[killing Windows]

Recently I have been having trouble with IE opening random ads. I never use IE, and make a point to use Firefox because of the many problems associated with IE. The title of one of these recent ads said "Outerinfo." And, upon looking in my programs list, I found such a program called OuterInfo. I immediately deleted this and all related folders, making sure to uninstall. The ads still appeared, and I kept having to end the explorer.exe process, then run it again so it wouldn't freak out and use so much CPU.

Upon a friend's recommendation I downloaded Ad-Aware and conducted numerous scans to rid my computer of all malware. "Virtumonde.c" kept showing up; I would delete the files, as well as Tracker Cookies that appeared in the Privacy tab. Decided to Google the file and found that it is responsible for opening up IE and apparently connects itself with explorer.exe, which might explain my other problem.

Followed the advice to install and run VundoFix as well as HJT. Just before running VundoFix I conducted a Smart Scan with Ad-Aware and deleted all Tracker Cookies. Ran VundoFix and deleted the Vundo, rebooted, ran another Ad-Aware scan which uncovered SEVEN Tracker Cookies. (Tell me, how does that happen between a scan and a reboot? *Sigh*)

Ad-Aware does provide Log Files; however, I will only post HJT unless someone thinks the Ad-Aware logs would be useful as well. At the moment, I have just finished another Ad-Aware scan that did not produce any Virtumonde files, only Tracker Cookies.

Note: Per advice, I have not let HJT fix anything. This is the pure log. Help is much appreciated; I have much patience.

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:43 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {912991db-c436-be2a-c1b4-bb4d6391e852} - {258e1936-d4bb-4b1c-a2eb-634cbd199219} - C:\WINDOWS\system32\pmwtdodg.dll (file missing)
O2 - BHO: (no name) - {28A7FBD4-1163-4772-817A-47725387E01A} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvutrsp.dll (file missing)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: wvutrsp - wvutrsp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3805 bytes

[Advertisements]

Hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[loophole]

Hi

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[killing Windows]

Hiya

Combfix

ComboFix 08-01-15.1 - admin 2008-01-14 16:05:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.696 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Program Files\Common Files\AOL\1163468627\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\RCX37.tmp
C:\WINDOWS\system32\whvtugiv.ini
C:\WINDOWS\system32\wtsisvcc.exe

<pre>
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4   .exe ---> Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe ---> SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe ---> CLIStart.exe
C:\Program Files\Common Files\AOL\1163468627\ee\AOLSoftware .exe ---> AOLSoftware.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend .exe ---> IPHSend.exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper .exe ---> iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> jusched.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon .exe ---> lxdiamon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon .exe ---> lxdimon.exe
C:\Program Files\Microsoft IntelliPoint\point32 .exe ---> point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32 .exe ---> type32.exe
C:\Program Files\QuickTime\qttask   .exe ---> qttask.exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>

.
.
((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-14 16:04 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 19:18 . 2008-01-13 19:18 <DIR> d-------- C:\VundoFix Backups
2008-01-13 10:05 . 2008-01-13 10:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 10:05 . 2008-01-13 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 10:04 . 2008-01-13 10:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 18:10 . 2008-01-13 09:31 163 --a------ C:\WINDOWS\wininit.ini
2008-01-12 09:23 . 2008-01-15 16:50 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-12 09:20 . 2008-01-12 11:27 386,048 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-01-12 09:19 . 2008-01-12 09:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 09:19 . 2008-01-12 09:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-03 11:24 . 2008-01-03 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-01-03 11:24 . 2008-01-03 11:24 <DIR> d-------- C:\Documents and Settings\admin\Application Data\ATI
2008-01-02 22:29 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-01 17:57 . 2008-01-02 11:57 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-28 10:49 . 2007-12-28 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-28 10:24 . 2007-12-28 10:24 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Sandlot Games
2007-12-27 10:33 . 2007-12-27 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-25 16:17 . 2007-12-26 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-25 16:17 . 2007-12-28 10:50 <DIR> d-------- C:\Documents and Settings\admin\Application Data\PlayFirst
2007-12-25 12:36 . 2008-01-13 15:13 <DIR> d-------- C:\My Download Files
2007-12-25 12:34 . 2007-12-25 12:34 <DIR> d-------- C:\Program Files\Real
2007-12-25 12:34 . 2007-12-28 10:33 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 21:50 --------- d-----w C:\Program Files\QuickTime
2008-01-15 21:50 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-15 21:50 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-15 21:50 --------- d-----w C:\Program Files\Lexmark 3500-4500 Series
2008-01-15 21:50 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 14:54 --------- d-----w C:\Program Files\Java
2008-01-12 16:30 --------- d-----w C:\Program Files\Logitech
2008-01-03 17:10 --------- d-----w C:\Program Files\AIM6
2008-01-03 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-03 04:16 --------- d-----w C:\Program Files\Steam
2008-01-03 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 22:57 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-11-29 02:48 --------- d-----w C:\Documents and Settings\admin\Application Data\Lexmark Productivity Studio
2007-11-21 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-19 03:08 --------- d-----w C:\Program Files\Microsoft Works
2007-11-19 03:07 --------- d-----w C:\Program Files\Microsoft.NET
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{258e1936-d4bb-4b1c-a2eb-634cbd199219}]
C:\WINDOWS\system32\pmwtdodg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28A7FBD4-1163-4772-817A-47725387E01A}]
C:\WINDOWS\system32\ddcya.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvutrsp]
wvutrsp.dll

