HELP, I'M BADLY INFECTED! [RESOLVED], CD-Drive opens and closes by itself, Task Manager Disabled, vundo??, 180
DNeath
post Mar 9 2008, 03:59 PM
Post #1


Member
Posts: 11
OS: XP



Ok, my desktop picture has changed into a screen that says I have fatal errors. I keep getting little warning icons stating that I have spyware and should install "such and such" from antispywareupate.net. I've gotten pop-ups stating Trojandownloader.xs, and my Task Manager has been disabled. This thing is really getting nasty, can someone PLEASE HELP ME here.

I've run the ActiveScan, so here is that log:




Incident Status Location

Adware:Adware/SpyAway Not disinfected C:\WINDOWS\system32\mgmrwmrv.exe
Adware:adware/startpage.aco Not disinfected c:\windows\system32\ntnut32.exe
Spyware:spyware/fastsearchweb Not disinfected c:\windows\system32\shdocpe.dll
Adware:adware/123mania Not disinfected c:\windows\system32\SIPSPI32.dll
Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ssqpp.dll
Adware:adware/tubby Not disinfected c:\windows\system32\WER8274.DLL
Adware:adware/ncase Not disinfected c:\windows\180ax.exe
Adware:adware/topconvert Not disinfected c:\windows\updatetc.exe
Adware:adware/portalscan Not disinfected c:\program files\stc
Adware:adware/surfassistant Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:Adware/SpyAway Not disinfected C:\WINDOWS\kvmnovef.exe
Possible Virus. Not disinfected C:\WINDOWS\lsduxqlo.exe
Adware:Adware/Adband Not disinfected C:\WINDOWS\system32\LA664.tmp[ism.exe]



Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:19 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\rqrommk.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {856C2AFA-C61D-4B1F-AE14-2BC52F52377D} - C:\WINDOWS\system32\jkhhi.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {920f9b74-1dd2-11b2-baea-8cad97e0bc6b} - C:\WINDOWS\cfcjqbup.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {AD1D803E-3DFE-4901-BB60-FBF7A67A0105} - C:\WINDOWS\system32\sstqo.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [mdalqzwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mdalqzwp.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1204955462212
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: rqrommk - C:\WINDOWS\SYSTEM32\rqrommk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7415 bytes


Here is my uninstall list:

AppCore
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
Backup
ccCommon
Enable S3 for USB Device
GearDrvs
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HydraVision
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Nero Suite
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Panda ActiveScan
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VIA Integrated Setup Wizard
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2



PLEASE HELP. Last time, upon trying to remove this stuff, I ended up getting an Unknown Hard Error and had to wipe everything from my hard drive.
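Reading a HijackThis log like the one above means spotting a few loader patterns by eye: a second executable appended to the UserInit line, unnamed BHOs and a Winlogon Notify DLL with random-looking names in system32, and a Run key that launches a DLL through `regsvr32 /u`. The script below is an added example, not part of this thread or of HijackThis itself; it applies those checks to lines copied from the posted log, and the vowel-ratio "random name" heuristic is my own assumption rather than a published rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines in HijackThis v2.0.2 format copied from the log posted
# above, plus one Symantec service line as a benign control. Not a complete log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\rqrommk.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O4 - HKLM\..\Run: [mdalqzwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mdalqzwp.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb
O20 - Winlogon Notify: rqrommk - C:\WINDOWS\SYSTEM32\rqrommk.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(docume~1|documents and settings)\\", re.I)
VOWELS = set("aeiouy")


def looks_random(path):
    """Heuristic (my assumption, not a HijackThis rule): the droppers in this log use
    5-8 lowercase letters with almost no vowels, e.g. rqrommk.dll, mgmrwmrv.exe."""
    stem = PureWindowsPath(path).stem
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def extract_path(command):
    """Pull the file path out of a Run-key command, quoted or bare."""
    quoted = re.search(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    bare = re.search(r"[A-Za-z]:\\\S+", command)
    return bare.group(0) if bare else command.split()[0]


def triage(log_text):
    """Return (section, reason, item) findings for the loader patterns seen in this thread."""
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.groups()
        if sec == "F2" and "UserInit=" in body:
            # Stock XP lists only userinit.exe here; anything appended runs at every logon.
            for p in filter(None, body.split("UserInit=", 1)[1].split(",")):
                if PureWindowsPath(p).name.lower() != "userinit.exe":
                    findings.append((sec, "extra UserInit executable", p))
        elif sec == "O2" and body.startswith("BHO: "):
            parts = [x.strip() for x in body[5:].rsplit(" - ", 2)]
            if len(parts) != 3:
                continue
            name, clsid, path = parts
            if path == "(no file)":
                findings.append((sec, "orphaned BHO entry (no file on disk)", clsid))
            elif name == "(no name)" or looks_random(path):
                findings.append((sec, "unnamed or random-named BHO", path))
        elif sec == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1]
            path = extract_path(cmd)
            if cmd.lower().startswith("regsvr32 /u"):
                # regsvr32 /u still loads the DLL to call DllUnregisterServer, so its code runs.
                findings.append((sec, "regsvr32 /u in Run key executes the DLL at logon", path))
            elif USER_PROFILE_RE.match(path) or looks_random(path):
                findings.append((sec, "autorun from user profile or random-named file", path))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            path = body.rsplit(" - ", 1)[1].strip()
            if looks_random(path):
                # Notify DLLs are loaded by winlogon.exe itself, so a random-named one
                # in system32 is a persistence red flag worth checking first.
                findings.append((sec, "random-named Winlogon Notify DLL", path))
    return findings


if __name__ == "__main__":
    for sec, reason, item in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason:<48} {item}")
```

Entries the script flags are candidates for a helper to verify, not a removal list; the benign Symantec BHO and ccApp lines in the sample pass through untouched.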
RatHat
post Mar 9 2008, 06:44 PM
Post #2


GeekU Mod
Posts: 5,234
From: Lake Mabprachan, Thailand
OS: XP SP2 ~ Vista Ultimate



Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download VundoFix from Here to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:





  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following:
  • The contents of the SDFix Report.txt
  • The contents of Vundofix.txt
  • The contents of Combofix.txt


Regards,
RatHat
DNeath
post Mar 9 2008, 08:37 PM
Post #3


Member
Posts: 11
OS: XP



Thanks RatHat, this is greatly appreciated!! So here are the logs. The VundoFix wouldn't run, though; I'm going to post the logs in order and shall post Vundo's error message accordingly. Also wanted to say that the desktop is normal now, and I haven't had any popups.....


SDFix: Version 1.154

Run by Dustin on Sun 03/09/2008 at 09:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Killing PID 1036 'mgmrwmrv.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\trwnrecd\1.png - Deleted
C:\WINDOWS\trwnrecd\2.png - Deleted
C:\WINDOWS\trwnrecd\3.png - Deleted
C:\WINDOWS\trwnrecd\4.png - Deleted
C:\WINDOWS\trwnrecd\5.png - Deleted
C:\WINDOWS\trwnrecd\6.png - Deleted
C:\WINDOWS\trwnrecd\7.png - Deleted
C:\WINDOWS\trwnrecd\8.png - Deleted
C:\WINDOWS\trwnrecd\9.png - Deleted
C:\WINDOWS\trwnrecd\bottom-rc.gif - Deleted
C:\WINDOWS\trwnrecd\config.png - Deleted
C:\WINDOWS\trwnrecd\content.png - Deleted
C:\WINDOWS\trwnrecd\download.gif - Deleted
C:\WINDOWS\trwnrecd\frame-bg.gif - Deleted
C:\WINDOWS\trwnrecd\frame-bottom-left.gif - Deleted
C:\WINDOWS\trwnrecd\frame-h1bg.gif - Deleted
C:\WINDOWS\trwnrecd\head.png - Deleted
C:\WINDOWS\trwnrecd\icon.png - Deleted
C:\WINDOWS\trwnrecd\indexwp.html - Deleted
C:\WINDOWS\trwnrecd\main.css - Deleted
C:\WINDOWS\trwnrecd\memory-prots.png - Deleted
C:\WINDOWS\trwnrecd\net.png - Deleted
C:\WINDOWS\trwnrecd\pc.gif - Deleted
C:\WINDOWS\trwnrecd\pc-mag.gif - Deleted
C:\WINDOWS\trwnrecd\poloska1.png - Deleted
C:\WINDOWS\trwnrecd\poloska2.png - Deleted
C:\WINDOWS\trwnrecd\poloska3.png - Deleted
C:\WINDOWS\trwnrecd\promowp1.html - Deleted
C:\WINDOWS\trwnrecd\promowp2.html - Deleted
C:\WINDOWS\trwnrecd\promowp3.html - Deleted
C:\WINDOWS\trwnrecd\promowp4.html - Deleted
C:\WINDOWS\trwnrecd\promowp5.html - Deleted
C:\WINDOWS\trwnrecd\reg.png - Deleted
C:\WINDOWS\trwnrecd\repair.png - Deleted
C:\WINDOWS\trwnrecd\scr-1.png - Deleted
C:\WINDOWS\trwnrecd\scr-2.png - Deleted
C:\WINDOWS\trwnrecd\start.png - Deleted
C:\WINDOWS\trwnrecd\styles.css - Deleted
C:\WINDOWS\trwnrecd\top-rc.gif - Deleted
C:\WINDOWS\trwnrecd\vline.gif - Deleted
C:\WINDOWS\trwnrecd\wp.png - Deleted
C:\WINDOWS\PerfInfo\lgCqB0L10Nwp.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\mgmrwmrv.exe - Deleted



Folder C:\WINDOWS\PerfInfo - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 22:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 89,088 ..SHR --- "C:\Documents and Settings\Dustin\My Documents\ądobe\mmc.exe"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"

Finished!


Vundo:

Run-time error '309':
Component 'comdlg32.ocx' or one of it's dependencies nor correctly registered: a file is missing or invalid

ComboFix 08-03-09.1 - Dustin 2008-03-09 22:22:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.68 [GMT -4:00]
Running from: C:\Documents and Settings\Dustin\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\mdalqzwp.dll
C:\Documents and Settings\Dustin\My Documents\DOBE~1
C:\Documents and Settings\Dustin\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Dustin\My Documents\DOBE~1\mmc.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cfcjqbup.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\rqrommk.dll
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 21:43 . 2008-03-09 21:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-09 21:23 . 2008-03-09 22:05 <DIR> d-------- C:\SDFix
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 02:49 . 2008-03-09 02:53 198,676,480 --a------ C:\29D.tmp
2008-03-09 02:34 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 02:32 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\tgifeboxdlju.sys
2008-03-09 01:33 . 2008-03-09 16:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 01:33 . 2008-03-09 15:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 01:33 . 2008-03-09 15:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 01:33 . 2008-03-09 15:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 00:26 . 2008-03-09 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-09 00:16 . 2008-03-09 00:16 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Grisoft
2008-03-09 00:15 . 2008-03-09 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 00:15 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 21:58 . 2008-03-08 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\zango
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\stc
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\180solutions
2008-03-08 20:15 . 2008-03-08 20:39 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Symantec
2008-03-08 20:12 . 2008-03-08 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-08 20:12 . 2008-03-09 16:34 <DIR> d-------- C:\Program Files\Norton 360
2008-03-08 20:12 . 2008-03-08 20:12 26,880 --a------ C:\WINDOWS\didduid.ini
2008-03-08 20:11 . 2008-03-08 20:14 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-08 20:11 . 2008-03-08 20:14 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 20:11 . 2008-03-08 20:14 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-08 20:11 . 2008-03-08 20:14 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-08 20:10 . 2008-03-08 20:14 <DIR> d-------- C:\Program Files\Symantec
2008-03-08 20:10 . 2008-03-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-08 19:33 . 2008-03-08 19:33 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-08 17:56 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-08 17:56 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-08 17:56 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-08 17:56 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-08 17:56 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-08 17:56 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-08 17:56 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-08 17:56 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-08 17:56 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-08 17:47 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-08 09:15 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 09:15 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 09:15 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-08 07:47 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:39 . 2008-03-08 07:39 20,736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 07:31 . 2008-03-08 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 07:30 . 2008-03-09 21:45 <DIR> d-------- C:\WINDOWS\trwnrecd
2008-03-08 07:30 . 2008-03-08 07:30 201,216 --a------ C:\WINDOWS\gnulcjkv.dll
2008-03-08 07:30 . 2008-03-08 07:30 88,593 --a------ C:\WINDOWS\kvmnovef.exe
2008-03-08 07:30 . 2008-03-08 07:30 34,304 --a------ C:\WINDOWS\lsduxqlo.exe
2008-03-08 07:29 . 2008-03-08 07:29 295,819 --a------ C:\WINDOWS\system32\LA664.tmp
2008-03-08 07:28 . 2008-03-08 07:29 229,532 --a------ C:\WINDOWS\system32\L8918.tmp
2008-03-08 07:20 . 2008-03-08 23:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-08 06:46 . 2008-03-08 06:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 06:46 . 2008-03-08 06:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-03-08 06:30 . 2008-03-09 22:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\peernet
2008-03-08 06:20 . 2008-03-08 06:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-08 06:16 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-08 06:14 . 2008-03-08 06:14 <DIR> d-------- C:\WINDOWS\EHome
2008-03-08 05:45 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-08 05:45 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-08 05:45 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-08 05:06 . 2005-05-23 10:34 2,920,448 --------- C:\WINDOWS\UNNMP.exe
2008-03-08 05:06 . 2005-11-14 07:11 49,870 --------- C:\WINDOWS\UNNMP.cfg
2008-03-08 05:05 . 2008-03-09 16:32 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 05:04 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-08 05:03 . 2008-03-08 05:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 04:53 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\VIA
2008-03-08 04:53 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-08 04:53 . 2006-02-14 20:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-03-08 04:53 . 2006-06-14 05:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-08 04:53 . 2003-06-12 06:31 75,904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2008-03-08 04:53 . 2004-08-04 02:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-03-08 04:53 . 2004-08-04 02:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-03-08 04:53 . 2006-06-14 04:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-03-08 04:53 . 2004-08-04 02:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-08 04:53 . 2008-03-08 04:53 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Gigabyte
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\AvRack
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-03-08 04:50 . 2001-10-18 00:00 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 04:46 . 2008-03-08 04:47 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 21:43 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-06 21:43 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-05 19:34 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-05 19:34 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-05 19:34 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-05 19:34 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-05 19:34 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-05 19:34 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-05 19:34 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-05 19:34 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-04 20:27 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-02-04 20:27 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-02-04 20:27 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-02-01 22:55 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-02-01 01:51 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-02-01 01:51 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-02-01 01:51 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-01-29 17:01 16,168 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-08 20:13 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 14:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 04:58 65536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-03-08 04:53:49 561152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 06:31]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 22:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 22:28:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-09 22:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 02:32:32
.
2008-03-09 04:07:30 --- E O F ---
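The "Reg Loading Points" section of the ComboFix log above is where a helper decides what goes into a CFScript: it lists autostart values with the file metadata ComboFix could read for each target (a blank `[ ]` means the file was missing or unreadable at scan time, as with the `Trpm` entry), plus policy values that weaken the machine's own defences. The script below is an added example, not part of this thread, of ComboFix, or of any tool named here. It reads lines in the shape of that section and flags the entries a reviewer would look at first: Run values with blank metadata or a target under a user-writable profile path, and policy values that switch off Security Center monitoring, the Windows Firewall, the Registry Editor or Task Manager. The sample lines are copied from the log above; the `DisableTaskMgr` value name is not in this log and is included because it is the standard Windows policy value behind the disabled Task Manager the original poster describes. Flags are review items, not verdicts: a third-party suite such as the Norton install in this log legitimately sets `DisableMonitoring` for its own AV and firewall keys.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    key: str     # registry key the entry was listed under
    name: str    # value name
    detail: str  # why it is worth a second look


# Autostart line as ComboFix prints it: "Name"="path" [date time size]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]\s*$')
# Policy/DWORD line: "Name"=dword:00000001  or  "Name"= 0 (0x0)
VALUE_ENTRY = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>dword:[0-9a-fA-F]+|-?\d+)')

# Path fragments (lower-cased) that mark a user-writable location on XP.
USER_WRITABLE = ("docume~1", "documents and settings", "\\temp\\", "application data")

# (value name, value) pairs that weaken the machine's own defences.
WEAKENING = {
    ("disablemonitoring", 1): "Security Center monitoring switched off (normal when a third-party suite owns it; confirm)",
    ("enablefirewall", 0): "Windows Firewall profile switched off",
    ("disableregistrytools", 1): "Registry Editor disabled by policy",
    ("disabletaskmgr", 1): "Task Manager disabled by policy",
}


def _to_int(value: str) -> int:
    """Normalise 'dword:00000001' and plain '0' to an int."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    return int(value)


def triage(log_text: str) -> List[Finding]:
    """Walk a Reg Loading Points block and return the entries worth reviewing."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new registry key section
            continue
        m = RUN_ENTRY.match(line)
        if m and current_key.lower().endswith("\\run"):
            path = m.group("path")
            reasons = []
            if not m.group("info").strip():
                reasons.append("no file metadata: target missing or unreadable at scan time")
            if any(tok in path.lower() for tok in USER_WRITABLE):
                reasons.append("autostart target under a user-writable profile path")
            if reasons:
                findings.append(Finding(current_key, m.group("name"), "; ".join(reasons)))
            continue
        m = VALUE_ENTRY.match(line)
        if m:
            name = m.group("name")
            detail = WEAKENING.get((name.lower(), _to_int(m.group("value"))))
            if detail:
                findings.append(Finding(current_key, name, detail))
    return findings


# Constructed sample: lines copied from the Reg Loading Points section above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:22} {f.detail}\n    under {f.key}")
```

Run against the sample, the script reports `Trpm` (blank metadata and a My Documents path), `osCheck` (blank metadata only), the Security Center `DisableMonitoring` value and the standard-profile `EnableFirewall=0`, and says nothing about `MSMSGS`, `ctfmon.exe`, `ccApp` or the `DisableRegistryTools` value that is set to 0. Feeding it a whole ComboFix log works the same way, since lines outside the registry block match neither pattern.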
RatHat
post Mar 9 2008, 09:03 PM
Post #4


GeekU Mod
Posts: 5,234
From: Lake Mabprachan, Thailand
OS: XP SP2 ~ Vista Ultimate



1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
C:\29D.tmp
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\LA664.tmp
C:\WINDOWS\system32\L8918.tmp

Folder::
C:\Program Files\180searchassistant
C:\Program Files\zango
C:\Program Files\180solutions

FileLook::
C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
C:\WINDOWS\system32\drivers\tgifeboxdlju.sys

DirLook::
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\trwnrecd



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next post, please include:
  • The contents of Combofix.txt
  • The MBAM report
  • The contents of Kaspersky.txt
  • A fresh HijackThis log, taken after completing all of the above


Regards,
RatHat
DNeath
post Mar 9 2008, 11:43 PM
Post #5


Member
Posts: 11
OS: XP



Here are the new logs you asked for:

ComboFix 08-03-09.1 - Dustin 2008-03-09 23:13:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT -4:00]
Running from: C:\Documents and Settings\Dustin\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dustin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\29D.tmp
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\L8918.tmp
C:\WINDOWS\system32\LA664.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\29D.tmp
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\L8918.tmp
C:\WINDOWS\system32\LA664.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 21:43 . 2008-03-09 21:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-09 21:23 . 2008-03-09 22:05 <DIR> d-------- C:\SDFix
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 02:34 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 02:32 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\tgifeboxdlju.sys
2008-03-09 01:33 . 2008-03-09 16:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 01:33 . 2008-03-09 15:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 01:33 . 2008-03-09 15:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 01:33 . 2008-03-09 15:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 00:26 . 2008-03-09 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-09 00:16 . 2008-03-09 00:16 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Grisoft
2008-03-09 00:15 . 2008-03-09 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 00:15 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 21:58 . 2008-03-08 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\stc
2008-03-08 20:15 . 2008-03-08 20:39 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Symantec
2008-03-08 20:12 . 2008-03-08 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-08 20:12 . 2008-03-09 16:34 <DIR> d-------- C:\Program Files\Norton 360
2008-03-08 20:12 . 2008-03-08 20:12 26,880 --a------ C:\WINDOWS\didduid.ini
2008-03-08 20:11 . 2008-03-08 20:14 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-08 20:11 . 2008-03-08 20:14 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 20:11 . 2008-03-08 20:14 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-08 20:11 . 2008-03-08 20:14 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-08 20:10 . 2008-03-08 20:14 <DIR> d-------- C:\Program Files\Symantec
2008-03-08 20:10 . 2008-03-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-08 19:33 . 2008-03-08 19:33 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-08 17:56 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-08 17:56 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-08 17:56 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-08 17:56 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-08 17:56 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-08 17:56 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-08 17:56 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-08 17:56 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-08 17:56 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-08 17:47 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-08 09:15 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 09:15 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 09:15 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-08 07:47 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:39 . 2008-03-08 07:39 20,736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 07:31 . 2008-03-08 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 07:30 . 2008-03-09 21:45 <DIR> d-------- C:\WINDOWS\trwnrecd
2008-03-08 07:20 . 2008-03-08 23:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-08 06:46 . 2008-03-08 06:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 06:46 . 2008-03-08 06:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-03-08 06:30 . 2008-03-09 22:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\peernet
2008-03-08 06:20 . 2008-03-08 06:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-08 06:16 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-08 06:14 . 2008-03-08 06:14 <DIR> d-------- C:\WINDOWS\EHome
2008-03-08 05:45 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-08 05:45 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-08 05:45 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-08 05:06 . 2005-05-23 10:34 2,920,448 --------- C:\WINDOWS\UNNMP.exe
2008-03-08 05:06 . 2005-11-14 07:11 49,870 --------- C:\WINDOWS\UNNMP.cfg
2008-03-08 05:05 . 2008-03-09 16:32 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 05:04 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-08 05:03 . 2008-03-08 05:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 04:53 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\VIA
2008-03-08 04:53 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-08 04:53 . 2006-02-14 20:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-03-08 04:53 . 2006-06-14 05:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-08 04:53 . 2003-06-12 06:31 75,904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2008-03-08 04:53 . 2004-08-04 02:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-03-08 04:53 . 2004-08-04 02:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-03-08 04:53 . 2006-06-14 04:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-03-08 04:53 . 2004-08-04 02:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-08 04:53 . 2008-03-08 04:53 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Gigabyte
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\AvRack
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-03-08 04:50 . 2001-10-18 00:00 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 04:46 . 2008-03-08 04:47 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-08 02:00 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-08 02:00 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-08 02:00 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-08 02:00 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-08 02:00 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-07 19:22 . 2007-03-19 12:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-02-19 21:06 . 2008-02-19 21:06 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-02-19 21:06 . 2008-02-19 21:06 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 21:43 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-06 21:43 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-05 19:34 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-05 19:34 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-05 19:34 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-05 19:34 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-05 19:34 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-05 19:34 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-05 19:34 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-05 19:34 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-04 20:27 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-02-04 20:27 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-02-04 20:27 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-02-01 22:55 10,549 ----a-w C:\WINDOW