[emeraldnzl]

Interesting...that found infection in IE which is where you have had some problems.

I think it would be wise to have another look at things to make sure MBAM got it all.

Please download ComboFix from one of these locations:

NOTE: If you are guest watching this topic. ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

[Advertisements]

ComboFix 09-02-15.01 - Gloom 2009-02-15 18:49:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.682 [GMT -4:00]
Running from: i:\documents and settings\Gloom\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090215-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\system32\Microsoft.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-14 17:14 . 2009-02-14 17:14 <DIR> d-------- i:\program files\Alwil Software
2009-02-14 12:05 . 2009-02-14 12:05 <DIR> d-------- I:\rsit
2009-02-14 11:57 . 2009-02-14 11:57 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2009-02-14 11:57 . 2009-02-11 10:19 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 11:57 . 2009-02-11 10:19 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2009-02-09 20:17 . 2008-10-16 14:06 268,648 --a------ i:\windows\system32\mucltui.dll
2009-02-09 20:17 . 2008-10-16 14:06 208,744 --a------ i:\windows\system32\muweb.dll
2009-02-09 20:17 . 2008-10-16 14:06 27,496 --a------ i:\windows\system32\mucltui.dll.mui
2009-02-09 15:37 . 2000-12-05 16:18 3,952 --a------ i:\windows\system32\drivers\DMICall.sys
2009-02-03 16:51 . 1998-02-06 22:37 299,520 --a------ i:\windows\uninst.exe
2009-01-31 12:33 . 2009-01-31 13:56 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Music Recognition
2009-01-31 12:13 . 2001-08-08 22:00 40,960 --a------ i:\windows\system32\DGPNorm.ocx
2009-01-30 15:02 . 2009-01-30 15:05 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Anvil Studio
2009-01-30 14:59 . 2009-01-30 14:59 1,720,086 --a------ i:\windows\system32\TmpA12653687
2009-01-30 14:50 . 2002-07-08 00:14 1,294,336 --a------ i:\windows\system32\vorbis.acm
2009-01-30 14:50 . 2006-06-20 10:56 225,280 --a------ i:\windows\system32\rewire.dll
2009-01-30 14:48 . 2003-06-20 13:28 1,777,664 --a------ i:\windows\system32\gdiplus.dll
2009-01-30 13:53 . 2003-07-01 17:07 1,724,416 --a------ i:\windows\system32\NCTAudioFile2.dll
2009-01-30 13:53 . 2000-05-22 16:58 1,066,176 --a------ i:\windows\system32\Mscomctl.ocx
2009-01-30 13:53 . 2003-07-30 01:56 645,616 --a------ i:\windows\system32\Mscomct2.ocx
2009-01-30 13:53 . 2004-10-01 11:07 389,120 --a------ i:\windows\system32\actskn43.ocx
2009-01-30 13:53 . 2002-03-18 15:18 221,184 --a------ i:\windows\system32\lame_enc.dll
2009-01-30 13:53 . 2000-12-06 00:00 209,608 --a------ i:\windows\system32\TabCtl32.ocx
2009-01-30 13:53 . 1999-10-30 01:00 167,936 --a------ i:\windows\system32\ccrpftv6.ocx
2009-01-30 13:53 . 1998-06-24 10:55 164,144 --a------ i:\windows\system32\Comct232.ocx
2009-01-30 13:53 . 2003-11-17 12:49 154,624 --a------ i:\windows\system32\fmod.dll
2009-01-30 13:53 . 2000-05-22 15:58 140,488 --a------ i:\windows\system32\comdlg32.ocx
2009-01-30 13:53 . 2003-06-26 18:38 94,208 --a------ i:\windows\system32\id3v23x.dll
2009-01-30 13:53 . 2000-12-30 11:47 22,528 --a------ i:\windows\system32\MNCPrgBr.OCX
2009-01-30 10:51 . 2009-01-30 10:51 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Malwarebytes
2009-01-30 10:51 . 2009-01-30 10:51 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 22:23 . 2009-01-28 22:23 <DIR> d-------- i:\program files\Common Files\Enterbrain
2009-01-26 09:28 . 2000-12-08 21:59 122,880 --a------ i:\windows\UnGins.exe
2009-01-21 20:30 . 2009-01-22 14:54 <DIR> d-------- i:\documents and settings\Gloom\Application Data\RenPy
2009-01-21 20:30 . 2009-01-22 15:11 <DIR> d-------- i:\documents and settings\Gloom\.jedit
2009-01-21 17:44 . 2009-01-21 17:44 <DIR> d-------- i:\program files\Common Files\DirectX
2009-01-20 19:09 . 2009-01-31 22:09 1,682 --ahs---- i:\windows\system32\KGyGaAvL.sys
2009-01-20 19:09 . 2009-01-28 22:24 56 -r-hs---- i:\windows\system32\9E1725EBB7.sys
2009-01-20 19:08 . 2009-01-20 19:08 <DIR> d-------- i:\program files\Enterbrain
2009-01-15 14:08 . 2009-01-15 14:10 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Crayon Physics Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 22:09 --------- d-----w i:\documents and settings\Gloom\Application Data\WTablet
2009-02-14 21:12 --------- d-----w i:\documents and settings\All Users\Application Data\Viewpoint
2009-02-09 23:32 --------- d-----w i:\program files\Common Files\Adobe
2009-02-09 19:37 --------- d--h--w i:\program files\InstallShield Installation Information
2009-02-09 19:37 --------- d-----w i:\program files\Common Files\Sony Shared
2008-12-21 04:46 --------- d-----w i:\documents and settings\Gloom\Application Data\.BitTornado
2008-12-20 02:02 410,984 ----a-w i:\windows\system32\deploytk.dll
2008-12-20 02:02 --------- d-----w i:\program files\Java
2008-12-17 01:15 --------- d-----w i:\program files\Macromedia
2008-12-17 01:15 --------- d-----w i:\program files\Common Files\Macromedia Shared
2008-12-17 01:15 --------- d-----w i:\program files\Common Files\Macromedia
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="i:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"IgfxTray"="i:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="i:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"Persistence"="i:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"LogitechCommunicationsManager"="i:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="i:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 i:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 i:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 i:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 i:\windows\AGRSMMSG.exe]