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2429ec4c]
C:\WINDOWS\system32\cnlfxmvj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 11:27 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmwltry]
--a------ 2003-05-26 15:48 413696 C:\WINDOWS\system32\bcmwltry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
--a------ 2008-01-12 11:27 61440 C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-12 11:27 50760 C:\Program Files\Common Files\AOL\1163468627\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2008-01-12 11:27 217088 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2008-01-12 11:27 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-12 11:27 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ddcya.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-07-22 23:25 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
--a------ 2008-01-12 11:27 20480 C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
--a------ 2008-01-12 11:27 435120 C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removecpl]
--a------ 2003-01-16 11:33 24576 C:\WINDOWS\system32\RemoveCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2008-01-12 11:27 790528 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-12 11:27 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-13 12:03 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2008-01-12 11:27 196608 C:\Program Files\Microsoft IntelliType Pro\type32.exe

R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-04-26 10:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 10:38]

.
Contents of the 'Scheduled Tasks' folder
"2007-01-21 17:50:41 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 16:59:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 17:02:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 22:02:14
.
2008-01-08 23:41:33 --- E O F ---


and HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:21 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {912991db-c436-be2a-c1b4-bb4d6391e852} - {258e1936-d4bb-4b1c-a2eb-634cbd199219} - C:\WINDOWS\system32\pmwtdodg.dll (file missing)
O2 - BHO: (no name) - {28A7FBD4-1163-4772-817A-47725387E01A} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: wvutrsp - wvutrsp.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3694 bytes

[loophole]

Hi again

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: {912991db-c436-be2a-c1b4-bb4d6391e852} - {258e1936-d4bb-4b1c-a2eb-634cbd199219} - C:\WINDOWS\system32\pmwtdodg.dll (file missing)
O2 - BHO: (no name) - {28A7FBD4-1163-4772-817A-47725387E01A} - C:\WINDOWS\system32\ddcya.dll (file missing)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O20 - Winlogon Notify: wvutrsp - wvutrsp.dll (file missing)

Now click "Fix Checked" and close Hijackthis

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.





Download the file & save it as it's originally named, next to ComboFix.exe.






Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

[killing Windows]

I checked and fixed those entries in HJT just fine.

However, after installing the Windows boot disk file, I tried to drag it onto ComboFix and got a message saying that CFScript was 'incorrectly spelt'. I deleted the file and downloaded again, and actually tried dragging it onto ComboFix a few more times, but each time I got the same error message.

Sorry!

[loophole]

May have been a bug in combofix yesterday.

• Click START then RUN
• Now type Combofix /u in the runbox and click OK
  
  
  [list]
• 

Please download ComboFix from Here and try it again according to the previous directions

[killing Windows]

Worked!

CF_RC:

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

[loophole]

Perfect

How is the computer running? If good I think we can close this up

[killing Windows]

Right now, it's good. I have two concerns though.

When I do Ad-Aware scans, Tracking Cookies and things called 'MRU' (I think) keep appearing. I know Tracking Cookies are standard with most web sites, but are the others a threat to my computer?

Also, VERY rarely these little square ads pop up in my Firefox browser, almost as if they were brought up by the site itself, but they disappear after 3 seconds. And they all seem to be of the same type...I've tried to look for an example, but like I said, it happens very rarely.

Other than that, everything is smooth!

[loophole]

Hi

MRU is short for "Most Recently Used". Applications such as Microsoft Word, etc use these as a convenient way for you to open files that you have used recently. They are not malicious. They may represent a privacy issue on shared computer as other technically competent users on the computer maybe able to see these MRUs lists. As such there are tools such as Ad-Aware that allow you to optionally delete these MRU lists for a vast range of applications.

Down to your discretion if you want to remove the MRU lists, if you do then the recently used files list will no longer be available in the application.

You can set Ad-Aware 2007 not to scan for MRU items. Start Ad-Aware 2007, click the settings button then click on the scanning tab and uncheck "Scan for MRUs" and click on save.

The other sounds like normal ad based pop ups. Legitimate sites have them. I get them sometimes to. Probably just slipped through the pop up blocker. They continually try to find ways to get around them but they aren't malicious, more of ann anoyance

[killing Windows]

Alrighty, that makes sense.

Thanks so much for helping me out!!

[loophole]

No problem

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here

[killing Windows]

Ok, I hate to be a nuisance, but the IE ads are pretty much back full force...

It's got to be some site that someone else goes to because it only happens when friends have been on the computer.

Did an Ad-Aware scan which came up with 48 critical objects in the following:
CmdServices
Adware.StarsRoute
Hacktool.Netmon
Adware.DollarRevenue
Win32.TrojanDownloader.Small
and two other Win32 families, including one that is a virus that cannot be removed


I'm kicking all of my friends' asses..

