ZmanGT

I was able to run both ComboFix and HijackThis. Logs are below. ComboFix 09-01-17.04 - Nick 2009-01-18 10:39:36.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1551 [GMT -5:00] Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe AV: avast! antivirus 4.8.1296 [VPS 090117-0] *On-access scanning disabled* (Updated) . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Alesha\Local Settings\Temporary Internet Files\fbk.sts c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\UACfqyiabpn.log c:\windows\system32\UACjvwqtymx.dat c:\windows\system32\UACyqbbwnfn.dll ----- BITS: Possible infected sites ----- hxxp://download.esd.intuit.com . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 ))))))))))))))))))))))))))))))) . 2009-01-14 17:24 . 2009-01-14 17:24 <DIR> d-------- c:\program files\Alwil Software 2009-01-14 17:24 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll 2009-01-14 17:22 . 2009-01-14 17:22 <DIR> d-------- c:\program files\Trend Micro 2009-01-14 17:06 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys 2009-01-14 17:06 . 2004-08-03 22:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys 2009-01-14 14:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-14 14:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-14 14:18 . 2009-01-18 08:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-11 15:00 . 2009-01-11 15:12 139,296 --ahs---- c:\windows\system32\drivers\fidbox2.dat 2009-01-11 15:00 . 2009-01-11 15:12 2,604 --ahs---- c:\windows\system32\drivers\fidbox2.idx 2009-01-11 15:00 . 2009-01-11 15:12 32 --ahs---- c:\windows\system32\drivers\fidbox.idx 2009-01-11 15:00 . 2009-01-11 15:12 32 --ahs---- c:\windows\system32\drivers\fidbox.dat 2009-01-11 13:36 . 2009-01-11 13:36 <DIR> d-------- c:\documents and settings\Nick\Application Data\Kaspersky_Key_Finder_(KKF 2009-01-11 13:36 . 2009-01-11 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2009-01-11 13:35 . 2009-01-14 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8 2009-01-10 14:32 . 2009-01-10 14:32 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0 2009-01-10 09:28 . 2009-01-10 09:28 <DIR> d-------- c:\program files\TurboTax 2008-12-29 23:01 . 2009-01-14 17:17 <DIR> d-------- c:\program files\Windows Home Server 2008-12-24 15:51 . 2007-06-20 20:46 266,088 --a------ c:\windows\system32\xactengine2_8.dll 2008-12-24 15:51 . 2007-06-20 20:45 18,280 --a------ c:\windows\system32\x3daudio1_2.dll 2008-12-24 15:42 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll 2008-12-24 15:42 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll 2008-12-24 15:42 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll 2008-12-24 15:42 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll 2008-12-24 15:42 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll 2008-12-24 12:27 . 2008-12-24 12:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nero 2008-12-24 12:26 . 2009-01-14 16:55 <DIR> d-------- c:\documents and settings\Administrator 2008-12-23 14:57 . 2008-12-23 14:57 <DIR> d-------- c:\program files\Guitar Pro 5 2008-12-22 10:14 . 2008-12-22 10:14 <DIR> d-------- c:\windows\Samsung 2008-12-22 10:14 . 2008-02-23 21:37 479,232 --a------ c:\windows\ssndii.exe 2008-12-22 10:14 . 2008-03-16 20:10 57,344 --a------ c:\windows\system32\ssdevm.dll 2008-12-22 10:14 . 2007-08-13 01:26 49,152 --a------ c:\windows\system32\ssusbpn.dll 2008-12-22 10:14 . 2007-08-13 01:26 44,544 --a------ c:\windows\system32\msxml4a.dll 2008-12-22 10:14 . 2007-08-13 01:26 21,776 --a------ c:\windows\system32\msxml2a.dll 2008-12-22 10:13 . 2007-08-13 04:39 151,552 --a------ c:\windows\system32\cl31cci.exe 2008-12-22 10:13 . 2007-08-13 04:39 65,536 --a------ c:\windows\system32\cl31cci.dll 2008-12-22 10:13 . 2007-08-13 04:39 22,723 --a------ c:\windows\system32\cl31cl3.dll 2008-12-22 10:13 . 2007-08-12 21:47 11,502 --------- c:\windows\Dr. Printer Icon.ico 2008-12-22 10:13 . 2007-08-13 04:39 361 --a------ c:\windows\system32\cl31cl3.smt 2008-12-22 10:12 . 2008-12-22 10:12 <DIR> d-------- c:\windows\system32\drivers\Samsung 2008-12-22 10:11 . 2008-12-22 10:11 <DIR> d-------- c:\program files\Samsung . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-18 13:13 --------- d-----w c:\program files\lx_cats 2009-01-11 20:12 --------- d-----w c:\program files\PeerGuardian2 2009-01-11 20:12 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent 2009-01-11 00:14 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-10 19:32 --------- d-----w c:\documents and settings\Nick\Application Data\Intuit 2009-01-10 19:31 --------- d-----w c:\program files\Common Files\Intuit 2009-01-10 19:31 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit 2009-01-05 15:42 --------- d-----w c:\documents and settings\Alesha\Application Data\uTorrent 2008-12-23 18:13 --------- d-----w c:\program files\EPSON 2008-12-04 01:29 --------- d-----w c:\program files\Apple Software Update 2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf 2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf 2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf 2008-11-30 19:51 --------- d-----w c:\program files\Zune 2008-11-10 17:23 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe 2008-11-10 17:23 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe 2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll 2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll 2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll 2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll 2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll 2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll 2008-11-03 20:59 107,888 ----a-w c:\windows\system32\CmdLineExt.dll 2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key 2008-05-25 11:36 22,328 ----a-w c:\documents and settings\Nick\Application Data\PnkBstrK.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536] "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664] "NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352] "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000] "RTHDCPL"="RTHDCPL.EXE" [2006-10-11 c:\windows\RTHDCPL.exe] "nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=sweppy.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winip40.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] --a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint] --a------ 2006-02-07 00:10 98304 c:\program files\Lexmark 2400 Series\ezprint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2008-06-02 10:13 267048 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel] --a------ 2008-08-22 13:13 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe] --a------ 2006-03-06 12:48 286720 c:\program files\Lexmark 2400 Series\lxcrmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-14 111184] R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-14 20560] R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088] S0 Winip40;Winip40;c:\windows\system32\Drivers\Winip40.sys --> c:\windows\system32\Drivers\Winip40.sys [?] S3 PYKH;PYKH;c:\docume~1\Nick\LOCALS~1\Temp\PYKH.exe --> c:\docume~1\Nick\LOCALS~1\Temp\PYKH.exe [?] S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] "c:\program files\Common Files\LightScribe\LSRunOnce.exe" . Contents of the 'Scheduled Tasks' folder 2008-05-25 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job - c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 11:13] . - - - - ORPHANS REMOVED - - - - BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\rwhbfb873unjdfdg.dll SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\rwhbfb873unjdfdg.dll MSConfigStartUp-Antivirus - c:\program files\VAV\vav.exe MSConfigStartUp-Ododivagoxoyiv - c:\windows\Atutulaze.dll MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe . ------- Supplementary Scan ------- . uInternet Connection Wizard,ShellNext = hxxp://www.utorrent.com/testport.php?port=60459 uInternet Settings,ProxyOverride = *.local FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\2d2531wt.default\ . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-18 10:45:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-515967899-1229272821-725345543-1003\Software\SecuROM\License information*] "datasecu"=hex:d0,c3,0f,8c,11,0c,af,30,dd,bc,2f,88,50,58,11,1d,a0,bb,67,30,1a, c7,15,c4,53,0c,b5,d8,bf,88,45,35,d0,aa,d0,9f,29,4b,eb,83,d6,2f,59,62,52,6f,\ "rkeysecu"=hex:84,37,6b,d8,a3,7f,e0,d4,e4,5d,a6,9b,82,eb,05,a7 . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\rundll32.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Microsoft IntelliPoint\dpupdchk.exe c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\IoctlSvc.exe c:\windows\system32\ZuneBusEnum.exe c:\program files\Zune\ZuneNss.exe c:\program files\Common Files\Nero\Lib\NMIndexingService.exe c:\windows\system32\wscntfy.exe c:\windows\system32\lxcrcoms.exe . ************************************************************************** . Completion time: 2009-01-18 10:50:43 - machine was rebooted [Nick] ComboFix-quarantined-files.txt 2009-01-18 15:50:40 Pre-Run: 65,052,880,896 bytes free Post-Run: 65,714,819,072 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS [operating systems] d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 217 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:53:08 AM, on 1/18/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\lxcrcoms.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=60459 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208719345109 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208719501265 O20 - AppInit_DLLs: sweppy.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: PYKH - Unknown owner - C:\DOCUME~1\Nick\LOCALS~1\Temp\PYKH.exe (file missing) -- End of file - 7191 bytes