i:\documents and settings\Gloom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 i:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 16:15 2407184 i:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 i:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 i:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"i:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"i:\\Program Files\\MSN Messenger\\livecall.exe"=
"i:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"i:\\Program Files\\AIM6\\aim6.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"i:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

R1 aswSP;avast! Self Protection;i:\windows\system32\drivers\aswSP.sys [2009-02-14 114768]
R2 aswFsBlk;aswFsBlk;i:\windows\system32\drivers\aswFsBlk.sys [2009-02-14 20560]
R2 TabletServiceWacom;TabletServiceWacom;i:\windows\system32\Wacom_Tablet.exe [2008-08-15 3406120]
R3 wacmoumonitor;Wacom Mode Helper;i:\windows\system32\drivers\wacmoumonitor.sys [2008-08-15 15656]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 18:50:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-436374069-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:b4,ff,9e,8d,b4,75,9a,85,02,b3,62,19,11,9a,a4,1c,4c,71,5d,14,de,
b0,33,43,c4,96,5a,5e,8f,b7,07,fa,ef,89,35,d5,31,3f,04,b3,d5,fd,01,9f,da,10,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
Completion time: 2009-02-15 18:51:19
ComboFix-quarantined-files.txt 2009-02-15 22:51:17

Pre-Run: 141,017,333,760 bytes free
Post-Run: 141,273,047,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

149

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:40 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
I:\Program Files\Alwil Software\Avast4\ashServ.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\WINDOWS\system32\igfxtray.exe
I:\WINDOWS\system32\hkcmd.exe
I:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
I:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\Wacom_Tablet.exe
I:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
I:\WINDOWS\system32\Wacom_Tablet.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
I:\WINDOWS\system32\ctfmon.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Documents and Settings\Gloom\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] I:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] I:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] I:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "I:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] I:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-27-0.cab
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - I:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - I:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - I:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 7077 bytes

[Gloom]

