
Can't shake this 'Spyware Guard 2008' [Solved]


This topic is locked

#1 Inysy (Member, 13 posts)
Hello, I somehow contracted this malware while eating dinner...

Anyhow, it's terrible with all its popups and stuff. I've tried Malwarebytes Anti-Malware, and AVG does nothing.
If there's any more information I can provide, please let me know.


Here's my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:49 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINXP\explorer.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\rundll32.exe
C:\WINXP\system32\winscenter.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINXP\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9785] command /c del "C:\Program Files\Spyware Guard 2008\spywareguard.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5931] cmd /c del "C:\Program Files\Spyware Guard 2008\spywareguard.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2541] command /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8600] cmd /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2774] command /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5469] cmd /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8916] command /c del "C:\Program Files\Spyware Guard 2008\spywareguard.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4773] cmd /c del "C:\Program Files\Spyware Guard 2008\spywareguard.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8343] command /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9813] cmd /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2618] command /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1437] cmd /c del "C:\Documents and Settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll ndhiqc.dll
O21 - SSODL: ieModule - {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: lxcg_device - - C:\WINXP\system32\lxcgcoms.exe

--
End of file - 6491 bytes




Thanks in advance

-Jacob


#2 JSntgRvr (Global Moderator, 11,579 posts)
Hi, Inysy :)

Welcome.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

#3 Inysy (Topic Starter, Member, 13 posts)
Thanks, I ran ComboFix and here's the log:

ComboFix 08-12-07.04 - jacob 2008-12-09 1:37:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.587 [GMT -5:00]
Running from: c:\documents and settings\jacob.HARRIS-30403FC7\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINXP\Application Data\svhost.exe
c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\inst.exe
c:\documents and settings\jacob.HARRIS-30403FC7\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Jacob\Application Data\inst.exe
c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\recycler\desktopA.sys
c:\winxp\reged.exe
c:\winxp\spoolsystem.exe
c:\winxp\sys.com
c:\winxp\syscert.exe
c:\winxp\sysexplorer.exe
c:\winxp\system32\winscenter.exe
c:\winxp\Tasks\lqvaohnw.job
c:\winxp\vmreg.dll
c:\winxp\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 01:44 . 2008-12-09 01:44 <DIR> d-------- c:\program files\Spyware Guard 2008
2008-12-09 01:44 . 2008-12-09 01:44 1,003,957 --a------ c:\winxp\sysexplorer.exe
2008-12-09 01:44 . 2008-12-09 01:44 294,912 --a------ c:\winxp\system32\winscenter.exe
2008-12-09 01:44 . 2008-12-09 01:44 134,149 --a------ c:\winxp\reged.exe
2008-12-09 01:44 . 2008-12-09 01:44 51,197 --a------ c:\winxp\spoolsystem.exe
2008-12-09 01:44 . 2008-12-09 01:44 50,620 --a------ c:\winxp\sys.com
2008-12-09 01:44 . 2008-12-09 01:44 47,872 --a------ c:\winxp\syscert.exe
2008-12-09 01:44 . 2008-12-09 01:44 18,941 --a------ c:\winxp\vmreg.dll
2008-12-08 23:07 . 2008-12-08 23:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-08 20:39 . 2008-12-08 22:12 692 --a------ c:\winxp\wininit.ini
2008-12-08 20:07 . 2008-12-08 20:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 20:07 . 2008-12-08 20:40 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Spybot - Search & Destroy
2008-12-08 20:06 . 2008-12-08 20:06 <DIR> d-------- c:\program files\Lavasoft
2008-12-08 20:06 . 2008-12-08 20:08 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Lavasoft
2008-12-08 20:05 . 2008-12-08 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-08 19:58 . 2008-12-08 19:58 <DIR> d-------- c:\program files\Safer Networking
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-03 19:53 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2008-12-08 19:10 . 2008-12-03 19:53 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2008-12-08 18:53 . 2008-12-08 18:53 <DIR> d-------- c:\program files\EUSING FREE REGISTRY CLEANER
2008-12-08 17:54 . 2008-12-08 17:54 <DIR> d-------- c:\program files\GrandPack
2008-12-08 17:53 . 2008-12-08 17:53 158,208 --a------ c:\winxp\system32\dwmqbops.exe
2008-12-06 19:59 . 2008-12-06 19:59 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-06 19:49 . 2008-12-06 19:49 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Red Kawa
2008-12-06 19:46 . 2008-12-06 19:46 <DIR> d-------- c:\program files\Red Kawa
2008-12-06 19:45 . 2008-12-06 19:45 <DIR> d-------- C:\OpenCandy
2008-12-04 01:04 . 2008-12-06 00:24 <DIR> d-------- c:\program files\Total Video Converter
2008-12-04 01:04 . 2000-05-22 22:58 608,448 --a------ c:\winxp\system32\comctl32.ocx
2008-12-02 18:59 . 2008-12-02 18:59 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\DivX
2008-12-02 18:58 . 2008-12-02 18:59 <DIR> d-------- c:\program files\DivX
2008-12-02 18:38 . 2008-12-02 18:38 <DIR> d-------- c:\program files\Webteh
2008-11-25 22:32 . 2008-02-28 12:26 1,414,440 --a------ c:\winxp\system32\ShellManager310E2D762.dll
2008-11-25 22:32 . 2008-02-28 12:01 774,144 --a------ c:\winxp\system32\NEROINSTAEC43759.DB
2008-11-25 22:31 . 2008-11-25 22:31 0 --a------ c:\winxp\Irremote.ini
2008-11-20 21:52 . 2006-02-27 20:41 14,976 --a------ c:\winxp\system32\drivers\xbcd.sys
2008-11-17 23:50 . 2008-11-20 22:05 <DIR> d-------- c:\program files\XBCD+
2008-11-16 13:56 . 2008-11-16 14:19 <DIR> d-------- c:\program files\Mixxx
2008-11-15 13:15 . 2008-11-15 13:15 <DIR> d-------- c:\program files\PlayOnline
2008-11-13 09:59 . 2008-11-13 09:59 <DIR> d-------- c:\program files\Handbrake
2008-11-11 18:23 . 2008-11-11 18:23 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Adobe Systems
2008-11-11 18:23 . 2001-08-17 22:36 5,632 --a------ c:\winxp\system32\ptpusb.dll
2008-11-11 18:22 . 2004-08-04 00:56 159,232 --a------ c:\winxp\system32\ptpusd.dll
2008-11-10 19:03 . 2008-11-10 19:04 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\FaxCtr
2008-11-10 15:00 . 2008-11-10 15:01 <DIR> d-------- c:\program files\Lexmark Fax Solutions
2008-11-10 15:00 . 2008-11-10 15:00 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\FaxCtr
2008-11-10 15:00 . 2003-03-11 17:26 339,968 --a------ c:\winxp\system32\IMGMAN32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,345 --a------ c:\winxp\system32\IMHOST32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,304 --a------ c:\winxp\system32\IM31XPNG.DEL
2008-11-10 15:00 . 2003-03-11 17:26 69,632 --a------ c:\winxp\system32\IM31XTIF.DEL
2008-11-10 15:00 . 2003-03-11 17:26 49,152 --a------ c:\winxp\system32\IM31IMG.DIL
2008-11-10 15:00 . 2005-07-12 08:33 32,768 --a------ c:\winxp\system32\LXPRMON.DLL
2008-11-10 15:00 . 2005-07-12 08:33 20,480 --a------ c:\winxp\system32\LXPMONUI.DLL
2008-11-10 15:00 . 2005-07-12 08:36 12,288 --a------ c:\winxp\system32\LXPMONRC.DLL
2008-11-10 14:59 . 2008-11-10 15:01 23,069 --a------ c:\winxp\system32\LexFiles.ulf
2008-11-10 14:58 . 2008-11-11 13:12 <DIR> d-------- c:\program files\Lx_cats
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a------ c:\winxp\system32\wiafbdrv.dll
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a--c--- c:\winxp\system32\dllcache\wiafbdrv.dll
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a------ c:\winxp\system32\drivers\usbscan.sys
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a--c--- c:\winxp\system32\dllcache\usbscan.sys
2008-11-10 14:58 . 2005-08-17 01:46 1,214 -ra------ c:\winxp\system32\lxcg.loc
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\program files\Lexmark 2300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 06:45 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\OpenOffice.org2
2008-12-09 00:37 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\avg8
2008-12-08 20:54 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\uTorrent
2008-12-07 21:54 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\foobar2000
2008-12-07 00:46 --------- d-----w c:\program files\AviSynth 2.5
2008-11-27 19:33 --------- d-----w c:\program files\Opera
2008-11-26 03:33 --------- d-----w c:\program files\Common Files\Nero
2008-11-26 03:33 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Nero
2008-11-26 03:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 03:14 --------- d-----w c:\program files\WIDI VST 1.10
2008-11-16 18:59 --------- d-----w c:\program files\Vstplugins
2008-11-11 23:25 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 19:12 --------- d-----w c:\program files\Guild Wars
2008-10-29 03:24 --------- d-----w c:\program files\Acoustica Shared Effects
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\winxp\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\winxp\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\winxp\system32\DivX.dll
2008-10-24 11:10 453,632 ----a-w c:\winxp\system32\drivers\mrxsmb.sys
2008-10-21 21:12 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Vso
2008-10-20 03:00 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Ableton
2008-10-20 02:58 --------- d-----w c:\program files\Ableton
2008-10-16 19:13 202,776 ----a-w c:\winxp\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winxp\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winxp\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winxp\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winxp\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winxp\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winxp\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winxp\system32\wups.dll
2008-10-15 20:12 --------- d-----w c:\program files\BFG
2008-10-15 20:06 --------- d-----w c:\program files\ASIO4ALL v2
2008-10-14 01:10 --------- d-----w c:\program files\iTunes
2008-10-14 00:12 --------- d-----w c:\program files\Illutia
2008-10-11 15:28 --------- d-----w c:\program files\Cakewalk
2008-10-11 15:28 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Cakewalk
2008-10-11 15:23 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Publish Providers
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\NetMedia Providers
2008-10-11 15:12 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-11 15:11 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Sony
2008-10-11 15:10 --------- d-----w c:\program files\Sony
2008-10-11 14:58 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony Setup
2008-10-11 14:57 --------- d-----w c:\program files\Sony Setup
2008-10-10 21:53 --------- d-----w c:\program files\TallStick
2008-10-02 00:41 51,600 ----a-w c:\winxp\system32\RadLightMPCUninstall.exe
2008-09-30 21:43 1,286,152 ----a-w c:\winxp\system32\msxml4.dll
2008-09-26 01:21 47,360 ----a-w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\pcouffin.sys
2008-09-25 08:03 81,920 ----a-w c:\winxp\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\winxp\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\winxp\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\winxp\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\winxp\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\winxp\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\winxp\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\winxp\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\winxp\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\winxp\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\winxp\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\winxp\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\winxp\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\winxp\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\winxp\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\winxp\system32\win32k.sys
2008-06-02 16:16 47,360 ----a-w c:\documents and settings\Jacob\Application Data\pcouffin.sys
2005-11-04 12:29 72,832 ----a-w c:\winxp\inf\CamAvb.sys
2006-05-03 09:06 163,328 --sh--r c:\winxp\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\winxp\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\winxp\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LXCGCATS"="c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
"spywareguard"="c:\program files\Spyware Guard 2008\spywareguard.exe" [2008-12-09 788992]

c:\documents and settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
UltimateZip Quick Start.lnk - c:\program files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe [2008-07-06 834048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-08 3312128]
"InternetConnection"= {6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll [2008-12-08 926720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll ndhiqc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\WINXP\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

R0 tclondrv;tclondrv;c:\winxp\system32\DRIVERS\tclondrv.sys [2008-09-17 20352]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winxp\system32\Drivers\avgldx86.sys [2008-03-02 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 282904]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\winxp\system32\DRIVERS\libusb0.sys [2008-07-06 29184]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Mozilla\Firefox\Profiles\vqe453c3.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 01:44:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\winxp\vmreg.dll 18941 bytes
c:\winxp\system32\winscenter.exe 294912 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\winxp\system32\LEXBCES.EXE
c:\winxp\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winxp\system32\winscenter.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\winxp\system32\lxcgcoms.exe
c:\winxp\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-09 1:51:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 06:51:23

Pre-Run: 5,975,355,392 bytes free
Post-Run: 6,506,561,536 bytes free

268 --- E O F --- 2008-11-12 08:01:51

#4 Inysy (Topic Starter, Member, 13 posts)
New HijackThis Log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:22 AM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\WINXP\system32\winscenter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\lxcgcoms.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINXP\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll ndhiqc.dll
O21 - SSODL: ieModule - {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: lxcg_device - - C:\WINXP\system32\lxcgcoms.exe

--
End of file - 5942 bytes
  • 0

#5 JSntgRvr (Global Moderator, 11,579 posts)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Quote Box:

Folder::
c:\program files\Spyware Guard 2008

File::
c:\winxp\sysexplorer.exe
c:\winxp\system32\winscenter.exe
c:\winxp\reged.exe
c:\winxp\spoolsystem.exe
c:\winxp\sys.com
c:\winxp\syscert.exe
c:\winxp\vmreg.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"

[Posted Image: CFScript.txt being dragged onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.
  • 0

#6 Inysy (Topic Starter, Member, 13 posts)
OK, I followed your instructions exactly.



ComboFix 08-12-07.04 - jacob 2008-12-09 17:21:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.514 [GMT -5:00]
Running from: c:\documents and settings\jacob.HARRIS-30403FC7\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jacob.HARRIS-30403FC7\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\winxp\reged.exe
c:\winxp\spoolsystem.exe
c:\winxp\sys.com
c:\winxp\syscert.exe
c:\winxp\sysexplorer.exe
c:\winxp\system32\winscenter.exe
c:\winxp\vmreg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\winxp\reged.exe
c:\winxp\spoolsystem.exe
c:\winxp\sys.com
c:\winxp\syscert.exe
c:\winxp\sysexplorer.exe
c:\winxp\system32\winscenter.exe
c:\winxp\vmreg.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-08 23:07 . 2008-12-08 23:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-08 20:39 . 2008-12-08 22:12 692 --a------ c:\winxp\wininit.ini
2008-12-08 20:07 . 2008-12-08 20:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 20:07 . 2008-12-08 20:40 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Spybot - Search & Destroy
2008-12-08 20:06 . 2008-12-08 20:06 <DIR> d-------- c:\program files\Lavasoft
2008-12-08 20:06 . 2008-12-08 20:08 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Lavasoft
2008-12-08 20:05 . 2008-12-08 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-08 19:58 . 2008-12-08 19:58 <DIR> d-------- c:\program files\Safer Networking
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-03 19:53 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2008-12-08 19:10 . 2008-12-03 19:53 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2008-12-08 18:53 . 2008-12-08 18:53 <DIR> d-------- c:\program files\EUSING FREE REGISTRY CLEANER
2008-12-08 17:54 . 2008-12-08 17:54 <DIR> d-------- c:\program files\GrandPack
2008-12-08 17:53 . 2008-12-08 17:53 158,208 --a------ c:\winxp\system32\dwmqbops.exe
2008-12-06 19:59 . 2008-12-06 19:59 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-06 19:49 . 2008-12-06 19:49 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Red Kawa
2008-12-06 19:46 . 2008-12-06 19:46 <DIR> d-------- c:\program files\Red Kawa
2008-12-06 19:45 . 2008-12-06 19:45 <DIR> d-------- C:\OpenCandy
2008-12-04 01:04 . 2008-12-06 00:24 <DIR> d-------- c:\program files\Total Video Converter
2008-12-04 01:04 . 2000-05-22 22:58 608,448 --a------ c:\winxp\system32\comctl32.ocx
2008-12-02 18:59 . 2008-12-02 18:59 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\DivX
2008-12-02 18:58 . 2008-12-02 18:59 <DIR> d-------- c:\program files\DivX
2008-12-02 18:38 . 2008-12-02 18:38 <DIR> d-------- c:\program files\Webteh
2008-11-25 22:32 . 2008-02-28 12:26 1,414,440 --a------ c:\winxp\system32\ShellManager310E2D762.dll
2008-11-25 22:32 . 2008-02-28 12:01 774,144 --a------ c:\winxp\system32\NEROINSTAEC43759.DB
2008-11-25 22:31 . 2008-11-25 22:31 0 --a------ c:\winxp\Irremote.ini
2008-11-20 21:52 . 2006-02-27 20:41 14,976 --a------ c:\winxp\system32\drivers\xbcd.sys
2008-11-17 23:50 . 2008-11-20 22:05 <DIR> d-------- c:\program files\XBCD+
2008-11-16 13:56 . 2008-11-16 14:19 <DIR> d-------- c:\program files\Mixxx
2008-11-15 13:15 . 2008-11-15 13:15 <DIR> d-------- c:\program files\PlayOnline
2008-11-13 09:59 . 2008-11-13 09:59 <DIR> d-------- c:\program files\Handbrake
2008-11-11 18:23 . 2008-11-11 18:23 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Adobe Systems
2008-11-11 18:23 . 2001-08-17 22:36 5,632 --a------ c:\winxp\system32\ptpusb.dll
2008-11-11 18:22 . 2004-08-04 00:56 159,232 --a------ c:\winxp\system32\ptpusd.dll
2008-11-10 19:03 . 2008-11-10 19:04 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\FaxCtr
2008-11-10 15:00 . 2008-11-10 15:01 <DIR> d-------- c:\program files\Lexmark Fax Solutions
2008-11-10 15:00 . 2008-11-10 15:00 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\FaxCtr
2008-11-10 15:00 . 2003-03-11 17:26 339,968 --a------ c:\winxp\system32\IMGMAN32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,345 --a------ c:\winxp\system32\IMHOST32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,304 --a------ c:\winxp\system32\IM31XPNG.DEL
2008-11-10 15:00 . 2003-03-11 17:26 69,632 --a------ c:\winxp\system32\IM31XTIF.DEL
2008-11-10 15:00 . 2003-03-11 17:26 49,152 --a------ c:\winxp\system32\IM31IMG.DIL
2008-11-10 15:00 . 2005-07-12 08:33 32,768 --a------ c:\winxp\system32\LXPRMON.DLL
2008-11-10 15:00 . 2005-07-12 08:33 20,480 --a------ c:\winxp\system32\LXPMONUI.DLL
2008-11-10 15:00 . 2005-07-12 08:36 12,288 --a------ c:\winxp\system32\LXPMONRC.DLL
2008-11-10 14:59 . 2008-11-10 15:01 23,069 --a------ c:\winxp\system32\LexFiles.ulf
2008-11-10 14:58 . 2008-11-11 13:12 <DIR> d-------- c:\program files\Lx_cats
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a------ c:\winxp\system32\wiafbdrv.dll
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a--c--- c:\winxp\system32\dllcache\wiafbdrv.dll
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a------ c:\winxp\system32\drivers\usbscan.sys
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a--c--- c:\winxp\system32\dllcache\usbscan.sys
2008-11-10 14:58 . 2005-08-17 01:46 1,214 -ra------ c:\winxp\system32\lxcg.loc
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\program files\Lexmark 2300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 22:14 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\foobar2000
2008-12-09 06:45 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\OpenOffice.org2
2008-12-09 00:37 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\avg8
2008-12-08 20:54 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\uTorrent
2008-12-07 00:46 --------- d-----w c:\program files\AviSynth 2.5
2008-11-27 19:33 --------- d-----w c:\program files\Opera
2008-11-26 03:33 --------- d-----w c:\program files\Common Files\Nero
2008-11-26 03:33 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Nero
2008-11-26 03:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 03:14 --------- d-----w c:\program files\WIDI VST 1.10
2008-11-16 18:59 --------- d-----w c:\program files\Vstplugins
2008-11-11 23:25 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 19:12 --------- d-----w c:\program files\Guild Wars
2008-10-29 03:24 --------- d-----w c:\program files\Acoustica Shared Effects
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\winxp\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\winxp\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\winxp\system32\DivX.dll
2008-10-24 11:10 453,632 ----a-w c:\winxp\system32\drivers\mrxsmb.sys
2008-10-21 21:12 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Vso
2008-10-20 03:00 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Ableton
2008-10-20 02:58 --------- d-----w c:\program files\Ableton
2008-10-16 19:13 202,776 ----a-w c:\winxp\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winxp\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winxp\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winxp\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winxp\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winxp\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winxp\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winxp\system32\wups.dll
2008-10-15 20:12 --------- d-----w c:\program files\BFG
2008-10-15 20:06 --------- d-----w c:\program files\ASIO4ALL v2
2008-10-14 01:10 --------- d-----w c:\program files\iTunes
2008-10-14 00:12 --------- d-----w c:\program files\Illutia
2008-10-11 15:28 --------- d-----w c:\program files\Cakewalk
2008-10-11 15:28 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Cakewalk
2008-10-11 15:23 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Publish Providers
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\NetMedia Providers
2008-10-11 15:12 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-11 15:11 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Sony
2008-10-11 15:10 --------- d-----w c:\program files\Sony
2008-10-11 14:58 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony Setup
2008-10-11 14:57 --------- d-----w c:\program files\Sony Setup
2008-10-10 21:53 --------- d-----w c:\program files\TallStick
2008-10-02 00:41 51,600 ----a-w c:\winxp\system32\RadLightMPCUninstall.exe
2008-09-30 21:43 1,286,152 ----a-w c:\winxp\system32\msxml4.dll
2008-09-26 01:21 47,360 ----a-w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\pcouffin.sys
2008-09-25 08:03 81,920 ----a-w c:\winxp\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\winxp\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\winxp\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\winxp\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\winxp\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\winxp\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\winxp\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\winxp\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\winxp\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\winxp\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\winxp\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\winxp\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\winxp\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\winxp\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\winxp\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\winxp\system32\win32k.sys
2008-06-02 16:16 47,360 ----a-w c:\documents and settings\Jacob\Application Data\pcouffin.sys
2005-11-04 12:29 72,832 ----a-w c:\winxp\inf\CamAvb.sys
2006-05-03 09:06 163,328 --sh--r c:\winxp\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\winxp\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\winxp\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LXCGCATS"="c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

c:\documents and settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
UltimateZip Quick Start.lnk - c:\program files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe [2008-07-06 834048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-08 3312128]
"InternetConnection"= {6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll [2008-12-08 926720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\WINXP\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

R0 tclondrv;tclondrv;c:\winxp\system32\DRIVERS\tclondrv.sys [2008-09-17 20352]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winxp\system32\Drivers\avgldx86.sys [2008-03-02 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 282904]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\winxp\system32\DRIVERS\libusb0.sys [2008-07-06 29184]

*Newly Created Service* - CATCHME
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Mozilla\Firefox\Profiles\vqe453c3.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 17:23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-09 17:24:19
ComboFix-quarantined-files.txt 2008-12-09 22:24:01
ComboFix2.txt 2008-12-09 06:51:29

Pre-Run: 6,483,767,296 bytes free
Post-Run: 6,465,761,280 bytes free

237 --- E O F --- 2008-11-12 08:01:51
  • 0

#7 Inysy (Topic Starter, Member, 13 posts)
HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:25 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\LEXPPS.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\lxcgcoms.exe
C:\WINXP\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Last.fm\LastFM.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\system32\notepad.exe
C:\WINXP\explorer.exe
C:\WINXP\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINXP\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: ieModule - {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: lxcg_device - - C:\WINXP\system32\lxcgcoms.exe

--
End of file - 5880 bytes
  • 0

#8 JSntgRvr (Global Moderator, 11,579 posts)
Disable Teatimer
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Quote Box:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"=-
"InternetConnection"=-
[-HKEY_CLASSES_ROOT\CLSID\{5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25}]
[-HKEY_CLASSES_ROOT\CLSID\{6DD3E0BD-F3F5-4E48-A629-4E0BE97D7D5F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"=-

[Posted Image: CFScript.txt being dragged onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u10-windows-i586-p.exe and select "Run as an Administrator.")

  • 0
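As an added example that is not code from the thread, ComboFix or HijackThis, the Python below parses a CFScript like the two posted above together with a HijackThis log taken after the script ran, and lists every script target that still appears, which is the check behind the second script: in the log posted in #7 the spywareguard Run value and the spywareguard.exe and winscenter.exe processes survived the first pass. The CFScript section names and .reg-style Registry:: syntax are assumed from the scripts above, and the sample script and log lines are constructed from this thread.

```python
"""Cross-check a post-ComboFix HijackThis log against the CFScript that was run.
Added example; not code from this thread, ComboFix or HijackThis.  Section names
(Folder::, File::, Registry::) and the .reg-style Registry:: syntax follow the
scripts posted above; the sample script and log lines are constructed."""
import re

# HijackThis line shapes used here: O4 Run values, O20 AppInit_DLLs, O21 SSODL, process paths.
O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
O21_RE = re.compile(r'^O21 - SSODL: (\S+) - \{([^}]+)\} - (.*)$')
PROC_RE = re.compile(r'^[A-Za-z]:\\')

def parse_cfscript(text):
    """Collect the script's targets; registry keys are reduced to their leaf name (e.g. "run")."""
    script = {"folders": set(), "files": set(), "deleted_keys": set(),
              "deleted_values": set(), "set_values": {}}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                                # section header such as File::
            section = line[:-2].lower()
        elif section in ("folder", "file"):
            script[section + "s"].add(line.lower())
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):   # [-key] deletes the whole key
                script["deleted_keys"].add(line[2:-1].lower())
            elif line.startswith("[") and line.endswith("]"):  # [key] selects a key
                key = line[1:-1].lower().rsplit("\\", 1)[-1]
            elif key and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
                name, value = m.group(1).lower(), m.group(2)
                if value == "-":                               # "name"=- deletes a value
                    script["deleted_values"].add((key, name))
                else:                                          # "name"="x" sets a value
                    script["set_values"][(key, name)] = value.strip('"')
    return script

def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(("O4", m.group(2), m.group(3)))
        elif m := O20_RE.match(line):
            entries.append(("O20", m.group(1)))
        elif m := O21_RE.match(line):
            entries.append(("O21", m.group(1), m.group(2), m.group(3)))
        elif PROC_RE.match(line):                              # "Running processes" path
            entries.append(("process", line))
    return entries

def _targeted_path(path, script):
    p = path.strip('"').lower()                                # File:: hit or inside a Folder:: target
    return p in script["files"] or any(p == f or p.startswith(f + "\\") for f in script["folders"])

def leftovers(script, entries):
    found = []
    appinit = script["set_values"].get(("windows", "appinit_dlls"))
    for e in entries:
        if e[0] == "O4":
            if ("run", e[1].lower()) in script["deleted_values"] or _targeted_path(e[2], script):
                found.append(("O4", e[1]))
        elif e[0] == "O20" and appinit is not None:
            # The script reset AppInit_DLLs to one value; any other DLL there is a leftover.
            for dll in e[1].split():
                if dll.lower() not in appinit.lower().split():
                    found.append(("O20", dll))
        elif e[0] == "O21":
            clsid_gone = any(k.endswith("{" + e[2].lower() + "}") for k in script["deleted_keys"])
            if ("shellserviceobjectdelayload", e[1].lower()) in script["deleted_values"] or clsid_gone:
                found.append(("O21", e[1]))
        elif e[0] == "process" and _targeted_path(e[1], script):
            found.append(("process", e[1]))
    return found

# Constructed from the first script in this thread and the HijackThis log posted after it ran.
SAMPLE_SCRIPT = r"""
Folder::
c:\program files\Spyware Guard 2008
File::
c:\winxp\system32\winscenter.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spywareguard"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
"""
SAMPLE_LOG = r"""
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: ieModule - {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
"""
if __name__ == "__main__":
    print(leftovers(parse_cfscript(SAMPLE_SCRIPT), parse_hjt(SAMPLE_LOG)))
```

Entries the script never targeted, such as the O21 SSODL DLLs in the sample log, are not reported, so the output is a completeness check on the script rather than a clean bill of health.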

#9 Inysy (Topic Starter, Member, 13 posts)
OK, here it is with the new script.
ComboFix log:


ComboFix 08-12-07.04 - jacob 2008-12-09 20:33:12.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.535 [GMT -5:00]
Running from: c:\documents and settings\jacob.HARRIS-30403FC7\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jacob.HARRIS-30403FC7\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Spyware Guard 2008
c:\program files\Spyware Guard 2008\conf.cfg
c:\program files\Spyware Guard 2008\mbase.vdb
c:\program files\Spyware Guard 2008\quarantine.vdb
c:\program files\Spyware Guard 2008\queue.vdb
c:\program files\Spyware Guard 2008\spywareguard.exe
c:\program files\Spyware Guard 2008\uninstall.exe
c:\program files\Spyware Guard 2008\vbase.vdb
c:\winxp\reged.exe
c:\winxp\spoolsystem.exe
c:\winxp\sys.com
c:\winxp\syscert.exe
c:\winxp\sysexplorer.exe
c:\winxp\system32\winscenter.exe
c:\winxp\vmreg.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-09 19:15 . 2008-12-09 19:15 <DIR> d-------- c:\documents and settings\Administrator.HARRIS-30403FC7
2008-12-08 23:07 . 2008-12-08 23:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-08 20:39 . 2008-12-08 22:12 692 --a------ c:\winxp\wininit.ini
2008-12-08 20:07 . 2008-12-09 18:31 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-08 20:07 . 2008-12-09 18:28 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Spybot - Search & Destroy
2008-12-08 20:06 . 2008-12-08 20:06 <DIR> d-------- c:\program files\Lavasoft
2008-12-08 20:06 . 2008-12-08 20:08 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Lavasoft
2008-12-08 20:05 . 2008-12-08 20:05 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-08 19:58 . 2008-12-08 19:58 <DIR> d-------- c:\program files\Safer Networking
2008-12-08 19:10 . 2008-12-09 19:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-08 19:10 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2008-12-08 19:10 . 2008-12-03 19:53 38,496 --a------ c:\winxp\system32\drivers\mbamswissarmy.sys
2008-12-08 19:10 . 2008-12-03 19:53 15,504 --a------ c:\winxp\system32\drivers\mbam.sys
2008-12-08 18:53 . 2008-12-08 18:53 <DIR> d-------- c:\program files\EUSING FREE REGISTRY CLEANER
2008-12-08 17:54 . 2008-12-08 17:54 <DIR> d-------- c:\program files\GrandPack
2008-12-08 17:53 . 2008-12-08 17:53 158,208 --a------ c:\winxp\system32\dwmqbops.exe
2008-12-06 19:59 . 2008-12-06 19:59 <DIR> d-------- c:\program files\DVD Decrypter
2008-12-06 19:49 . 2008-12-06 19:49 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Red Kawa
2008-12-06 19:46 . 2008-12-06 19:46 <DIR> d-------- c:\program files\Red Kawa
2008-12-06 19:45 . 2008-12-06 19:45 <DIR> d-------- C:\OpenCandy
2008-12-04 01:04 . 2008-12-06 00:24 <DIR> d-------- c:\program files\Total Video Converter
2008-12-04 01:04 . 2000-05-22 22:58 608,448 --a------ c:\winxp\system32\comctl32.ocx
2008-12-02 18:59 . 2008-12-02 18:59 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\DivX
2008-12-02 18:58 . 2008-12-02 18:59 <DIR> d-------- c:\program files\DivX
2008-12-02 18:38 . 2008-12-02 18:38 <DIR> d-------- c:\program files\Webteh
2008-11-25 22:32 . 2008-02-28 12:26 1,414,440 --a------ c:\winxp\system32\ShellManager310E2D762.dll
2008-11-25 22:32 . 2008-02-28 12:01 774,144 --a------ c:\winxp\system32\NEROINSTAEC43759.DB
2008-11-25 22:31 . 2008-11-25 22:31 0 --a------ c:\winxp\Irremote.ini
2008-11-20 21:52 . 2006-02-27 20:41 14,976 --a------ c:\winxp\system32\drivers\xbcd.sys
2008-11-17 23:50 . 2008-11-20 22:05 <DIR> d-------- c:\program files\XBCD+
2008-11-16 13:56 . 2008-11-16 14:19 <DIR> d-------- c:\program files\Mixxx
2008-11-15 13:15 . 2008-11-15 13:15 <DIR> d-------- c:\program files\PlayOnline
2008-11-13 09:59 . 2008-11-13 09:59 <DIR> d-------- c:\program files\Handbrake
2008-11-11 18:23 . 2008-11-11 18:23 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\Adobe Systems
2008-11-11 18:23 . 2001-08-17 22:36 5,632 --a------ c:\winxp\system32\ptpusb.dll
2008-11-11 18:22 . 2004-08-04 00:56 159,232 --a------ c:\winxp\system32\ptpusd.dll
2008-11-10 19:03 . 2008-11-10 19:04 <DIR> d-------- c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\FaxCtr
2008-11-10 15:00 . 2008-11-10 15:01 <DIR> d-------- c:\program files\Lexmark Fax Solutions
2008-11-10 15:00 . 2008-11-10 15:00 <DIR> d-------- c:\documents and settings\All Users.WINXP\Application Data\FaxCtr
2008-11-10 15:00 . 2003-03-11 17:26 339,968 --a------ c:\winxp\system32\IMGMAN32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,345 --a------ c:\winxp\system32\IMHOST32.DLL
2008-11-10 15:00 . 2003-03-11 17:26 98,304 --a------ c:\winxp\system32\IM31XPNG.DEL
2008-11-10 15:00 . 2003-03-11 17:26 69,632 --a------ c:\winxp\system32\IM31XTIF.DEL
2008-11-10 15:00 . 2003-03-11 17:26 49,152 --a------ c:\winxp\system32\IM31IMG.DIL
2008-11-10 15:00 . 2005-07-12 08:33 32,768 --a------ c:\winxp\system32\LXPRMON.DLL
2008-11-10 15:00 . 2005-07-12 08:33 20,480 --a------ c:\winxp\system32\LXPMONUI.DLL
2008-11-10 15:00 . 2005-07-12 08:36 12,288 --a------ c:\winxp\system32\LXPMONRC.DLL
2008-11-10 14:59 . 2008-11-10 15:01 23,069 --a------ c:\winxp\system32\LexFiles.ulf
2008-11-10 14:58 . 2008-12-09 20:24 <DIR> d-------- c:\program files\Lx_cats
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a------ c:\winxp\system32\wiafbdrv.dll
2008-11-10 14:58 . 2001-08-17 22:36 87,040 --a--c--- c:\winxp\system32\dllcache\wiafbdrv.dll
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a------ c:\winxp\system32\drivers\usbscan.sys
2008-11-10 14:58 . 2004-08-03 22:58 15,104 --a--c--- c:\winxp\system32\dllcache\usbscan.sys
2008-11-10 14:58 . 2005-08-17 01:46 1,214 -ra------ c:\winxp\system32\lxcg.loc
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\temp\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2008-11-10 14:57 . 2008-11-10 19:03 <DIR> d-------- c:\program files\Lexmark 2300 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 01:24 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\OpenOffice.org2
2008-12-09 23:05 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\foobar2000
2008-12-09 00:37 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\avg8
2008-12-08 20:54 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\uTorrent
2008-12-07 00:46 --------- d-----w c:\program files\AviSynth 2.5
2008-11-27 19:33 --------- d-----w c:\program files\Opera
2008-11-26 03:33 --------- d-----w c:\program files\Common Files\Nero
2008-11-26 03:33 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Nero
2008-11-26 03:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 03:14 --------- d-----w c:\program files\WIDI VST 1.10
2008-11-16 18:59 --------- d-----w c:\program files\Vstplugins
2008-11-11 23:25 --------- d-----w c:\program files\Common Files\Adobe
2008-11-01 19:12 --------- d-----w c:\program files\Guild Wars
2008-10-29 03:24 --------- d-----w c:\program files\Acoustica Shared Effects
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\winxp\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\winxp\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\winxp\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\winxp\system32\DivX.dll
2008-10-24 11:10 453,632 ----a-w c:\winxp\system32\drivers\mrxsmb.sys
2008-10-21 21:12 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Vso
2008-10-20 03:00 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Ableton
2008-10-20 02:58 --------- d-----w c:\program files\Ableton
2008-10-16 19:13 202,776 ----a-w c:\winxp\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\winxp\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\winxp\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\winxp\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\winxp\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\winxp\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\winxp\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\winxp\system32\wups.dll
2008-10-15 20:12 --------- d-----w c:\program files\BFG
2008-10-15 20:06 --------- d-----w c:\program files\ASIO4ALL v2
2008-10-14 01:10 --------- d-----w c:\program files\iTunes
2008-10-14 00:12 --------- d-----w c:\program files\Illutia
2008-10-11 15:28 --------- d-----w c:\program files\Cakewalk
2008-10-11 15:28 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Cakewalk
2008-10-11 15:23 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Publish Providers
2008-10-11 15:19 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\NetMedia Providers
2008-10-11 15:12 --------- d-----w c:\program files\Microsoft SQL Server
2008-10-11 15:11 --------- d-----w c:\documents and settings\All Users.WINXP\Application Data\Sony
2008-10-11 15:10 --------- d-----w c:\program files\Sony
2008-10-11 14:58 --------- d-----w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Sony Setup
2008-10-11 14:57 --------- d-----w c:\program files\Sony Setup
2008-10-10 21:53 --------- d-----w c:\program files\TallStick
2008-10-02 00:41 51,600 ----a-w c:\winxp\system32\RadLightMPCUninstall.exe
2008-09-30 21:43 1,286,152 ----a-w c:\winxp\system32\msxml4.dll
2008-09-26 01:21 47,360 ----a-w c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\pcouffin.sys
2008-09-25 08:03 81,920 ----a-w c:\winxp\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\winxp\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\winxp\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\winxp\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\winxp\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\winxp\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\winxp\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\winxp\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\winxp\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\winxp\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\winxp\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\winxp\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\winxp\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\winxp\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\winxp\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\winxp\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\winxp\system32\win32k.sys
2008-06-02 16:16 47,360 ----a-w c:\documents and settings\Jacob\Application Data\pcouffin.sys
2005-11-04 12:29 72,832 ----a-w c:\winxp\inf\CamAvb.sys
2006-05-03 09:06 163,328 --sh--r c:\winxp\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r c:\winxp\system32\msfDX.dll
2008-03-16 12:30 216,064 --sh--r c:\winxp\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"LXCGCATS"="c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
"lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
"EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]

c:\documents and settings\jacob.HARRIS-30403FC7\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]
UltimateZip Quick Start.lnk - c:\program files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe [2008-07-06 834048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"= {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll [2008-12-08 3312128]
"InternetConnection"= {FECCF2D0-C22C-4353-9B0C-16FC169965E9} - c:\documents and settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll [2008-12-09 926720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\WINXP\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

R0 tclondrv;tclondrv;c:\winxp\system32\DRIVERS\tclondrv.sys [2008-09-17 20352]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\winxp\system32\Drivers\avgldx86.sys [2008-03-02 96520]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 282904]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\winxp\system32\DRIVERS\libusb0.sys [2008-07-06 29184]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\documents and settings\jacob.HARRIS-30403FC7\Application Data\Mozilla\Firefox\Profiles\vqe453c3.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 20:36:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCGCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\winxp\system32\avgrsstx.dll
.
Completion time: 2008-12-09 20:37:37
ComboFix-quarantined-files.txt 2008-12-10 01:37:06
ComboFix2.txt 2008-12-09 22:24:21
ComboFix3.txt 2008-12-09 06:51:29

Pre-Run: 6,483,701,760 bytes free
Post-Run: 6,473,097,216 bytes free

234 --- E O F --- 2008-11-12 08:01:51
  • 0

#10
Inysy

Inysy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:42 PM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINXP\system32\LEXBCES.EXE
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\LEXPPS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINXP\system32\lxcgcoms.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\wuauclt.exe
C:\WINXP\system32\notepad.exe
C:\WINXP\explorer.exe
C:\WINXP\system32\winscenter.exe
C:\Program Files\Spyware Guard 2008\spywareguard.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft...p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINXP\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2007\UltimateZip 2007\uzqkst.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: ieModule - {5FFB47B3-3AA7-49B5-8E6C-FBE64BD21B25} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {FECCF2D0-C22C-4353-9B0C-16FC169965E9} - C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: lxcg_device - - C:\WINXP\system32\lxcgcoms.exe

--
End of file - 5238 bytes



Ok, I'll do that Kaspersky next.
  • 0

#11
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Will post next fix after seeing the Kaspersky.
  • 0

#12
Inysy

Inysy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, sorry for the long delay, but that scan takes forever and I don't have too much free time...

Anyway, here's the Kaspersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 11, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 09, 2008 21:19:47
Records in database: 1448136
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\

Scan statistics:
Files scanned: 148491
Threat name: 5
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 07:00:29


File name / Threat name / Threats count
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll/C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.y 1
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll/C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.aa 12
C:\WINXP\system32\winscenter.exe//PE_Patch.UPX//UPX/C:\WINXP\system32\winscenter.exe//PE_Patch.UPX//UPX Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.ab 1
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.y 1
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.aa 1
C:\Program Files\Spyware Guard 2008\spywareguard.exe Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.x 1
C:\Program Files\Spyware Guard 2008\uninstall.exe Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.z 1
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\spywareguard.exe.vir Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.x 1
C:\Qoobox\Quarantine\C\Program Files\Spyware Guard 2008\uninstall.exe.vir Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.z 1
C:\Qoobox\Quarantine\C\WINXP\system32\winscenter.exe.vir Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.ab 1
C:\WINXP\system32\winscenter.exe Infected: not-a-virus:FraudTool.Win32.SpywareGuard2008.ab 1

The selected area was scanned.
  • 0

#13
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Collect::
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll
C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft\Internet Explorer\DLLs\adardlygfi.dll
C:\WINXP\system32\winscenter.exe

Folder::
C:\Program Files\Spyware Guard 2008

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ieModule"=-
"InternetConnection"=-

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.

Additionally, ComboFix will generate a zipped file in C:\Qoobox\Quarantine\ called Submit [Date Time].zip

Please submit this file to:

http://www.bleepingc...e.php?channel=4

Please include a link to this topic in the message.
  • 0

#14
Inysy

Inysy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Ok, it's all set... File uploaded and all.
I think that killed it for the most part. It hasn't popped up again since I ran that last script.

Also, I uninstalled Spybot S&D; I don't think it was helping.
  • 0

#15
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,579 posts
Let me see a HijackThis log.
  • 0
