLT
F4500
Fraps
Gigabyte Raid Configurer
GPBaseService2
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 14.0
HP Deskjet F4500 All-in-One Driver Software 14.0 Rel. 6
HP Imaging Device Functions 14.0
HP Photo Creations
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPProductAssistant
HPSSupply
ImagXpress
Impulse
iTunes
iTunes Library Updater
Java Auto Updater
Java(TM) 6 Update 18
King's Bounty: Armored Princess
King's Bounty: The Legend
LG USB Modem driver
LightScribe System Software
LimeWire 5.5.8
Logitech Vid
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Video Mask Maker
LWS VideoEffects
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware
MarketResearch
McAfee Security Scan Plus
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Xbox 360 Accessories 1.2
mIRC
Mobipocket Reader 6.2
Movie Templates - Starter Kit
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MyCar-Monitor 4.2.0.7
Nero 9 Essentials
Nero BurnRights
Nero BurnRights Help
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero DiscSpeed
Nero DiscSpeed Help
Nero DriveSpeed
Nero DriveSpeed Help
Nero Express Help
Nero InfoTool
Nero InfoTool Help
Nero Installer
Nero Online Upgrade
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero Vision Help
NeroExpress
neroxml
Network
NVIDIA PhysX v8.10.29
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK Wireless LAN Driver and Utility
Scan
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Shop for HP Supplies
SmartWebPrinting
SolutionCenter
StarCraft
StarCraft II
Status
Steam
Supreme Commander 2
System Requirements Lab
The Battle for Middle-earth (tm) II
The Lord of the Rings FREE Trial
The Lord of the Rings, The Rise of the Witch-king
The Settlers 7: Paths to a Kingdom
Toolbox
TrayApp
Tropico 3 - Steam Special Edition
Tropico 3: Absolute Power
Ubisoft Game Launcher
UE3Redist
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.0.5
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 8
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
X-COM: Apocalypse
X-COM: Enforcer
X-COM: Interceptor
X-COM: Terror from the Deep
X-COM: UFO Defense
Xbox 360 Controller for Windows
XfireXO Toolbar
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

9/8/2010 5:28:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/8/2010 5:26:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
9/8/2010 5:26:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/6/2010 9:24:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
9/6/2010 8:24:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
9/6/2010 7:24:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
9/6/2010 6:24:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
9/6/2010 5:24:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
9/6/2010 4:24:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
9/6/2010 3:24:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
9/6/2010 2:58:29 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/6/2010 2:08:03 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
9/6/2010 10:24:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
9/4/2010 2:01:03 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
9/3/2010 6:44:12 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/3/2010 6:44:12 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
9/3/2010 6:43:50 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
9/10/2010 9:56:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips intelppm
9/10/2010 9:47:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/10/2010 9:40:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm ohci1394
9/10/2010 9:02:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
9/10/2010 8:59:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================
 
DDS:
DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 21:59:41.18 on Fri 09/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2938 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275710167109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-8-9 816672]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-10 162768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-10 19024]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-9-10 40384]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-8-5 594048]

=============== Created Last 30 ================

2010-09-11 04:47:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-11 04:11:16 873 ----a-w- c:\windows\system32\spupdsvc.inf
2010-09-06 22:00:15 0 d-----w- c:\program files\iPod
2010-09-06 21:58:05 0 d-----w- c:\program files\Bonjour
2010-09-06 21:31:31 112 ----a-w- c:\docume~1\alluse~1\applic~1\jbjx8GG.dat
2010-09-06 21:31:18 71170 ----a-w- c:\docume~1\alluse~1\applic~1\Mp36YFaV.exe
2010-08-29 18:40:23 2843 ----a-w- c:\windows\aweloruzifulo.dll
2010-08-29 18:39:54 182784 ----a-w- c:\windows\Uvydyb.exe
2010-08-29 09:37:48 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-08-29 09:37:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 09:37:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-29 09:37:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 09:37:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-29 09:25:00 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-08-29 09:21:43 120 ----a-w- c:\windows\Vbucazetij.dat
2010-08-29 09:21:43 0 ----a-w- c:\windows\Qqugadageq.bin
2010-08-29 09:20:34 182784 ----a-w- c:\windows\Uvydya.exe
2010-08-29 09:20:32 75776 --sha-r- c:\windows\system32\regwizc1.dll
2010-08-29 09:20:15 5 ----a-w- C:\zrpt.xml
2010-08-29 09:20:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-08-29 09:20:01 784384 ----a-w- c:\windows\system32\drivers\kghps.sys

==================== Find3M ====================

2010-09-11 04:54:56 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-09-11 03:50:06 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-10 03:02:52 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2010-08-09 07:25:51 205881 ----a-w- c:\windows\hpoins46.dat
2010-08-06 01:00:28 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-08-06 01:00:27 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2010-08-01 21:12:07 77448 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-28 01:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-07 01:58:26 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-07-07 01:58:18 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-07-07 01:57:02 4337664 ----a-w- c:\windows\system32\aticaldd.dll
2010-07-07 01:53:00 15499264 ----a-w- c:\windows\system32\atioglxx.dll
2010-07-07 01:50:14 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-07-07 01:48:54 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-07-07 01:47:56 299520 ----a-w- c:\windows\system32\ati2dvag.dll
2010-07-07 01:41:18 3869952 ----a-w- c:\windows\system32\ati3duag.dll
2010-07-07 01:33:00 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-07-07 01:32:48 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-07-07 01:32:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-07-07 01:32:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-07-07 01:32:24 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-07-07 01:31:10 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-07-07 01:29:56 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-07-07 01:29:06 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-07-07 01:28:10 2273920 ----a-w- c:\windows\system32\ativvaxx.dll
2010-07-07 01:27:42 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-07-07 01:25:48 573440 ----a-w- c:\windows\system32\atikvmag.dll
2010-07-07 01:24:52 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-07-07 01:24:06 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-07-07 01:23:52 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-07-07 01:19:10 704512 ----a-w- c:\windows\system32\ati2cqag.dll
2010-07-07 01:15:58 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-07-07 01:15:58 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-15 02:16:24 86016 ----a-w- c:\windows\system32\frapsvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

============= FINISH: 22:00:32.28 ===============
 
Welcome to TechSpot. I'll help with the malware and am reviewing your logs now. You had or have Rogue Antivirus 2009 and a Rootkit, so we'll need to be sure all of it has been removed.

Please run the following programs:

Please download MBR Rootkit Detector and save it on your desktop.
  • Pause/Stop all antivirus/spyware active protection.
  • Then double click on mbr.exe to run it.
  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.
============================
Follow with ComboFix download from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt into next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

In the meantime, please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Also, do not use uTorrent, LimeWire or any other file-sharing program while I am helping you.

EDIT: Before you paste your next log in Notepad, please click on Format> Uncheck 'Word Wrap.'
 
Thank you so much for your assistance.

This is strange and may be attributed to a virus scan or something.
Here is the new MBR log.

Also, it got that filthy mp36yfav that was causing issues. I will test if this fixed it and repost.

I bolded stuff that appears strange to me.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Combofix:

ComboFix 10-09-11.02 - User 09/11/2010 12:37:16.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2771 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\All Users\Application Data\Mp36YFaV.exe
c:\documents and settings\User\Application Data\4FB84C35B69FB2235FC2879CE7B03AE0
c:\documents and settings\User\Application Data\4FB84C35B69FB2235FC2879CE7B03AE0\enemies-names.txt   WTF?
c:\documents and settings\User\Application Data\4FB84C35B69FB2235FC2879CE7B03AE0\local.ini
c:\documents and settings\User\Application Data\4FB84C35B69FB2235FC2879CE7B03AE0\lsrslt.ini
c:\documents and settings\User\Local Settings\Application Data\{073D1BF7-FEC6-435B-A2FB-C21ECDC5DC4B}
c:\documents and settings\User\Local Settings\Application Data\{073D1BF7-FEC6-435B-A2FB-C21ECDC5DC4B}\chrome.manifest
c:\documents and settings\User\Local Settings\Application Data\{073D1BF7-FEC6-435B-A2FB-C21ECDC5DC4B}\chrome\content\_cfg.js
c:\documents and settings\User\Local Settings\Application Data\{073D1BF7-FEC6-435B-A2FB-C21ECDC5DC4B}\chrome\content\overlay.xul
c:\documents and settings\User\Local Settings\Application Data\{073D1BF7-FEC6-435B-A2FB-C21ECDC5DC4B}\install.rdf
c:\documents and settings\User\Local Settings\Application Data\Windows Server
c:\documents and settings\User\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\User\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\User\Local Settings\Application Data\Windows Server\uses32.dat
C:\Install.exe
c:\windows\aweloruzifulo.dll
c:\windows\system32\drivers\kghps.sys
c:\windows\system32\spool\prtprocs\w32x86\kUOCE.dll
c:\windows\system32\spool\prtprocs\w32x86\W1uOCE79.dll
c:\windows\system32\USRINI~1.EXE

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_kghps
-------\Service_kghps


((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 06:26 . 2008-04-14 12:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-11 06:26 . 2008-04-14 05:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-09-11 06:26 . 2007-06-26 18:30 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-09-11 06:26 . 2007-06-26 18:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-09-11 06:26 . 2008-04-14 12:40 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2010-09-11 06:25 . 2008-04-14 12:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-09-11 05:55 . 2004-08-04 12:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2010-09-11 05:54 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-11 05:54 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-11 05:54 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-11 05:54 . 2004-08-04 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-11 05:54 . 2004-08-04 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-11 05:54 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-11 05:54 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-11 05:53 . 2004-08-04 12:00 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2010-09-11 05:53 . 2004-08-04 12:00 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2010-09-11 05:53 . 2004-08-04 12:00 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2010-09-11 05:53 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-11 05:30 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-11 05:30 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-11 05:30 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-11 05:30 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-11 04:47 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-11 04:47 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-11 04:47 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-11 04:47 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-11 04:47 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-11 04:47 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-11 04:47 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-11 04:47 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-09-11 04:47 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-11 04:47 . 2010-09-11 04:47 -------- d-----w- c:\program files\Alwil Software
2010-09-11 04:47 . 2010-09-11 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-07 05:15 . 2010-09-07 05:15 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-09-06 22:00 . 2010-09-06 22:00 -------- d-----w- c:\program files\iPod
2010-09-06 21:59 . 2010-09-06 22:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2010-09-06 21:58 . 2010-09-06 21:58 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2010-09-06 21:58 . 2010-09-06 21:58 -------- d-----w- c:\program files\Bonjour
2010-09-06 21:52 . 2010-09-06 21:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-09-06 21:52 . 2010-09-06 21:52 101632 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-06 21:33 . 2010-09-06 21:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-09-06 21:08 . 2010-09-06 21:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-08-29 18:39 . 2010-08-29 09:20 182784 ----a-w- c:\windows\Uvydyb.exe
2010-08-29 18:39 . 2010-08-29 18:39 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-29 09:36 . 2010-08-29 09:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-29 09:24 . 2010-05-26 07:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-08-29 09:21 . 2010-09-08 22:50 120 ----a-w- c:\windows\Vbucazetij.dat
2010-08-29 09:21 . 2010-09-08 22:50 0 ----a-w- c:\windows\Qqugadageq.bin
2010-08-29 09:20 . 2010-08-29 09:20 182784 ----a-w- c:\windows\Uvydya.exe

2010-08-29 09:20 . 2010-08-29 09:20 75776 --sha-r- c:\windows\system32\regwizc1.dll
2010-08-29 09:20 . 2010-08-29 18:47 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\tfltmolue
2010-08-29 09:20 . 2010-08-29 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 19:41 . 2010-06-27 09:20 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-09-11 19:25 . 2010-06-27 09:20 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-09-11 05:52 . 2010-05-22 20:36 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-11 05:46 . 2010-06-27 09:19 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-06 22:00 . 2010-05-26 03:23 -------- d-----w- c:\program files\iTunes
2010-09-06 22:00 . 2010-05-26 03:22 -------- d-----w- c:\program files\Common Files\Apple
2010-09-06 21:59 . 2010-05-26 03:22 -------- d-----w- c:\program files\QuickTime
2010-09-06 21:55 . 2010-09-06 21:55 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-06 21:51 . 2010-05-26 03:04 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2010-09-06 21:31 . 2010-09-06 21:31 112 ----a-w- c:\documents and settings\All Users\Application Data\jbjx8GG.dat
2010-09-02 03:09 . 2010-09-02 03:09 46852 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-30 06:29 . 2010-08-30 06:29 6476416 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\Connect.exe
2010-08-30 06:29 . 2010-08-30 06:29 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Setup.exe
2010-08-30 06:29 . 2010-08-30 06:29 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Connect.exe
2010-08-30 06:19 . 2010-05-22 22:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-30 03:32 . 2010-07-29 02:26 -------- d-----w- c:\program files\StarCraft II
2010-08-14 09:06 . 2010-06-06 11:47 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2010-08-10 03:07 . 2010-08-10 02:50 -------- d-----w- c:\program files\BSR Screen Recorder 4
2010-08-10 03:02 . 2010-08-10 02:51 2048 ----a-w- c:\windows\system32\Tr_sttool.dat
2010-08-10 01:12 . 2010-08-10 01:12 -------- d-----w- c:\program files\Cisco Systems
2010-08-09 07:25 . 2010-06-27 08:02 205881 ----a-w- c:\windows\hpoins46.dat
2010-08-09 02:10 . 2010-07-29 03:23 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2010-08-09 02:04 . 2010-05-26 03:23 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2010-08-06 01:19 . 2010-06-05 03:44 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-06 01:00 . 2010-06-23 02:05 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-08-06 01:00 . 2010-08-06 00:58 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2010-08-06 00:58 . 2010-05-22 21:23 -------- d-----w- c:\program files\Realtek
2010-08-06 00:58 . 2010-05-22 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 02:20 . 2010-05-22 21:55 5243392 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-04 01:59 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 01:59 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 01:57 . 2010-05-22 21:55 4358144 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 01:53 . 2010-05-22 21:55 15900672 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 01:47 . 2010-05-22 21:55 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-08-04 01:47 . 2010-05-22 21:55 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 01:46 . 2010-05-22 21:55 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-04 01:41 . 2010-05-22 21:55 3901280 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-04 01:31 . 2010-05-22 21:55 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 01:31 . 2010-05-22 21:55 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 01:30 . 2010-05-22 21:55 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-08-04 01:30 . 2010-05-22 21:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 01:30 . 2010-05-22 21:55 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-08-04 01:29 . 2010-05-22 21:55 606208 ----a-w- c:\windows\system32\ati2evxx.exe
2010-08-04 01:28 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-08-04 01:28 . 2010-05-22 21:55 2537728 ----a-w- c:\windows\system32\ativvaxx.dll
2010-08-04 01:27 . 2010-05-22 21:55 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-08-04 01:27 . 2010-05-22 21:55 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-08-04 01:27 . 2010-05-22 21:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 01:24 . 2010-05-22 21:55 610304 ----a-w- c:\windows\system32\atikvmag.dll
2010-08-04 01:23 . 2010-05-22 21:55 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-08-04 01:22 . 2010-05-22 21:55 188416 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 01:22 . 2010-05-22 21:55 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-08-04 01:16 . 2010-05-22 21:55 700416 ----a-w- c:\windows\system32\ati2cqag.dll
2010-08-04 01:15 . 2010-05-22 21:55 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 01:15 . 2010-05-22 21:55 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-08-04 01:14 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-08-01 21:12 . 2010-05-26 03:33 77448 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-01 03:23 . 2010-08-01 03:23 -------- d-----w- c:\documents and settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-07-30 00:23 . 2010-05-23 03:09 -------- d-----w- c:\program files\Steam
2010-07-29 03:05 . 2010-07-29 03:05 -------- d-----w- c:\program files\iTunes Library Updater
2010-07-29 02:54 . 2010-07-29 02:54 -------- d-----w- c:\documents and settings\User\Application Data\ATI
2010-07-29 02:54 . 2010-07-29 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-29 02:49 . 2010-05-22 21:55 -------- d-----w- c:\program files\ATI Technologies
2010-07-29 02:37 . 2010-07-29 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-29 02:14 . 2010-07-29 02:14 -------- d-----w- c:\program files\LG Electronics
2010-07-29 01:53 . 2010-05-25 07:54 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-07-18 07:04 . 2010-07-18 07:04 -------- d-----w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7
2010-07-18 07:04 . 2010-07-18 07:04 172032 ----a-w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7\Uninstall-MyCar-Monitor.exe
2010-07-18 07:04 . 2010-07-18 07:04 229376 ----a-w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7\SSEInternetUpdater.exe
2010-06-27 09:21 . 2010-06-27 09:21 53248 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-06-27 08:27 . 2010-05-26 03:29 101632 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-26 07:23 . 2010-06-26 07:23 260240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-26 06:48 . 2010-06-26 06:48 36864 ----a-w- c:\documents and settings\User\Application Data\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-06-23 02:41 . 2010-05-22 20:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-16 13:22 . 2010-05-22 21:55 219348 ----a-w- c:\windows\system32\atiicdxx.dat
2010-06-15 02:16 . 2010-06-15 02:16 86016 ----a-w- c:\windows\system32\frapsvid.dll
.
Code:
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\windows\system32\rundll32 .exe

Continued...
 
Continued from last

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-14 2734688]
Have had a rough time removing this one

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK 11n USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK 11n USB Wireless LAN Utility.lnk
backup=c:\windows\pss\REALTEK 11n USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m‘|\ü [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-11-19 03:28 1966080 ----a-r- c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2010-05-01 00:22 2815520 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-03-04 21:31 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ebaguh]
c:\windows\amasucefu.dll [N/A]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 23:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ----a-r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-08-20 20:25 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 23:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 23:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2010-05-08 01:35 165208 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 12:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-23 08:51 16804864 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2010-05-01 00:22 1833504 ----a-w- c:\windows\SkyTel.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-07-07 04:19 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-06-05 03:53 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wvrnfijv]
c:\documents and settings\User\Local Settings\Application Data\kvtefodbw\ucxansetssd.exe [N/A]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-10-01 00:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"odserv"=3 (0x3)

"Nero BackItUp Scheduler 4.0"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"avast! Mail Scanner"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\altitude\\altitude.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien breed impact\\Binaries\\AlienBreed-Impact.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\kings bounty armored princess\\kb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\king's bounty - the legend\\kb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\king's bounty - the legend\\save_fixer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom ufo defense\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\x-com terror from the deep\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom enforcer\\System\\XCom.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom interceptor\\Interceptor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom apocalypse\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\tropico 3\\Tropico3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the settlers 7 paths to a kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\beat hazard\\BeatHazard.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Logitech\\Vid\\Vid.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{0AFFEA39-60AF-4C4F-BB47-4A1F7CB12129}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot

R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [8/9/2010 6:11 PM 816672]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/10/2010 9:47 PM 162768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/10/2010 9:47 PM 19024]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [8/5/2010 5:58 PM 594048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 20:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{8BCAFB73-49AE-4AC4-00A1-70E4EC38BD4E} - c:\program files\Electronic Arts\The Lord of the Rings



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 12:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,5c,85,d5,a5,89,7e,4e,9c,aa,5e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,24,5c,85,d5,a5,89,7e,4e,9c,aa,5e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(1104)
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-11 12:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-11 19:45

Pre-Run: 888,718,954,496 bytes free
Post-Run: 889,690,824,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /safeboot:network

- - End Of File - - 38B11D7D0762903B6D6C299AE46D4C0D
 
Still no bad symptoms. Everything is good so far. Some programs are acting funny (HP keeps trying to get me to insert its disk) but other than that everything is good.
 
You don't need to put the logs in quotes. Log entries should not be changed in any way> no comments, no question marks, no bold print. Every character in a log is significant and shouldn't be modified in any way. You weren't instructed to remove anything yet.

You have a Vundo infection which is why you see the strange names.

Please run this Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\docume~1\alluse~1\applic~1\jbjx8GG.dat
c:\docume~1\alluse~1\applic~1\Mp36YFaV.exe
c:\windows\aweloruzifulo.dll
c:\windows\Uvydyb.exe
c:\windows\Vbucazetij.dat
c:\windows\Qqugadageq.bin
c:\windows\Uvydya.exe
c:\windows\system32\regwizc1.dll
c:\docume~1\alluse~1\applic~1\Update
c:\windows\system32\drivers\kghps.sys
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\Tr_sttool.dat
c:\windows\hpoins46.dat
c:\documents and settings\All Users\Application Data\jbjx8GG.dat

RenV::
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\qttask .exe
c:\windows\system32\rundll32 .exe

RegLock::
[HKEY_USERS\S-1-5-21-1390067357-1979792683-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

Folder::
c:\documents and settings\User\Local Settings\Application Data\tfltmolue
c:\documents and settings\All Users\Application Data\Update

Registry::
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wvrnfijv]

DirLook::
C:\zrpt.xml

Driver::
DDS::
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
=========================================
Contents of the 'Scheduled Tasks' folder> were there no processes in this?
Why are files created on 4/14/2008 and 6/26/2007 in the section for>>
(((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
2010-09-11 06:26 . 2008-04-14 12:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-11 06:26 . 2007-06-26 18:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
=========================================
Please run this Security Check:
Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
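A small triage helper for the ComboFix file listing in this thread, added here as an example and not part of the thread or of ComboFix itself: it parses "Files Created" entries, flags names with a space before the extension (the pattern in the RenV:: list), files carrying both the hidden and system attributes, and entries whose second timestamp falls outside the window the section heading states (the discrepancy asked about above). The sample lines are copied from the log; the column layout is read off the printed format, and every flag is a prompt for review, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log above,
# in the shape ComboFix prints them (first timestamp . second timestamp size attrs path).
SAMPLE_LISTING = r"""
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.
2010-09-11 06:26 . 2008-04-14 12:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-11 06:26 . 2007-06-26 18:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-09-11 04:47 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-29 18:39 . 2010-08-29 09:20 182784 ----a-w- c:\windows\Uvydyb.exe
2010-08-29 09:20 . 2010-08-29 09:20 75776 --sha-r- c:\windows\system32\regwizc1.dll
2010-08-29 09:20 . 2010-08-29 18:47 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\tfltmolue
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# size is a byte count for files and eight dashes for directories; attrs is always 8 characters
ENTRY_RE = re.compile(rf"^({TS}) \. ({TS}) (\d+|-{{8}}) (\S{{8}}) (.+)$")
HEADER_RE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")

Window = Tuple[datetime, datetime]


@dataclass
class Entry:
    first: datetime      # first timestamp column as printed
    second: datetime     # second timestamp column as printed
    size: Optional[int]  # None for directories
    attrs: str           # e.g. "--sha-r-"
    path: str


def parse_listing(text: str) -> Tuple[Optional[Window], List[Entry]]:
    """Return the (start, end) window from the section heading, if any, and the parsed entries."""
    window: Optional[Window] = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.search(line)
        if m:
            start = datetime.strptime(m.group(1), "%Y-%m-%d")
            end = datetime.strptime(m.group(2), "%Y-%m-%d") + timedelta(days=1)  # heading's end day is inclusive
            window = (start, end)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # separators ("."), blank lines, anything that is not an entry
        first, second, size, attrs, path = m.groups()
        entries.append(Entry(datetime.strptime(first, "%Y-%m-%d %H:%M"),
                             datetime.strptime(second, "%Y-%m-%d %H:%M"),
                             None if size.startswith("-") else int(size), attrs, path))
    return window, entries


def space_before_extension(path: str) -> bool:
    """True for names like 'rundll32 .exe': a space just before the extension makes the
    file read like a well-known binary while being a different file on disk."""
    name = path.rsplit("\\", 1)[-1]
    return re.search(r"\S \.[A-Za-z0-9]+$", name) is not None


def hidden_and_system(entry: Entry) -> bool:
    """A regular file marked both system and hidden does not show in a default Explorer view."""
    return not entry.attrs.startswith("d") and "s" in entry.attrs and "h" in entry.attrs


def second_timestamp_outside_window(entry: Entry, window: Window) -> bool:
    start, end = window
    return not (start <= entry.second < end)


def review_notes(text: str) -> List[Tuple[str, str]]:
    """Run the three checks over a listing and return (path, reason) pairs to look at by hand."""
    window, entries = parse_listing(text)
    notes: List[Tuple[str, str]] = []
    for e in entries:
        if space_before_extension(e.path):
            notes.append((e.path, "space before extension"))
        if hidden_and_system(e):
            notes.append((e.path, "hidden and system attributes set"))
        if window is not None and second_timestamp_outside_window(e, window):
            notes.append((e.path, "second timestamp outside section window"))
    return notes


if __name__ == "__main__":
    for path, reason in review_notes(SAMPLE_LISTING):
        print(f"{reason}: {path}")
```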
 
Okay, here are the new ones. Sorry for the quotes earlier; I didn't realize the effect there.

Combofix log:

ComboFix 10-09-11.02 - User 09/11/2010 16:39:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2812 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::
"c:\docume~1\alluse~1\applic~1\jbjx8GG.dat"
"c:\docume~1\alluse~1\applic~1\Mp36YFaV.exe"
"c:\docume~1\alluse~1\applic~1\Update"
"c:\documents and settings\All Users\Application Data\jbjx8GG.dat"
"c:\windows\aweloruzifulo.dll"
"c:\windows\hpoins46.dat"
"c:\windows\Qqugadageq.bin"
"c:\windows\system32\drivers\kghps.sys"
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\drivers\lvuvc.hs"
"c:\windows\system32\regwizc1.dll"
"c:\windows\system32\Tr_sttool.dat"
"c:\windows\Uvydya.exe"
"c:\windows\Uvydyb.exe"
"c:\windows\Vbucazetij.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\jbjx8GG.dat
c:\documents and settings\All Users\Application Data\jbjx8GG.dat
c:\documents and settings\All Users\Application Data\Update
c:\documents and settings\User\Local Settings\Application Data\tfltmolue
c:\windows\hpoins46.dat
c:\windows\Qqugadageq.bin
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\regwizc1.dll
c:\windows\system32\Tr_sttool.dat
c:\windows\Uvydya.exe
c:\windows\Uvydyb.exe
c:\windows\Vbucazetij.dat

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-11 06:26 . 2008-04-14 12:42 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-09-11 06:26 . 2008-04-14 05:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-09-11 06:26 . 2007-06-26 18:30 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2010-09-11 06:26 . 2007-06-26 18:26 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2010-09-11 06:26 . 2008-04-14 12:40 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2010-09-11 06:25 . 2008-04-14 12:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-09-11 05:55 . 2004-08-04 12:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2010-09-11 05:54 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-09-11 05:54 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2010-09-11 05:54 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2010-09-11 05:54 . 2004-08-04 12:00 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2010-09-11 05:54 . 2004-08-04 12:00 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2010-09-11 05:54 . 2004-08-04 12:00 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2010-09-11 05:54 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2010-09-11 05:53 . 2004-08-04 12:00 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2010-09-11 05:53 . 2004-08-04 12:00 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2010-09-11 05:53 . 2004-08-04 12:00 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2010-09-11 05:53 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-11 05:30 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-09-11 05:30 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-09-11 05:30 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-09-11 05:30 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-09-11 04:47 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-11 04:47 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-11 04:47 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-11 04:47 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-11 04:47 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-11 04:47 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-11 04:47 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-11 04:47 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-09-11 04:47 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-11 04:47 . 2010-09-11 04:47 -------- d-----w- c:\program files\Alwil Software
2010-09-11 04:47 . 2010-09-11 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-30 06:29 . 2010-08-30 06:29 6476416 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\Connect.exe
2010-08-30 06:29 . 2010-08-30 06:29 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Setup.exe
2010-08-30 06:29 . 2010-08-30 06:29 4096 ----a-w- c:\documents and settings\All Users\Application Data\Cisco Systems\Cisco Connect\Update\._Connect.exe
2010-08-29 18:39 . 2010-08-29 18:39 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-29 09:37 . 2010-08-29 09:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-29 09:37 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-29 09:36 . 2010-08-29 09:36 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-08-29 09:24 . 2010-05-26 07:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 23:39 . 2010-05-26 03:23 -------- d-----w- c:\program files\iTunes
2010-09-11 23:39 . 2010-05-26 03:22 -------- d-----w- c:\program files\QuickTime
2010-09-11 20:31 . 2010-05-26 03:04 -------- d-----w- c:\documents and settings\User\Application Data\LimeWire
2010-09-11 05:52 . 2010-05-22 20:36 22720 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-11 05:46 . 2010-06-27 09:19 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-09-06 22:00 . 2010-09-06 22:00 -------- d-----w- c:\program files\iPod
2010-09-06 22:00 . 2010-05-26 03:22 -------- d-----w- c:\program files\Common Files\Apple
2010-09-06 21:58 . 2010-09-06 21:58 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2010-09-06 21:58 . 2010-09-06 21:58 -------- d-----w- c:\program files\Bonjour
2010-09-06 21:55 . 2010-09-06 21:55 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-06 21:52 . 2010-09-06 21:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-09-06 21:52 . 2010-09-06 21:52 101632 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-02 03:09 . 2010-09-02 03:09 46852 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-30 06:19 . 2010-05-22 22:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-30 03:32 . 2010-07-29 02:26 -------- d-----w- c:\program files\StarCraft II
2010-08-14 09:06 . 2010-06-06 11:47 -------- d-----w- c:\documents and settings\User\Application Data\vlc
2010-08-10 03:07 . 2010-08-10 02:50 -------- d-----w- c:\program files\BSR Screen Recorder 4
2010-08-10 01:12 . 2010-08-10 01:12 -------- d-----w- c:\program files\Cisco Systems
2010-08-09 02:10 . 2010-07-29 03:23 -------- d-----w- c:\documents and settings\User\Application Data\HPAppData
2010-08-09 02:04 . 2010-05-26 03:23 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2010-08-06 01:19 . 2010-06-05 03:44 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-06 01:00 . 2010-06-23 02:05 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-08-06 01:00 . 2010-08-06 00:58 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2010-08-06 00:58 . 2010-05-22 21:23 -------- d-----w- c:\program files\Realtek
2010-08-06 00:58 . 2010-05-22 21:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 02:20 . 2010-05-22 21:55 5243392 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-08-04 01:59 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-08-04 01:59 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-08-04 01:57 . 2010-05-22 21:55 4358144 ----a-w- c:\windows\system32\aticaldd.dll
2010-08-04 01:53 . 2010-05-22 21:55 15900672 ----a-w- c:\windows\system32\atioglxx.dll
2010-08-04 01:47 . 2010-05-22 21:55 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-08-04 01:47 . 2010-05-22 21:55 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-08-04 01:46 . 2010-05-22 21:55 300544 ----a-w- c:\windows\system32\ati2dvag.dll
2010-08-04 01:41 . 2010-05-22 21:55 3901280 ----a-w- c:\windows\system32\ati3duag.dll
2010-08-04 01:31 . 2010-05-22 21:55 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-08-04 01:31 . 2010-05-22 21:55 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-08-04 01:30 . 2010-05-22 21:55 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-08-04 01:30 . 2010-05-22 21:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-08-04 01:30 . 2010-05-22 21:55 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-08-04 01:29 . 2010-05-22 21:55 606208 ----a-w- c:\windows\system32\ati2evxx.exe
2010-08-04 01:28 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-08-04 01:28 . 2010-05-22 21:55 2537728 ----a-w- c:\windows\system32\ativvaxx.dll
2010-08-04 01:27 . 2010-05-22 21:55 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-08-04 01:27 . 2010-05-22 21:55 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-08-04 01:27 . 2010-05-22 21:55 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-08-04 01:24 . 2010-05-22 21:55 610304 ----a-w- c:\windows\system32\atikvmag.dll
2010-08-04 01:23 . 2010-05-22 21:55 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-08-04 01:22 . 2010-05-22 21:55 188416 ----a-w- c:\windows\system32\atiadlxx.dll
2010-08-04 01:22 . 2010-05-22 21:55 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-08-04 01:16 . 2010-05-22 21:55 700416 ----a-w- c:\windows\system32\ati2cqag.dll
2010-08-04 01:15 . 2010-05-22 21:55 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-08-04 01:15 . 2010-05-22 21:55 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-08-04 01:14 . 2010-05-22 21:55 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-08-01 21:12 . 2010-05-26 03:33 77448 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-01 03:23 . 2010-08-01 03:23 -------- d-----w- c:\documents and settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-07-30 00:23 . 2010-05-23 03:09 -------- d-----w- c:\program files\Steam
2010-07-29 03:05 . 2010-07-29 03:05 -------- d-----w- c:\program files\iTunes Library Updater
2010-07-29 02:54 . 2010-07-29 02:54 -------- d-----w- c:\documents and settings\User\Application Data\ATI
2010-07-29 02:54 . 2010-07-29 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-07-29 02:49 . 2010-05-22 21:55 -------- d-----w- c:\program files\ATI Technologies
2010-07-29 02:37 . 2010-07-29 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-29 02:14 . 2010-07-29 02:14 -------- d-----w- c:\program files\LG Electronics
2010-07-29 01:53 . 2010-05-25 07:54 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-18 07:04 . 2010-07-18 07:04 -------- d-----w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7
2010-07-18 07:04 . 2010-07-18 07:04 172032 ----a-w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7\Uninstall-MyCar-Monitor.exe
2010-07-18 07:04 . 2010-07-18 07:04 229376 ----a-w- c:\documents and settings\User\Application Data\MyCar-Monitor 4.2.0.7\SSEInternetUpdater.exe
2010-06-27 09:21 . 2010-06-27 09:21 53248 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-06-27 08:27 . 2010-05-26 03:29 101632 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-26 07:23 . 2010-06-26 07:23 260240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-26 06:48 . 2010-06-26 06:48 36864 ----a-w- c:\documents and settings\User\Application Data\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-06-23 02:41 . 2010-05-22 20:39 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-16 13:22 . 2010-05-22 21:55 219348 ----a-w- c:\windows\system32\atiicdxx.dat
2010-06-15 02:16 . 2010-06-15 02:16 86016 ----a-w- c:\windows\system32\frapsvid.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\zrpt.xml ----



((((((((((((((((((((((((((((( SnapShot@2010-09-11_19.41.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-11 20:31 . 2010-09-11 20:31 16384 c:\windows\temp\Perflib_Perfdata_264.dat
+ 2010-05-22 20:37 . 2009-08-07 02:24 35552 c:\windows\system32\wups.dll
+ 2010-05-22 20:37 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-04 12:00 . 2008-04-14 12:42 33280 c:\windows\system32\dllcache\rundll32.exe
+ 2004-08-04 12:00 . 2008-04-14 07:10 96512 c:\windows\system32\dllcache\atapi.sys
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-06-14 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-07-07 98304]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-08 165208]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"AlcWzrd"="ALCWZRD.EXE" [2010-05-01 2815520]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK 11n USB Wireless LAN Utility.lnk - c:\program files\Realtek\11n USB Wireless LAN Utility\RtWLan.exe [2010-8-5 966656]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\User\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
m‘|\ü [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 08:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 23:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"WUSB54GCSVC"=2 (0x2)
"odserv"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"LVPrcSrv"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\altitude\\altitude.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien breed impact\\Binaries\\AlienBreed-Impact.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\kings bounty armored princess\\kb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\king's bounty - the legend\\kb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\king's bounty - the legend\\save_fixer.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom ufo defense\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\x-com terror from the deep\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom enforcer\\System\\XCom.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom interceptor\\Interceptor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom apocalypse\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\tropico 3\\Tropico3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Stardock Games\\Demigod\\bin\\Demigod.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the settlers 7 paths to a kingdom\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\beat hazard\\BeatHazard.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Logitech\\Vid\\Vid.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Realtek\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\{0AFFEA39-60AF-4C4F-BB47-4A1F7CB12129}\\setup\\hpznui01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/10/2010 9:47 PM 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/10/2010 9:47 PM 19024]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [8/9/2010 6:11 PM 816672]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [8/5/2010 5:58 PM 594048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 20:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ebaguh - c:\windows\amasucefu.dll
MSConfigStartUp-wvrnfijv - c:\documents and settings\User\Local Settings\Application Data\kvtefodbw\ucxansetssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2010-09-11 16:43:24
ComboFix-quarantined-files.txt 2010-09-11 23:43
ComboFix2.txt 2010-09-11 19:45

Pre-Run: 888,511,328,256 bytes free
Post-Run: 888,674,041,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E1585261A8575F4971E517D182AB4AC7

Security Check Log:

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
Antivirus 2010
King's Bounty: Armored Princess
McAfee Security Scan Plus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
I hope one day I'll learn to understand this jargon. I'm an engineer but not a software/hardware one.

This 'vundo' is the nastiest virus I've had. It was undetectable by my antivirus and survived a Windows repair. Also, I am seeing a lot of people having this problem with the redirects after a Google search. You would think the antivirus companies would have caught on to it by now.

I'm trying to rack my brain as to how I got it. I haven't downloaded any suspicious files and my browser is set to medium-high security. Maybe Mozilla had some sort of issue and I got it from a porn site or something.

Seriously, I wish there was a way we could tip you guys for this service.
 
Part of the Combofix header is missing. There should be 2 lines naming the antivirus, antimalware and firewall and their status as either Enabled or Outdated. I don't see them in either Combofix log. Looks something like this:
AV: AVG Internet Security *On-access scanning disabled* (Updated) {number string}
FW: AVG Firewall *disabled* {number string}
It's important because it tells me if your security was disabled and also if a rogue program shows in the header.

Antivirus 2010 which is a rogue program shows in the Security Scan. I can move the name if it shows in the Combofix header.

Java needs to be updated to v6u21.
Check this site: Java Updates. Uninstall any earlier versions (Java(TM) 6 Update 18) in Add/Remove Programs, as they are vulnerabilities for the system.

XfireXO toolbar is a legitimate entry, but you mentioned something about having a hard time removing it. It is still loading, but I can move the entries with a script; all you have to do is run what I set up, so please let me know.

McAfee scan is still on Startup and loading from the Registry. I can remove that also with the script.

I'd like you to update Malwarebytes and run another scan. But this time, I'd like you to choose Full Scan instead of Quick Scan. Paste the new log in next reply.


Malwarebytes' Anti-Malware
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
 
I double checked the combofix log. There is no header that I'm aware of. Also, I had avast disabled when I did combofix last, that may be the reason.

Going to run MBAM
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4602

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/12/2010 7:51:31 PM
mbam-log-2010-09-12 (19-51-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 252140
Time elapsed: 35 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kghps.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
 
Actually, the header in Combofix should show that the AV is Avast and that it is Disabled.

The only entry in Mbam is for the Qoobox which is where Combofix puts the quarantined files- so it's not active in the system.

Please look in Add/Remove Programs in the Control Panel and see if Antivirus 2010 is listed there. If it is, uninstall it. Then open Windows Explorer> Windows key + E> My Computer> double click on Local Drive (C)> Programs> look for Antivirus 2010> do a right click> Delete if the folder is there.

Let me know about the XO Bar and McAfee so I can finish the script. Handle the Java as instructed. Hopefully by now you are noticing some improvement in the system.
 
Things are working a lot better.

Yeah, I will def want to remove McAfee and XO.

The problem I'm having is removing the Antivirus 2010. I went into safe mode as admin and it gives me this message: "An error occurred while trying to remove Antivirus 2010. You do not have access to \\.\globalroot\systemroot\system32\userinit.exe. You can specify the new uninstall program below."
and it offers a browse box that says "command line for the uninstall program".


I'm assuming this is a fake uninstaller or something that antivirus 2010 left behind, right?
 
Also, nothing in program files. Even with 'show hidden and system' files on.

Strange tidings...

I did update the Java yesterday before you mentioned it in the post. Hopefully that will seal out new viruses. I'm working on activating Avast again right now.
 
Avast should have been enabled as soon as you finished the Combofix scan. I'd like you to #1> run the script below first, follow with #2> Eset online scan, follow with #3> HijackThis:

Please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\emptyregdb.dat
c:\program files\XfireXO\tbXfir.dll
c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

Folder::
c:\documents and settings\All Users\Application Data\TEMP
C:\zrpt.xml

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=-
backup=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=====================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
============================================
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
====================================
Question: when you tried this> "The problem I'm having is removing the antivirus 2010. I went into safe mode as admin and it give me this message..." and got the message, what exactly were you doing?
 
All logs are attached to this post. It would have taken 5 posts to put the logs in text.
 

Attachments

  • sept14combofix.txt (63.8 KB)
  • sept14hijackthis.txt (8.2 KB)
  • setp14eset.txt (2.2 KB)
 
I'm not understanding this: you were trying to uninstall a program >>what program<< and you got a message to change your home page?

Where are you finding Antivirus 2010?

Request again: take LimeWire off of Startup.

You have one new infection in the Eset log:
Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files  
    C:\WINDOWS\system32\hlp.dat
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Please reopen HijackThis to 'do system scan only'. Check each of the following, if present:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O24 - Desktop Component 1: (no name) - http://www.bp.com/liveassets/bp_int...local_assets/bp_homepage/html/rov_stream.html


Close all Windows except HijackThis and click on "Fix Checked."
==============================================
Click on Start> Control Panel> Display> Desktop> Customize Desktop> Web tab> uncheck and delete everything you find in there (except for "My current home page")> Also remove the check mark from the Lock Desktop Items box if it is checked> Apply> OK> Close
==========================================
Please run this Custom CFScript

  1. Close any open browsers.
  2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll::
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
c:\windows\temp\Perflib_Perfdata_1d8.dat

Folder::
c:\documents and settings\User\Application Data\LimeWire
c:\program files\XfireXO
c:\documents and settings\User\Application Data\uTorrent
c:\program files\iTunes Library Updater
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
c:\documents and settings\User\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please paste all logs. Use as many posts as you need.
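The HijackThis entries marked for fixing above (a ProxyServer pointing at 127.0.0.1, an unreadable [GEST] Run value, a P2P client on startup, an O24 Desktop Component) are the kind a triage script can flag automatically. The following Python is an added example, not part of this thread and not a HijackThis feature; it uses the entries quoted in this thread as constructed sample input, plus two hypothetical benign lines for contrast, and the rule names and severities are my own.

```python
"""Triage a HijackThis log for the redirect-style entries discussed in this thread.

Added example (hypothetical rules), not HijackThis's own logic. A hit is a
lead for a human reviewer, not a verdict.
"""
import re
import unicodedata

# Constructed sample input: the four entries quoted in this thread plus two
# hypothetical benign entries (ctfmon.exe, Google start page) for contrast.
SAMPLE_HJT_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O24 - Desktop Component 1: (no name) - http://www.bp.com/liveassets/bp_int...local_assets/bp_homepage/html/rov_stream.html
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

# "R1 - <body>", "O4 - <body>", "O24 - <body>" ...
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# ProxyServer = http=127.0.0.1:6522  -> browser traffic forced through a local proxy
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:[a-z]+=)?"
    r"(?P<addr>(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?::\d+)?)", re.I)
# HKLM\..\Run: [name] command
RUN_VALUE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Startup: something.lnk = target
STARTUP_LNK = re.compile(r"^Startup:\s*(?P<lnk>.+?)\s*=\s*(?P<target>.+)$")
EXECUTABLE = re.compile(r"\.(?:exe|com|scr|cmd|bat|dll|vbs|js)\b", re.I)
# The two P2P clients the helper asked to take off startup / remove in this thread.
P2P_CLIENTS = ("limewire", "utorrent")


def looks_unreadable(cmd: str) -> bool:
    """True when a Run value carries control or non-ASCII characters, or names
    no executable at all, the shape of the '[GEST] m‘|\\ü' entry above.
    Caveat: a legitimate path under a non-ASCII user name also trips this."""
    if any(ord(ch) > 127 or unicodedata.category(ch).startswith("C") for ch in cmd):
        return True
    return EXECUTABLE.search(cmd) is None


def _finding(section, line, rule, severity, detail):
    return {"section": section, "line": line, "rule": rule,
            "severity": severity, "detail": detail}


def triage(log_text: str) -> list:
    """Return a finding per entry that matches one of the hypothetical rules,
    in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, blank lines, free text
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            p = LOOPBACK_PROXY.search(body)
            if p:  # a loopback proxy is how a redirector sits between IE and the web
                findings.append(_finding(section, line, "loopback-proxy", "high", p.group("addr")))
        elif section == "O4":
            run = RUN_VALUE.match(body)
            lnk = STARTUP_LNK.match(body)
            if run and looks_unreadable(run.group("cmd")):
                findings.append(_finding(section, line, "unreadable-run-value", "high", run.group("name")))
            elif lnk and any(c in lnk.group("target").lower() for c in P2P_CLIENTS):
                findings.append(_finding(section, line, "p2p-autostart", "low", lnk.group("lnk")))
        elif section == "O24":
            # Active Desktop web content: the helper has the user clear these by hand
            findings.append(_finding(section, line, "active-desktop-component", "medium", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['rule']:25} {f['section']:3} {f['detail']}")
```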
 
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\WINDOWS\system32\hlp.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 776 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 6872 bytes

User: User
->Temp folder emptied: 833724 bytes
->Temporary Internet Files folder emptied: 119552572 bytes
->Java cache emptied: 57420 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 35011 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1330186 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 118.00 mb


OTM by OldTimer - Version 3.1.16.1 log created on 09152010_184728

Files moved on Reboot...
File C:\Documents and Settings\User\Local Settings\Temp\~DF68A9.tmp not found!
File C:\Documents and Settings\User\Local Settings\Temp\~DF68C2.tmp not found!
File C:\Documents and Settings\User\Local Settings\Temp\~DF694C.tmp not found!
File C:\Documents and Settings\User\Local Settings\Temp\~DF69A8.tmp not found!
File C:\Documents and Settings\User\Local Settings\Temp\~DF6A89.tmp not found!
File C:\Documents and Settings\User\Local Settings\Temp\~DF6AAB.tmp not found!
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\O2YQTDKF\ads[3].htm moved successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\O2YQTDKF\sh23[1].html moved successfully.
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\O2YQTDKF\topic153185[1].html moved successfully.

Registry entries deleted on Reboot...
 
ComboFix 10-09-15.01 - User 09/15/2010 18:58:27.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2714 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\drivers\lvuvc.hs"
"c:\windows\temp\Perflib_Perfdata_1d8.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Application Data\LimeWire
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-add-row-after.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-active.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before-hover.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-add-row-before.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-active.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-column-hover.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-column.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-active.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-row-hover.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\table-remove-row.gif
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\ua.css
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\viewsource.css
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\res\wincharset.properties
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\smime3.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\softokn3.chk
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\softokn3.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\sqlite3.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\ssl3.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\updater.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\version.properties
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpcom.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpcshell.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpicleanup.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpidl.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpt_dump.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xpt_link.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xul.dll
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xulrunner-stub.exe
c:\documents and settings\User\Application Data\LimeWire\browser\xulrunner\xulrunner.exe
c:\documents and settings\User\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\User\Application Data\LimeWire\createtimes.cache
c:\documents and settings\User\Application Data\LimeWire\downloads.dat
c:\documents and settings\User\Application Data\LimeWire\fileurns.cache
c:\documents and settings\User\Application Data\LimeWire\gnutella.net
c:\documents and settings\User\Application Data\LimeWire\installation.props
c:\documents and settings\User\Application Data\LimeWire\library.dat
c:\documents and settings\User\Application Data\LimeWire\library5.dat
c:\documents and settings\User\Application Data\LimeWire\limewire.props
c:\documents and settings\User\Application Data\LimeWire\lock
c:\documents and settings\User\Application Data\LimeWire\mojito.props
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\.autoreg
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_001_
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_002_
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_003_
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\_CACHE_MAP_
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\03A7FE01d01
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\1FEE1D13d01
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\Cache\7BD6A121d01
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\cert8.db
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\compreg.dat
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\cookies.sqlite
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\downloads.sqlite
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\extensions.cache
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\extensions.ini
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\history.dat
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\key3.db
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\permissions.sqlite
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\places.sqlite-journal
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\places.sqlite
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\pluginreg.dat
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\prefs.js
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\secmod.db
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\XPC.mfl
c:\documents and settings\User\Application Data\LimeWire\mozilla-profile\xpti.dat
c:\documents and settings\User\Application Data\LimeWire\player.props
c:\documents and settings\User\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\User\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\User\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\User\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\User\Application Data\LimeWire\questions.props
c:\documents and settings\User\Application Data\LimeWire\responses.cache
c:\documents and settings\User\Application Data\LimeWire\simpp.cert
c:\documents and settings\User\Application Data\LimeWire\simpp.xml
c:\documents and settings\User\Application Data\LimeWire\spam.dat
c:\documents and settings\User\Application Data\LimeWire\tables.props
c:\documents and settings\User\Application Data\LimeWire\ttdata.cache
c:\documents and settings\User\Application Data\LimeWire\ttroot.cache
c:\documents and settings\User\Application Data\LimeWire\update.cert
c:\documents and settings\User\Application Data\LimeWire\urns.dat
c:\documents and settings\User\Application Data\LimeWire\version.xml
c:\documents and settings\User\Application Data\LimeWire\versions.props
c:\documents and settings\User\Application Data\LimeWire\xml\data\audio.sxml3
c:\documents and settings\User\Application Data\uTorrent
c:\program files\iTunes Library Updater
c:\program files\iTunes Library Updater\Interop.iTunesLib.dll
c:\program files\iTunes Library Updater\iTLU Handbuch.pdf
c:\program files\iTunes Library Updater\iTLU Manual.pdf
c:\program files\iTunes Library Updater\ITLUconsole.exe
c:\program files\iTunes Library Updater\ITLUengine.dll
c:\program files\iTunes Library Updater\ITLUgui.exe
c:\program files\iTunes Library Updater\PureComponents.NicePanel.fw11.dll
c:\program files\XfireXO
c:\program files\XfireXO\INSTALL.LOG
c:\program files\XfireXO\toolbar.cfg
c:\program files\XfireXO\UNWISE.EXE
c:\program files\XfireXO\XfireXOToolbarHelper.exe
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))
.

2010-09-16 01:47 . 2010-09-16 01:47 -------- d-----w- C:\_OTM
2010-09-15 02:10 . 2010-09-15 02:10 -------- d-----w- c:\program files\ESET
2010-09-15 01:50 . 2010-09-15 01:50 388096 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-15 01:50 . 2010-09-15 01:50 -------- d-----w- c:\program files\Trend Micro
2010-09-14 04:51 . 2010-09-14 04:51 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-09-14 01:44 . 2010-09-14 01:45 205421 ----a-w- c:\windows\hpoins46.dat
2010-09-12 04:00 . 2010-09-12 04:00 53248 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-09-12 00:29 . 2010-09-12 00:29 -------- d-----w- c:\program files\Common Files\Java
2010-09-12 00:29 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-12 00:19 . 2010-09-12 00:19 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6a5acc59-n\msvcp71.dll