OK, here is the ComboFix log:

ComboFix 09-08-26.05 - Christopher 08/27/2009 0:39.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.599 [GMT -4:00]
Running from: c:\documents and settings\Christopher\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\windows\Installer\2451c7.msi
c:\windows\kb913800.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\regedit.com
c:\windows\run.log
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\drivers\kbiwkmjbgdxjao.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kbiwkmhnmnieyl.dll
c:\windows\system32\kbiwkmrdulxbrr.dll
c:\windows\system32\kbiwkmrulqdody.dat
c:\windows\system32\kbiwkmtpvbuvap.dat
c:\windows\system32\kbiwkmxnriqlal.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\wispex.html

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbiwkmakfhcxer
-------\Legacy_kbiwkmakfhcxer
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.
2009-08-25 04:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-25 04:38 . 2009-08-25 04:40 -------- d-----w- c:\program files\Fixthis
2009-08-25 04:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 04:30 . 2009-08-25 04:30 -------- d-----w- C:\_OTM
2009-08-22 07:10 . 2009-08-22 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-22 07:10 . 2009-08-22 07:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-22 05:17 . 2009-08-22 05:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-22 05:17 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-22 05:16 . 2009-08-22 05:16 -------- d-----w- c:\program files\Lavasoft
2009-08-22 05:16 . 2009-08-22 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-22 04:55 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-22 04:55 . 2009-08-22 06:46 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 04:55 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-22 04:55 . 2009-08-22 04:56 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-22 04:55 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-22 04:54 . 2009-08-27 03:28 -------- d-----w- c:\program files\Spyware Doctor
2009-08-22 04:54 . 2009-08-22 04:54 -------- d-----w- c:\documents and settings\Christopher\Application Data\PC Tools
2009-08-22 04:54 . 2009-08-22 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-19 17:25 . 2009-08-19 17:25 -------- d-----w- c:\documents and settings\Christopher\Application Data\Malwarebytes
2009-08-19 17:25 . 2009-08-19 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\MSBuild
2009-08-16 00:47 . 2009-08-16 00:47 -------- d-----w- c:\program files\Reference Assemblies
2009-08-16 00:46 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-16 00:46 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-16 00:46 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-16 00:46 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-16 00:46 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-16 00:46 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-16 00:46 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-16 00:41 . 2009-08-16 00:41 -------- d-----w- c:\program files\MSXML 6.0
2009-08-12 19:49 . 2009-08-12 19:49 -------- d-----w- c:\windows\ServicePackFiles
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-27 04:12 . 2008-08-09 19:36 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-22 18:20 . 2009-07-21 04:25 -------- d-----w- c:\program files\World of Warcraft
2009-08-22 05:11 . 2006-08-25 01:30 -------- d-----w- c:\program files\Trend Micro
2009-08-17 20:06 . 2006-09-04 22:13 73352 ----a-w- c:\documents and settings\Christopher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 02:32 . 2009-02-18 04:40 73352 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 16:29 . 2009-05-14 21:13 -------- d-----w- c:\documents and settings\Guest\Application Data\U3
2009-08-07 07:04 . 2009-05-13 05:06 -------- d-----w- c:\documents and settings\Christopher\Application Data\U3
2009-08-06 18:44 . 2006-08-25 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\GTek
2009-08-06 18:43 . 2009-02-13 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-08-06 18:42 . 2006-08-25 01:19 -------- d-----w- c:\program files\MUSICMATCH
2009-08-06 18:40 . 2006-08-25 01:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 18:40 . 2005-08-17 01:54 -------- d-----w- c:\program files\GemMaster
2009-08-06 18:39 . 2006-08-25 01:13 -------- d-----w- c:\program files\Dell
2009-08-05 09:11 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 18:19 . 2007-06-01 03:33 -------- d-----w- c:\documents and settings\Christopher\Application Data\LimeWire
2009-07-22 04:34 . 2009-07-22 04:33 2988592 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
2009-07-17 18:55 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-30 15:52 . 2007-01-14 03:28 -------- d-----w- c:\program files\World of Warcraft2
2009-06-29 16:12 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 2005-08-16 09:18 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2005-08-16 09:18 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2005-08-16 09:18 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2005-08-16 09:18 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2005-08-16 09:18 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2005-08-16 09:18 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2005-08-16 09:18 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2005-08-16 09:18 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 2005-08-16 09:18 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2005-08-16 09:18 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2005-08-16 09:18 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2005-08-16 09:18 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:17 . 2005-08-16 09:18 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:17 . 2005-08-16 09:18 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:17 . 2005-08-16 09:18 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:17 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:17 . 2005-08-16 09:18 729600 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:17 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 2005-08-16 09:18 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2005-08-16 09:18 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2005-08-16 09:18 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2005-08-16 09:18 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:35 . 2005-08-16 09:18 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-08-16 09:18 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2005-08-16 09:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2005-08-16 09:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2005-08-16 09:37 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:24 . 2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-15 21:19 . 2008-07-26 17:46 91399338 -c--a-w- c:\program files\WSDashlynn_brooke_FOHS5_clip01.rmvb
2006-10-15 08:47 . 2006-10-15 08:46 3843926 -c--a-w- c:\program files\FFdshow-20060821-rev2546.exe
2007-10-19 19:33 . 2006-11-05 07:29 88 --sh--r- c:\windows\system32\54EDC733EA.sys
2007-10-19 19:33 . 2006-11-05 07:29 3350 -csha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"c:\program files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\winlogin.exe"="c:\program files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\systemclock.exe" [2008-10-31 1396736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
msmngr.exe [2009-8-17 1109560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-24 24576]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/22/2009 12:55 AM 130936]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 10:47 AM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 10:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 10:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 10:47 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 10:47 AM 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/4/2008 3:39 AM 24652]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/22/2009 12:55 AM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-08-20 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

2009-08-25 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Christopher\Application Data\Mozilla\Firefox\Profiles\xuqsdeo1.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-27 00:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-27 0:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-27 04:55

Pre-Run: 2,053,668,864 bytes free
Post-Run: 4,004,474,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

351 --- E O F --- 2009-08-18 08:24

And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:51 AM, on 8/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Scan\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [C:\Program Files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\winlogin.exe] "C:\Program Files\dfjdkjfdkjfldjf\dfjdkjfdkjfldjf\systemclock.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9397 bytes