I have included my Hijack this log as well as a Malwarebytes log... please help my computer has gained a mind of its own... pop-ups trojans... downloaders... its losing it. I thank you.

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:50 PM, on 7/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\em90ymr.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\win.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\login.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\em90ymr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Owner\LOCALS~1\Temp\em90ymr.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\Owner\LOCALS~1\Temp\em90ymr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2795 bytes


MALWARE BYTES log:

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

7/4/2009 2:08:17 AM
mbam-log-2009-07-04 (02-08-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 107336
Time elapsed: 2 hour(s), 40 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0044D90.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0044d90 (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5f826be.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system recover! (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VSNAUMI7\fcdzd[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VSNAUMI7\flvjj[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z3ZLU101\wfcdqr[1].htm (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\_A00F5F826BE.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\winlogon.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0044D90.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lich.dat (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\temp\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.

double posted

This post has been edited by fenzodahl512: Jul 4 2009, 11:09 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

ComboFix 09-07-06.02 - Owner 07/06/2009 20:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.121 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\csrss.exe
c:\docume~1\Owner\LOCALS~1\Temp\lsass.exe
c:\docume~1\Owner\LOCALS~1\Temp\services.exe
c:\docume~1\Owner\LOCALS~1\Temp\svchost.exe
c:\docume~1\Owner\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Owner\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\13675304
c:\documents and settings\All Users\Application Data\13675304\13675304
c:\documents and settings\All Users\Application Data\13675304\13675304.exe
c:\documents and settings\Owner\Application Data\wiaserva.log
c:\documents and settings\Owner\Application Data\wiaservg.log
c:\program files\driver
c:\program files\driver\driver.dll
c:\program files\driver\driver.sys
c:\recycler\S-1-5-21-8367736019-9918718930-115108759-8827
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\0101120101465749.dat
c:\windows\freddy49.exe
c:\windows\Installer\5f7bde7.msi
c:\windows\ld10.exe
c:\windows\ld12.exe
c:\windows\mstre19.exe
c:\windows\pp10.exe
c:\windows\system32\anisebal.ini
c:\windows\system32\apuwosir.ini
c:\windows\system32\Data
c:\windows\system32\drivers\aaf10339.sys
c:\windows\system32\elesever.ini
c:\windows\system32\iehelper.dll
c:\windows\system32\wbem\proquota.exe
D:\Autorun.inf

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_aaf10339
-------\Service_driver
-------\Service_driverdrv


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-07 01:05 . 2009-07-04 01:07 1952 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-07 01:05 . 2006-02-15 00:22 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2009-07-03 18:45 . 2009-07-03 18:45 96768 ----a-w- C:\fdvjfx.exe
2009-07-03 18:45 . 2009-07-03 18:45 224843 ----a-w- C:\gklrwl.exe
2009-07-03 18:43 . 1980-08-17 00:00 28160 ----a-w- C:\tcburi.exe.dat
2009-07-03 18:43 . 2009-07-03 18:43 39424 ----a-w- C:\tcburi.exe
2009-07-02 15:56 . 2009-07-02 15:56 1 ---h--w- c:\windows\jmmark2.dat
2009-07-02 15:56 . 2009-07-02 15:56 1 ---h--w- c:\windows\bf23567.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 20:07 . 2008-02-24 21:06 -------- d-----w- c:\program files\uTorrent
2009-07-04 20:02 . 2008-10-13 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-04 16:55 . 2008-10-06 03:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 19:43 . 2009-03-25 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-01-17 04:24 . 2007-10-19 02:11 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-17 04:24 . 2007-10-19 02:11 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-17 04:24 . 2007-10-19 02:11 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-17 04:24 . 2007-10-19 02:11 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-17 04:24 . 2007-10-19 02:11 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 1885464]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 1260296]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"RP_FWS"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"Radialpoint Security Services"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"gusvc"=3 (0x3)
"dvpapi"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"CLTNetCnService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:driver

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
S3 DoradoPC;Conexant VGA Camera;c:\windows\system32\drivers\drdvid40.sys [4/7/2007 12:34 AM 106816]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
S4 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2/26/2008 5:10 PM 67824]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-11-17 14:14]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iis5djvg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 21:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\lich.dat 0 bytes
c:\windows\system32\lich.exe 86016 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lich]
"ImagePath"="\"c:\windows\system32\lich.exe\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6624)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\skeys.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-07 21:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 01:12

Pre-Run: 45,103,001,600 bytes free
Post-Run: 45,023,453,184 bytes free

182 --- E O F --- 2008-07-11 21:32

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:56 PM, on 7/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2726 bytes

1. Please open Notepad

* If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter



2. Now copy/paste the entire content of the codebox below into the Notepad window:



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

* Combofix.txt
* A new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.

If ComboFix fails to upload the file, please find C:\Qoobox\Quarantine\[4]-Submit(time and date here).zip file and upload it at this site

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:32 PM, on 7/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2538 bytes

Err.. ComboFix log please?

sorry all new logs to follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:49 AM, on 7/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2401 bytes