ComboFix 09-02-15.01 - Gloom 2009-02-15 18:49:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.682 [GMT -4:00]
Running from: i:\documents and settings\Gloom\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090215-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\system32\Microsoft.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-14 17:14 . 2009-02-14 17:14 <DIR> d-------- i:\program files\Alwil Software
2009-02-14 12:05 . 2009-02-14 12:05 <DIR> d-------- I:\rsit
2009-02-14 11:57 . 2009-02-14 11:57 <DIR> d-------- i:\program files\Malwarebytes' Anti-Malware
2009-02-14 11:57 . 2009-02-11 10:19 38,496 --a------ i:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 11:57 . 2009-02-11 10:19 15,504 --a------ i:\windows\system32\drivers\mbam.sys
2009-02-09 20:17 . 2008-10-16 14:06 268,648 --a------ i:\windows\system32\mucltui.dll
2009-02-09 20:17 . 2008-10-16 14:06 208,744 --a------ i:\windows\system32\muweb.dll
2009-02-09 20:17 . 2008-10-16 14:06 27,496 --a------ i:\windows\system32\mucltui.dll.mui
2009-02-09 15:37 . 2000-12-05 16:18 3,952 --a------ i:\windows\system32\drivers\DMICall.sys
2009-02-03 16:51 . 1998-02-06 22:37 299,520 --a------ i:\windows\uninst.exe
2009-01-31 12:33 . 2009-01-31 13:56 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Music Recognition
2009-01-31 12:13 . 2001-08-08 22:00 40,960 --a------ i:\windows\system32\DGPNorm.ocx
2009-01-30 15:02 . 2009-01-30 15:05 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Anvil Studio
2009-01-30 14:59 . 2009-01-30 14:59 1,720,086 --a------ i:\windows\system32\TmpA12653687
2009-01-30 14:50 . 2002-07-08 00:14 1,294,336 --a------ i:\windows\system32\vorbis.acm
2009-01-30 14:50 . 2006-06-20 10:56 225,280 --a------ i:\windows\system32\rewire.dll
2009-01-30 14:48 . 2003-06-20 13:28 1,777,664 --a------ i:\windows\system32\gdiplus.dll
2009-01-30 13:53 . 2003-07-01 17:07 1,724,416 --a------ i:\windows\system32\NCTAudioFile2.dll
2009-01-30 13:53 . 2000-05-22 16:58 1,066,176 --a------ i:\windows\system32\Mscomctl.ocx
2009-01-30 13:53 . 2003-07-30 01:56 645,616 --a------ i:\windows\system32\Mscomct2.ocx
2009-01-30 13:53 . 2004-10-01 11:07 389,120 --a------ i:\windows\system32\actskn43.ocx
2009-01-30 13:53 . 2002-03-18 15:18 221,184 --a------ i:\windows\system32\lame_enc.dll
2009-01-30 13:53 . 2000-12-06 00:00 209,608 --a------ i:\windows\system32\TabCtl32.ocx
2009-01-30 13:53 . 1999-10-30 01:00 167,936 --a------ i:\windows\system32\ccrpftv6.ocx
2009-01-30 13:53 . 1998-06-24 10:55 164,144 --a------ i:\windows\system32\Comct232.ocx
2009-01-30 13:53 . 2003-11-17 12:49 154,624 --a------ i:\windows\system32\fmod.dll
2009-01-30 13:53 . 2000-05-22 15:58 140,488 --a------ i:\windows\system32\comdlg32.ocx
2009-01-30 13:53 . 2003-06-26 18:38 94,208 --a------ i:\windows\system32\id3v23x.dll
2009-01-30 13:53 . 2000-12-30 11:47 22,528 --a------ i:\windows\system32\MNCPrgBr.OCX
2009-01-30 10:51 . 2009-01-30 10:51 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Malwarebytes
2009-01-30 10:51 . 2009-01-30 10:51 <DIR> d-------- i:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 22:23 . 2009-01-28 22:23 <DIR> d-------- i:\program files\Common Files\Enterbrain
2009-01-26 09:28 . 2000-12-08 21:59 122,880 --a------ i:\windows\UnGins.exe
2009-01-21 20:30 . 2009-01-22 14:54 <DIR> d-------- i:\documents and settings\Gloom\Application Data\RenPy
2009-01-21 20:30 . 2009-01-22 15:11 <DIR> d-------- i:\documents and settings\Gloom\.jedit
2009-01-21 17:44 . 2009-01-21 17:44 <DIR> d-------- i:\program files\Common Files\DirectX
2009-01-20 19:09 . 2009-01-31 22:09 1,682 --ahs---- i:\windows\system32\KGyGaAvL.sys
2009-01-20 19:09 . 2009-01-28 22:24 56 -r-hs---- i:\windows\system32\9E1725EBB7.sys
2009-01-20 19:08 . 2009-01-20 19:08 <DIR> d-------- i:\program files\Enterbrain
2009-01-15 14:08 . 2009-01-15 14:10 <DIR> d-------- i:\documents and settings\Gloom\Application Data\Crayon Physics Deluxe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 22:09 --------- d-----w i:\documents and settings\Gloom\Application Data\WTablet
2009-02-14 21:12 --------- d-----w i:\documents and settings\All Users\Application Data\Viewpoint
2009-02-09 23:32 --------- d-----w i:\program files\Common Files\Adobe
2009-02-09 19:37 --------- d--h--w i:\program files\InstallShield Installation Information
2009-02-09 19:37 --------- d-----w i:\program files\Common Files\Sony Shared
2008-12-21 04:46 --------- d-----w i:\documents and settings\Gloom\Application Data\.BitTornado
2008-12-20 02:02 410,984 ----a-w i:\windows\system32\deploytk.dll
2008-12-20 02:02 --------- d-----w i:\program files\Java
2008-12-17 01:15 --------- d-----w i:\program files\Macromedia
2008-12-17 01:15 --------- d-----w i:\program files\Common Files\Macromedia Shared
2008-12-17 01:15 --------- d-----w i:\program files\Common Files\Macromedia
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="i:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"IgfxTray"="i:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="i:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"Persistence"="i:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"LogitechCommunicationsManager"="i:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"avast!"="i:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 i:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 i:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 i:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 i:\windows\AGRSMMSG.exe]