Help!!

Edited by killing Windows, 19 January 2008 - 06:14 PM.

[loophole]

Hmm, post me a new Hijack log and combofix log please

[killing Windows]

I'm pretty much a dumb [bleep] but I didn't receive email notification for your latest response, so I thought that this topic had been considered closed so I went and posted a new topic like an idiot...Forgive me.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3316 bytes



ComboFix:

ComboFix 08-01-20.1 - admin 2008-01-20 20:24:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.468 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\My Documents\SSEMBL~1
C:\Documents and Settings\admin\My Documents\SSEMBL~1\d?xplore.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\sks~1
C:\Program Files\sks~1\winlogon.exe
C:\Program Files\Temporary
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
C:\WINDOWS\system32\iifgggf.dll
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\ututv.ini2
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.exe
C:\WINDOWS\uninstall_nmon.vbs

<pre>
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>

.
----- Unknown downloads made by BITS: ----
http://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-20 20:23 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-19 18:37 . 2008-01-19 07:50 <DIR> d--hs---- C:\WINDOWS\UmFjaGVsIFN0dWFydA
2008-01-19 18:17 . 2008-01-20 20:27 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-18 04:23 . 2001-08-17 13:49 237,728 --a------ C:\cmldr
2008-01-18 04:23 . 2008-01-13 19:09 211 --a------ C:\Boot.bak
2008-01-13 19:32 . 2008-01-13 19:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 10:05 . 2008-01-13 10:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-13 10:05 . 2008-01-13 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-13 10:04 . 2008-01-13 10:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-12 18:10 . 2008-01-13 09:31 163 --a------ C:\WINDOWS\wininit.ini
2008-01-03 11:24 . 2008-01-03 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-01-03 11:24 . 2008-01-03 11:24 <DIR> d-------- C:\Documents and Settings\admin\Application Data\ATI
2008-01-02 22:29 . 2008-01-02 22:32 <DIR> d-------- C:\Program Files\ATI Technologies
2008-01-01 17:57 . 2008-01-02 11:57 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-28 10:49 . 2007-12-28 10:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-12-28 10:24 . 2007-12-28 10:24 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-27 10:34 . 2007-12-27 10:34 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Sandlot Games
2007-12-27 10:33 . 2007-12-27 23:18 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-25 16:17 . 2007-12-26 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-12-25 16:17 . 2007-12-28 10:50 <DIR> d-------- C:\Documents and Settings\admin\Application Data\PlayFirst
2007-12-25 12:36 . 2008-01-13 15:13 <DIR> d-------- C:\My Download Files
2007-12-25 12:34 . 2007-12-25 12:34 <DIR> d-------- C:\Program Files\Real
2007-12-25 12:34 . 2007-12-28 10:33 <DIR> d-------- C:\Program Files\Common Files\Real

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 23:28 10 ----a-w C:\Program Files\.autoreg
2008-01-15 21:50 --------- d-----w C:\Program Files\QuickTime
2008-01-15 21:50 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-01-15 21:50 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-01-15 21:50 --------- d-----w C:\Program Files\Lexmark 3500-4500 Series
2008-01-15 21:50 --------- d-----w C:\Program Files\iTunes
2008-01-13 17:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 16:20 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-13 14:54 --------- d-----w C:\Program Files\Java
2008-01-12 19:21 505,856 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-12 16:30 --------- d-----w C:\Program Files\Logitech
2008-01-03 17:10 --------- d-----w C:\Program Files\AIM6
2008-01-03 17:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-01-03 04:16 --------- d-----w C:\Program Files\Steam
2008-01-03 03:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-01 22:57 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-05 19:17 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:05 368,640 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:48 9,535,488 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:14 180,224 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-11-29 02:48 --------- d-----w C:\Documents and Settings\admin\Application Data\Lexmark Productivity Studio
2007-11-21 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\UmFjaGVsIFN0dWFydA\oAI3u3pPKIhXxqIVxE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\admin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2429ec4c]
C:\WINDOWS\system32\cnlfxmvj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 11:27 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmwltry]
--a------ 2003-05-26 15:48 413696 C:\WINDOWS\system32\bcmwltry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2008-01-12 11:27 50760 C:\Program Files\Common Files\AOL\1163468627\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2008-01-12 11:27 217088 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
--a------ 2008-01-12 11:27 124520 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-12 11:27 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\ddcya.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2005-07-22 23:25 28160 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdiamon]
--a------ 2008-01-12 11:27 20480 C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdimon.exe]
--a------ 2008-01-12 11:27 435120 C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removecpl]
--a------ 2003-01-16 11:33 24576 C:\WINDOWS\system32\RemoveCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2008-01-12 11:27 790528 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-12 11:27 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-01-13 12:03 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2008-01-12 11:27 196608 C:\Program Files\Microsoft IntelliType Pro\type32.exe

R2 lxdi_device;lxdi_device;C:\WINDOWS\system32\lxdicoms.exe [2007-04-26 10:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-04-26 10:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 11:53:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 20:31:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-20 20:34:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-21 01:34:30
.
2008-01-08 23:41:33 --- E O F ---