ComboFix 09-07-12.03 - Owner 07/13/2009 11:00.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.111 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 14:53 . 2009-07-04 01:07 1952 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-13 14:53 . 2006-02-15 00:22 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2009-07-03 18:45 . 2009-07-03 18:45 96768 ----a-w- C:\fdvjfx.exe
2009-07-03 18:45 . 2009-07-03 18:45 224843 ----a-w- C:\gklrwl.exe
2009-07-03 18:43 . 1980-08-17 00:00 28160 ----a-w- C:\tcburi.exe.dat
2009-07-03 18:43 . 2009-07-03 18:43 39424 ----a-w- C:\tcburi.exe
2009-07-02 15:56 . 2009-07-02 15:56 1 ---h--w- c:\windows\jmmark2.dat
2009-07-02 15:56 . 2009-07-02 15:56 1 ---h--w- c:\windows\bf23567.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 14:51 . 2008-10-13 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-13 14:48 . 2005-11-07 17:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-13 14:48 . 2008-02-27 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-07-13 14:33 . 2008-02-24 21:06 -------- d-----w- c:\program files\uTorrent
2009-07-04 16:55 . 2008-10-06 03:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 19:43 . 2009-03-25 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-01-17 04:24 . 2007-10-19 02:11 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-17 04:24 . 2007-10-19 02:11 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-17 04:24 . 2007-10-19 02:11 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-17 04:24 . 2007-10-19 02:11 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-17 04:24 . 2007-10-19 02:11 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 1885464]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 1260296]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"RP_FWS"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"Radialpoint Security Services"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"gusvc"=3 (0x3)
"dvpapi"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"CLTNetCnService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:driver

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
S3 DoradoPC;Conexant VGA Camera;c:\windows\system32\drivers\drdvid40.sys [4/7/2007 12:34 AM 106816]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
S4 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2/26/2008 5:10 PM 67824]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-11-17 14:14]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iis5djvg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 11:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\lich.dat 0 bytes
c:\windows\system32\lich.exe 86016 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\lich]
"ImagePath"="\"c:\windows\system32\lich.exe\""
.
Completion time: 2009-07-13 11:09
ComboFix-quarantined-files.txt 2009-07-13 15:08
ComboFix2.txt 2009-07-12 00:43
ComboFix3.txt 2009-07-10 03:08
ComboFix4.txt 2009-07-07 01:12

Pre-Run: 40,280,150,016 bytes free
Post-Run: 40,253,820,928 bytes free

130 --- E O F --- 2008-07-11 21:32


malwarebytes:

Malwarebytes' Anti-Malware 1.32
Database version: 1617
Windows 5.1.2600 Service Pack 2

7/12/2009 12:37:11 AM
mbam-log-2009-07-12 (00-37-11).txt

Scan type: Quick Scan
Objects scanned: 55096
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lich.dat (Stolen.Data) -> Delete on reboot.

Er.. I think you run it wrongly.. I will need you to open Notepad.. Then copy/paste below code into Notepad and save it as CFScript.. After that you MUST drag CFScript on to the ComboFix icon..




Remember to drag the CFScript on top of ComboFix icon just like below



Let ComboFix run and then post the log here..

i apologize... however i did it like you said and that was the result. I have re ran this procedure and here are the results...

Combo fix:

ComboFix 09-07-13.01 - Owner 07/13/2009 17:40.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.168 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

file zipped: C:\fdvjfx.exe
file zipped: C:\gklrwl.exe
file zipped: C:\tcburi.exe
file zipped: C:\tcburi.exe.dat
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\jmmark2.dat
file zipped: c:\windows\system32\lich.dat
file zipped: c:\windows\system32\lich.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fdvjfx.exe
C:\gklrwl.exe
C:\tcburi.exe
C:\tcburi.exe.dat
c:\windows\bf23567.dat
c:\windows\jmmark2.dat
c:\windows\system32\lich.dat
c:\windows\system32\lich.exe

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lich


((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 14:53 . 2009-07-04 01:07 1952 ----a-w- c:\windows\system32\drivers\ALCXWDM.SYS
2009-07-13 14:53 . 2006-02-15 00:22 142464 ----a-w- c:\windows\system32\drivers\aec.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 21:39 . 2008-10-13 00:24 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-07-13 14:48 . 2005-11-07 17:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-13 14:48 . 2008-02-27 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-07-13 14:33 . 2008-02-24 21:06 -------- d-----w- c:\program files\uTorrent
2009-07-04 16:55 . 2008-10-06 03:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 19:43 . 2009-03-25 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-01-17 04:24 . 2007-10-19 02:11 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-17 04:24 . 2007-10-19 02:11 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-17 04:24 . 2007-10-19 02:11 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-17 04:24 . 2007-10-19 02:11 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-17 04:24 . 2007-10-19 02:11 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-12-05 1885464]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-01-08 1260296]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TuneUp.Defrag"=3 (0x3)
"RP_FWS"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"Radialpoint Security Services"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"NVSvc"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"gusvc"=3 (0x3)
"dvpapi"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"CLTNetCnService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/3/2008 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/3/2008 2:07 PM 55024]
S3 DoradoPC;Conexant VGA Camera;c:\windows\system32\drivers\drdvid40.sys [4/7/2007 12:34 AM 106816]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/3/2008 2:07 PM 7408]
S4 Radialpoint Security Services;Verizon Internet Security Suite;c:\program files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe [2/26/2008 5:10 PM 67824]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-17 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-11-17 14:14]
.
.
------- Supplementary Scan -------
.
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\iis5djvg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 17:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\skeys.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-13 17:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 21:53
ComboFix2.txt 2009-07-13 15:09
ComboFix3.txt 2009-07-12 00:43
ComboFix4.txt 2009-07-10 03:08
ComboFix5.txt 2009-07-13 21:39

Pre-Run: 40,154,845,184 bytes free
Post-Run: 40,120,094,720 bytes free

149 --- E O F --- 2008-07-11 21:32

Hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:06 PM, on 7/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2597 bytes

I thank you for your help in this matter.

I don't see any antivirus in the computer.. Now its the good time to install one.. Choose ONLY ONE of below list.. My personal choice would be Avira..

• Avira AntiVir Personal
• Avast! 4 Home Edition
• PC Tools Antivirus
• AVG8 Free

Then do below..

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the ActiveX control to install
4. Click Start
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
6. Click Scan
   Wait for the scan to finish
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
8. Copy and paste that log as a reply to this topic

How's the computer now?

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.