i:\documents and settings\Gloom\Start Menu\Programs\Startup\
Adobe Gamma.lnk - i:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 11:21 50472 i:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2008-08-14 16:15 2407184 i:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 i:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 i:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"i:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"i:\\Program Files\\MSN Messenger\\livecall.exe"=
"i:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"i:\\Program Files\\AIM6\\aim6.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"i:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

R1 aswSP;avast! Self Protection;i:\windows\system32\drivers\aswSP.sys [2009-02-14 114768]
R2 aswFsBlk;aswFsBlk;i:\windows\system32\drivers\aswFsBlk.sys [2009-02-14 20560]
R2 TabletServiceWacom;TabletServiceWacom;i:\windows\system32\Wacom_Tablet.exe [2008-08-15 3406120]
R3 wacmoumonitor;Wacom Mode Helper;i:\windows\system32\drivers\wacmoumonitor.sys [2008-08-15 15656]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - i:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 18:50:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-436374069-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:b4,ff,9e,8d,b4,75,9a,85,02,b3,62,19,11,9a,a4,1c,4c,71,5d,14,de,
b0,33,43,c4,96,5a,5e,8f,b7,07,fa,ef,89,35,d5,31,3f,04,b3,d5,fd,01,9f,da,10,\
"rkeysecu"=hex:9f,ca,16,75,83,0a,d6,fd,d2,a5,ab,cb,c1,0d,12,f7
.
Completion time: 2009-02-15 18:51:19
ComboFix-quarantined-files.txt 2009-02-15 22:51:17

Pre-Run: 141,017,333,760 bytes free
Post-Run: 141,273,047,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
i:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

149

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:40 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
I:\Program Files\Alwil Software\Avast4\ashServ.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\WINDOWS\system32\igfxtray.exe
I:\WINDOWS\system32\hkcmd.exe
I:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
I:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\Wacom_Tablet.exe
I:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
I:\WINDOWS\system32\Wacom_Tablet.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
I:\WINDOWS\system32\ctfmon.exe
I:\WINDOWS\explorer.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Documents and Settings\Gloom\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] I:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] I:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] I:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "I:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] I:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "I:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://I:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-27-0.cab
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - I:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - I:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - I:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - I:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - I:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - I:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - I:\WINDOWS\system32\Wacom_Tablet.exe

--
End of file - 7077 bytes

[emeraldnzl]

Good decision there was more there.

In light of finding that bot infection I think we should do this now to make absolutely sure.

Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum.