Looks like if I download ComboFix from any of the 3 links you provided I get a non English version. I can still click through and run it but I'm afraid the log that's created will not be in English and may not be of help to you. If you think you can still read it I will run it, if not do you know where I can get an English version?

The Anti-Virus rescue CD seems to have cleaned up some of the mess. I can now run ComboFix and Malwarebytes. I tried to run ComboFix but the file is not running in English, it appears to be German but I could be wrong about that too. I'm not sure why it's not running in English. Other programs appear ok and system settings have English as the language for the system. I'm going to download the file on another machine and make sure it's english then transfer it to the bad machine. Also right now I'm running a full Malwarebytes scan to see if it helps. Once I get the file on there I will post the logs today. Thank you for your help.

I am booting to the Avira AntiVir Rescue CD to see if can cleat my computer up to the level where I can run some of the utilities that will help.

Sorry to be a pain but I can't get ComboFix.exe to run either. Other exe work fine, it appears limited to only stopping exe's that will help me. I did open device manager, show hidden devices but I never saw anything called TDDSys or similar. Any other thoughts? Can I run ComboFix in safe mode w/networking?

AdvancedSetup, Thanks for your help. Right now it appears that mbam.exe does not run, and even when I rename it does not run (Unless I'm in safe mode). Is there a way to fix this? If I rename it and run it in safe mode it works but anything that needs to be removed after a reboot fails because on a reboot it tries to run mbam.exe to remove the files but that exe can't be found as it's renamed to myprogram.exe What can I do to fix this? Thank you for your help. I sincerely appreciate it.

I got infected by Spyware Guard 2008. I was running Free AVG on my computer (Windows XP sp3) however it would crash anytime I ran a scan, Malwarebytes would not run either. Finally I was able to boot into safemode and rename mbam.exe so I could get a scan going. It removed most of the threat. When I booted back into Windows however FreeAVG would still not scan. I uninstalled it and installed Avast and did a scan. No virus' were found. However when I open IE I get redirected to spyware pages and ad's still pop up. Malwarebytes will still not open unless I rename the exe, but it does not find any threats. I ran Hijack this and have attached the log. Any help would be greatly appreciated. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:03:02 PM, on 1/14/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Zune\ZuneLauncher.exe C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\WINDOWS\system32\lxcrcoms.exe C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=60459 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing) O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208719345109 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208719501265 O20 - AppInit_DLLs: sweppy.dll O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe -- End of file - 7806 bytes