[Gloom]

SDFix: Version 1.240
Run by Gloom on Sun 02/15/2009 at 11:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: I:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 23:50:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\\Program Files\\BitTornado\\btdownloadgui.exe"="I:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"I:\\Program Files\\MSN Messenger\\msnmsgr.exe"="I:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"I:\\Program Files\\MSN Messenger\\livecall.exe"="I:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"I:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="I:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"I:\\Program Files\\AIM6\\aim6.exe"="I:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"I:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="I:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"I:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="I:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"I:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"="I:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"I:\\Program Files\\MSN Messenger\\msnmsgr.exe"="I:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"I:\\Program Files\\MSN Messenger\\livecall.exe"="I:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 28 Jan 2009 56 ..SHR --- I:\WINDOWS\SYSTEM32\9E1725~1.SYS
Sat 31 Jan 2009 1,682 A.SH. --- I:\WINDOWS\SYSTEM32\KGYGAAVL.SYS
Sat 18 Oct 2008 4,348 ..SH. --- I:\DOCUME~1\ALLUSE~1\DRM\DRMV1.BAK
Sun 17 Aug 2008 0 A.SH. --- I:\DOCUME~1\ALLUSE~1\DRM\CACHE\INDIV01.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\0CEFBD~1\BIT20.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\0ED7E4~1\BIT36.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\1ECCCA~1\BIT3E.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\22C1ED~1\BIT30.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\244220~1\BIT37.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\4CDDF1~1\BIT3B.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\607DA2~1\BIT3D.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\6363BF~1\BIT3C.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\831BAD~1\BIT35.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\88AEDD~1\BIT33.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\BF30BB~1\BIT39.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\CF719F~1\BIT34.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\EB1C9D~1\BIT2F.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\F4AF55~1\BIT26.TMP
Wed 27 Aug 2008 857 ...HR --- I:\DOCUME~1\GLOOM\APPLIC~1\SECUROM\USERDATA\SECURO~1.BAK
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\326097~1\DOWNLOAD\BIT41.TMP
Mon 9 Feb 2009 0 A..H. --- I:\WINDOWS\SOFTWA~1\DOWNLOAD\FA57C8~1\DOWNLOAD\BIT43.TMP

Finished!

[emeraldnzl]

You may already have AFT Cleaner. If you do please Select All and run it. If not please follow the instructions below to download and run.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.

Post a copy of the report back here.

[Gloom]

I saved the report before I "cured" the issues. Hope that doesn't make things confusing.

ComboFix.exe/data002\32788R22FWJFW\c.bat;I:\Documents and Settings\Gloom\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;I:\Documents and Settings\Gloom\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;I:\Documents and Settings\Gloom\Desktop;Archive contains infected objects;;
ComboFix.exe;I:\Documents and Settings\Gloom\Desktop;Container contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;I:\Documents and Settings\Gloom\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe;I:\Documents and Settings\Gloom\Desktop;Archive contains infected objects;Moved.;
Process.exe;I:\SDFix\apps;Tool.Prockill;;
A0016908.bat;I:\System Volume Information\_restore{22CF968A-2925-4ACA-B31E-9921D10BB8D0}\RP238;Probably BATCH.Virus;;
A0017015.exe\SDFix\apps\Process.exe;I:\System Volume Information\_restore{22CF968A-2925-4ACA-B31E-9921D10BB8D0}\RP238\A0017015.exe;Tool.Prockill;;
A0017015.exe;I:\System Volume Information\_restore{22CF968A-2925-4ACA-B31E-9921D10BB8D0}\RP238;Archive contains infected objects;Moved.;

[emeraldnzl]

Hello Gloom,

Looking pretty good there.

How is your computer performing now?

[Gloom]

Well, IE hasn't frozen yet.

The card reader is still not working properly, but i guess I'll take that to the tech forum.

Thanks for all your help!

[emeraldnzl]

The card reader is still not working properly, but i guess I'll take that to the tech forum.

Yes I am afraid that is outside my expertise. Tell them you have been here and give them a link to this thread.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and some tools used in the removal of malware

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

After that please go here to download OTCleanIt.

Run this psrogram to remove the remaining tools we have been using.

You will be asked to reboot the machine to finish the Cleanup process choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. Erunt can also be uninstalled via the add/remove programs utility, for some though, it may be a useful back up program to hold on to. The AFT folder can be deleted but you might like to keep it too. I run it once a week to remove temporary bits and pieces that are not required and can be a security risk. HijackThis can be uninstalled via the Add or Remove Programs utility in the Control Panel. Delete the DrWebCureIt download files.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

---------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellant; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this as an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

• If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting
  
• Microsoft Windows Update
  
  monthly. And to keep your system clean run these free malware scanners
  
• AdAware SE Personal
  
• Spybot Search & Destroy
  
  weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

[emeraldnzl]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.