Malwarebytes

> All kinds of problems, please help, programs failing to initialize, NT shutdown, slow speed, etc
goodfellow
post Nov 2 2009, 10:13 PM
Post #1


New Member
*

Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719



Hello. This weekend I casually visited some website and my Avira virus protection started picking up all kinds of stuff. I indicated that all these worms or whatever should be quarantined. But then my computer started freezing, undergoing different problems. I received messages that the uploading module (engine CRC) had changed for Avira and the program no longer worked all of a sudden. I was told that my attempts to access Malwarebytes were invalid due to address. Then I suddenly did not have sufficient resources to complete almost all computer operations. When I restarted my computer, the display settings changed. All desktop icons and type/font size were much larger. I had insufficient resources or memory to complete all operations. Finally, the whole system froze. I couldn't do anything but watch the mouse move.

Today, I started the system in Safe Mode, ran Malwarebytes. It picked up several things which I have pasted below. Malwarebytes only runs in Safe Mode. In Normal mode, I get a Code 703 (0,7) error message.

Sometimes I get messages that various programs failed to initialize (such as drwtsn32.exe). Once I experienced a sudden NT AUTHORITY/ SYSTEM shutdown--my system was shut off against my will and restarted.

Also, the system is now running very SLOW.

Sorry for the long post. I hope you can help. See logs below (Malware bytes, Avira, Hijackthis).

Malwarebytes' Anti-Malware 1.40
Database version: 2635
Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/2/2009 1:17:27 PM
mbam-log-2009-11-02 (13-17-27).txt

Scan type: Quick Scan
Objects scanned: 89869
Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sxodibk.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sxodibk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\user1\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv591256559586.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv611255594149.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv841255492056.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user1\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

AVIRA LOG


Avira AntiVir Personal
Report file date: Monday, November 02, 2009 13:57

Scanning for 1851309 virus strains and unwanted programs.

Licensed to: Avira AntiVir Personal - FREE Antivirus
Serial number: 0000149996-ADJIE-0000001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: NCR

Version information:
BUILD.DAT : 8.2.0.354 17048 Bytes 10/23/2009 13:15:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/27/2008 02:39:34
AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/19/2008 19:44:57
LUKE.DLL : 8.1.4.5 164097 Bytes 7/19/2008 19:45:06
LUKERES.DLL : 8.1.4.0 12033 Bytes 7/19/2008 19:45:06
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 21:59:23
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 01:16:35
ANTIVIR2.VDF : 7.1.6.160 5413376 Bytes 10/28/2009 01:42:13
ANTIVIR3.VDF : 7.1.6.173 71680 Bytes 10/30/2009 01:42:16
Engineversion : 8.2.1.53
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/16/2009 01:30:24
AESCRIPT.DLL : 8.1.2.43 528764 Bytes 10/31/2009 01:42:56
AESCN.DLL : 8.1.2.5 127346 Bytes 9/5/2009 01:28:42
AERDL.DLL : 8.1.3.2 479604 Bytes 10/3/2009 01:33:40
AEPACK.DLL : 8.2.0.2 422263 Bytes 10/23/2009 01:37:13
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/18/2009 01:13:46
AEHEUR.DLL : 8.1.0.173 2064760 Bytes 10/31/2009 01:42:49
AEHELP.DLL : 8.1.7.0 237940 Bytes 9/5/2009 01:28:41
AEGEN.DLL : 8.1.1.70 364917 Bytes 10/31/2009 01:42:25
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 01:33:29
AECORE.DLL : 8.1.8.1 184693 Bytes 9/16/2009 01:30:18
AEBB.DLL : 8.1.0.3 53618 Bytes 10/16/2008 02:49:28
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/19/2008 19:44:58
AVPREF.DLL : 8.0.2.0 38657 Bytes 7/19/2008 19:44:57
AVREP.DLL : 8.0.0.3 155688 Bytes 4/20/2009 21:23:43
AVREG.DLL : 8.0.0.1 33537 Bytes 7/19/2008 19:44:57
AVARKT.DLL : 1.0.0.23 307457 Bytes 4/14/2008 22:36:50
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/19/2008 19:44:56
SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/14/2008 22:37:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/19/2008 19:45:09
NETNT.DLL : 8.0.0.1 7937 Bytes 4/14/2008 22:37:01
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/19/2008 19:44:34
RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/19/2008 19:44:34

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Monday, November 02, 2009 13:57

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'infocard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Hotsync.exe' - '1' Module(s) have been scanned
Scan process 'DvzIncMsgr.exe' - '1' Module(s) have been scanned
Scan process 'restorer32_a.exe' - '1' Module(s) have been scanned
Scan process 'sa23sl.exe' - '1' Module(s) have been scanned
Scan process 'MtdAcqu.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'restorer32_a.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\' <XP 10GB>
C:\pagefile.sys
[WARNING] The file could not be opened!


End of the scan: Monday, November 02, 2009 15:26
Used time: 1:28:55 Hour(s)

The scan has been done completely.

5769 Scanning directories
345331 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
345330 Files not concerned
2709 Archives were scanned
1 Warnings
0 Notes

HIJACK THIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:15 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\restorer32_a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\WINDOWS\sa23sl.exe
C:\Documents and Settings\user1\restorer32_a.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Temp\wpv081257179558.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
O4 - HKLM\..\Run: [Mbokeru] rundll32.exe "C:\WINDOWS\ewevidif.dll",Startup
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv081257179558.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\user1\restorer32_a.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: zavupd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6434 bytes
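The HijackThis log above is what the helper reads to pick out the bad autoruns: entries launched from C:\WINDOWS\Temp, from the root of a user profile or of C:\WINDOWS, a rundll32 line loading a DLL from outside system32, a Run value named after a system tool. As an added example that is not from the original post or from any Malwarebytes or HijackThis tool, the script below parses O4 lines in HijackThis format and applies those location heuristics; the sample lines are constructed from the entries in this log, and the heuristics and their wording are my own assumptions, not a vendor's detection logic.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed sample input: O4 (autorun) lines in HijackThis format, modelled on
# the entries in the log above. Other HijackThis sections (R0/R1, O2, O9, O16, O23) are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
O4 - HKLM\..\Run: [Mbokeru] rundll32.exe "C:\WINDOWS\ewevidif.dll",Startup
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv081257179558.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\user1\restorer32_a.exe
O4 - Startup: zavupd32.exe
"""

# Registry autoruns: "O4 - HKLM\..\Run: [name] command" (also HKCU and HKUS\<SID>\..\RunOnce).
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Startup-folder autoruns: "O4 - Startup: file" or "O4 - Global Startup: x.lnk = path".
O4_DIR = re.compile(r"^O4 - (?P<loc>Startup|Global Startup): (?P<cmd>.*)$")
# First program of a command line: a quoted path, or an unquoted path (spaces allowed)
# that ends in a known executable extension and is followed by whitespace, a comma or EOL.
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|com|bat|cmd))(?=[\s,]|$)', re.I
)

# Heuristic labels (assumed wording, not a vendor's classification).
R_TEMP = "launched from a Temp directory"
R_PROFILE = "executable sits directly in a user profile root"
R_WINROOT = "executable sits directly in the Windows directory"
R_RUNDLL = "rundll32 loads a DLL from outside system32"
R_REGEDIT = "Run entry launches regedit.exe at logon"
R_BARE = "no directory given; locate the file before judging it"

Finding = namedtuple("Finding", "name location target reasons")


def split_command(cmd: str):
    """Return (first program or path, remaining arguments) of an O4 command string."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd, ""
    return (m.group("q") or m.group("u")), cmd[m.end():].strip()


def resolve_target(cmd: str):
    """Return (file that really runs, via_rundll32); for rundll32 that is the DLL argument."""
    prog, rest = split_command(cmd)
    if prog.lower().endswith("rundll32.exe") and rest:
        return split_command(rest)[0], True
    return prog, False


def assess(target: str, via_rundll32: bool = False) -> list:
    """Location heuristics for one autorun target; an empty list means nothing odd was seen."""
    p = PureWindowsPath(target)
    parts = [s.lower() for s in p.parts]  # e.g. ['c:\\', 'windows', 'temp', 'x.exe']
    in_windows = len(parts) >= 2 and parts[1] == "windows"
    reasons = []
    if "temp" in parts[:-1]:
        reasons.append(R_TEMP)
    if len(parts) == 4 and parts[1] == "documents and settings":
        reasons.append(R_PROFILE)
    if len(parts) == 3 and in_windows and p.suffix.lower() == ".exe":
        reasons.append(R_WINROOT)
    if via_rundll32 and not (in_windows and len(parts) >= 3 and parts[2] == "system32"):
        reasons.append(R_RUNDLL)
    if p.name.lower() == "regedit.exe":
        reasons.append(R_REGEDIT)
    if len(parts) == 1:
        reasons.append(R_BARE)
    return reasons


def triage(log_text: str) -> list:
    """Parse O4 lines and return only the entries that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_REG.match(line)
        if m:
            target, via = resolve_target(m["cmd"])
            name, location = m["name"], f'{m["hive"]}\\..\\{m["key"]}'
        else:
            m = O4_DIR.match(line)
            if not m:
                continue
            name, _, target = m["cmd"].partition(" = ")  # "x.lnk = path" or a bare file name
            target = split_command(target or name)[0]
            via, location = False, m["loc"]
        reasons = assess(target, via)
        if reasons:
            findings.append(Finding(name, location, target, reasons))
    return findings
```

A hit only means the entry deserves a look; legitimate software can also live in odd places, so the file itself (vendor, signature, hash lookup) still decides.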
Rosty
post Nov 3 2009, 03:45 PM
Post #2


Advanced Member
***

Group: Trusted Advisors
Posts: 122
Joined: 3-June 07
From: Belgium
Member No.: 1,322



Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.


goodfellow
post Nov 3 2009, 08:59 PM
Post #3


New Member
*

Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719



Here is the combofix log you requested. Let me know what the trouble is/ was and if there are other steps I should complete.

ComboFix 09-11-03.01 - user1 11/03/2009 14:47.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.115 [GMT -5:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\user1\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\ewevidif.dll
c:\windows\system32\cffii.ini
c:\windows\system32\cffii.ini2
c:\windows\system32\restorer32_a.exe
c:\windows\system32\stem32~1
c:\windows\system32\wqehlbhb.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
.

2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-02 17:57 . 2009-11-02 17:57 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}
2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files
2009-10-31 18:50 . 2009-11-03 18:29 0 ----a-w- c:\windows\Xbahi.bin
2009-10-31 18:50 . 2009-11-03 18:29 120 ----a-w- c:\windows\Wfawevozuji.dat
2009-10-31 18:49 . 2009-10-31 18:49 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}
2009-10-31 18:46 . 2009-10-31 18:46 47104 ----a-w- c:\documents and settings\user1\restorer32_a.exe
2009-10-31 18:44 . 2009-10-31 18:44 36864 ----a-w- c:\windows\sa23sl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 18:31 . 2009-11-02 18:31 6435 ----a-w- c:\program files\hijackthis.log
2009-11-02 17:50 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2
2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3
2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel
2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller
2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real
2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security
2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-24 00:28 . 2007-09-13 02:05 1636 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2006-10-08 21:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2006-10-08 21:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2006-10-08 22:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2006-10-08 21:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2006-10-08 21:40 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 04:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2006-10-08 21:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-11-20 20:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2006-10-08 21:40 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"restorer32_a"="c:\documents and settings\user1\restorer32_a.exe" [2009-10-31 47104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]
S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-03 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-restorer32_a - c:\windows\system32\restorer32_a.exe
HKLM-Run-Mbokeru - c:\windows\ewevidif.dll
HKLM-Run-Regedit32 - c:\windows\system32\regedit.exe
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-03 15:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-03 15:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-03 20:27

Pre-Run: 1,993,531,392 bytes free
Post-Run: 2,062,561,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

goodfellow
post Nov 6 2009, 04:21 PM
Post #4


New Member
*

Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719



Hi. It has been several days since I was instructed to download Combofix, run it, and post the log to my thread. Still waiting on a reply. My computer is working much better now but I would like for someone to take a look at the Combofix log and let me know if everything is okay. Also, can someone tell me what was wrong with my computer?

Thanks
Rosty
post Nov 6 2009, 04:36 PM
Post #5


Advanced Member
***

Group: Trusted Advisors
Posts: 122
Joined: 3-June 07
From: Belgium
Member No.: 1,322



Hi,

Sorry for the delay!! I overlooked your topic.

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
c:\documents and settings\user1\restorer32_a.exe
c:\windows\sa23sl.exe
c:\windows\Wfawevozuji.dat
c:\windows\Xbahi.bin

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer32_a"=-



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


goodfellow
post Nov 6 2009, 09:56 PM
Post #6


New Member
*

Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719



Thanks. Below are the new Combofix and Hijackthis log files that you requested.

ComboFix 09-11-05.05 - user1 11/06/2009 15:56.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.107 [GMT -5:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user1\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\user1\restorer32_a.exe"
"c:\windows\sa23sl.exe"
"c:\windows\Wfawevozuji.dat"
"c:\windows\Xbahi.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}
c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{C3052C9C-5887-4B65-819A-50A5ABEADD56}\install.rdf
c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}
c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome.manifest
c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome\content\_cfg.js
c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\chrome\content\overlay.xul
c:\documents and settings\user1\Local Settings\Application Data\{8DF5B707-E645-4D92-83EA-10ABB965D1F2}\install.rdf
c:\windows\Wfawevozuji.dat
c:\windows\Xbahi.bin

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-05 23:51 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 23:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 23:50 . 2009-11-05 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 23:10 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 23:10 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-05 23:10 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-05 23:10 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\program files\Avira
2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 23:51 . 2009-05-13 17:48 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-11-05 23:50 . 2009-05-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 19:45 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2
2009-11-05 08:24 . 2007-09-13 02:05 2296 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3
2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel
2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-27 02:21 . 2009-09-27 02:21 1244648 ----a-w- c:\documents and settings\user1\Application Data\MSNInstaller\msnauins.exe
2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller
2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real
2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security
2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-22 18:07 . 2009-09-22 18:05 17204720 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\rp\.exe
2009-09-22 18:05 . 2009-09-22 18:05 8406648 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-22 18:04 . 2009-09-22 18:04 10309448 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-22 18:02 . 2009-09-22 18:02 64000 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-22 18:02 . 2009-09-22 18:02 52288 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-22 18:02 . 2009-09-22 18:02 50688 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-22 18:02 . 2009-09-22 18:02 81920 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_20.11.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-11-06 00:15 . 2009-11-06 00:15 16384 c:\windows\temp\Perflib_Perfdata_1b0.dat
+ 2007-11-19 02:22 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-11-05 23:00 . 2009-11-05 23:00 228352 c:\windows\Installer\d5d61.msi
+ 2009-11-06 08:00 . 2009-11-06 08:00 195584 c:\windows\Installer\1aafe01.msi
+ 2009-11-05 02:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 02:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-05 02:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [BU]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]
S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-06 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 16:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-06 16:27
ComboFix-quarantined-files.txt 2009-11-06 21:26
ComboFix2.txt 2009-11-03 20:27

Pre-Run: 1,906,896,896 bytes free
Post-Run: 2,000,027,648 bytes free

- - End Of File - - 64255F8F14C9742C7642758CF87EDDDD










Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:07 PM, on 11/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5657 bytes
Rosty
post Nov 7 2009, 08:37 AM
Post #7


Advanced Member
***

Group: Trusted Advisors
Posts: 122
Joined: 3-June 07
From: Belgium
Member No.: 1,322



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

QUOTE
File::
c:\windows\Installer\d5d61.msi
c:\windows\Installer\1aafe01.msi

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer32_a"=-
Renv::



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


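One way to check the outcome of the CFScript above from the logs it asks for, as an added example that is not part of this thread and not code from ComboFix or HijackThis: diff the O4 autostart entries of the before and after HijackThis logs, and list the ComboFix Run-key values that were printed with a bracketed marker such as [X] or [BU] rather than a date and size. The log excerpts inside the script are constructed from lines quoted in this thread; the function names are my own.

```python
"""Verify a ComboFix CFScript run from the logs it produces.

Added example; not part of this thread and not code from ComboFix or HijackThis.
It diffs the O4 autostart entries of a before/after pair of HijackThis logs and
lists ComboFix "Reg Loading Points" values that carry a marker such as [X] or
[BU] instead of the "[date size]" stamp seen on the other entries.
The log excerpts below are constructed from lines quoted in the thread.
"""
import re

# HijackThis O4 registry line:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

# ComboFix Run-key value:  "name"="command" [2009-03-02 209153]
# or, with a marker instead of a stamp:  "name"="command" [BU]
# or, with a resolved path:  "name"="file.exe" - c:\path\file.exe [date size]
CF_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: - (?P<path>.*?))? \[(?P<stamp>[^\]]+)\]$')
CF_STAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')   # "[YYYY-MM-DD size]"

# Constructed excerpt of the HijackThis log posted before the CFScript run.
HJT_BEFORE = r'''
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
'''

# Constructed excerpt of the log posted after the run: restorer32_a is gone.
HJT_AFTER = r'''
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
'''

# Constructed excerpt of the "Reg Loading Points" section of the first ComboFix log.
CF_RUN_KEYS = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [BU]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]
'''


def parse_hjt_autostarts(log_text):
    """Map (hive, value name) -> command for every O4 registry entry in a HijackThis log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m.group("hive"), m.group("name"))] = m.group("cmd")
    return entries


def diff_autostarts(before_log, after_log):
    """Report which O4 entries disappeared, appeared, or changed command between two logs."""
    before = parse_hjt_autostarts(before_log)
    after = parse_hjt_autostarts(after_log)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def unstamped_run_entries(combofix_text):
    """Return (name, command, marker) for Run-key values that ComboFix printed with a
    bracketed marker instead of a date and size; these are the ones to look at by hand
    before deciding what goes into a CFScript."""
    flagged = []
    for line in combofix_text.splitlines():
        m = CF_VALUE_RE.match(line.strip())
        if m and not CF_STAMP_RE.match(m.group("stamp")):
            flagged.append((m.group("name"), m.group("cmd"), m.group("stamp")))
    return flagged


if __name__ == "__main__":
    for name, cmd, marker in unstamped_run_entries(CF_RUN_KEYS):
        print(f"review: {name} -> {cmd} [{marker}]")
    result = diff_autostarts(HJT_BEFORE, HJT_AFTER)
    for hive, name in result["removed"]:
        print(f"removed: {hive} [{name}]")
    print("unexpected additions:", result["added"])
```

Run it against the full logs by reading the two HijackThis files and the ComboFix log from disk in place of the embedded excerpts; a non-empty "added" or "changed" list after a CFScript run is the thing to investigate.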
goodfellow
post Nov 8 2009, 01:42 AM
Post #8


New Member
*

Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719



Okay. Here are the HijackThis and ComboFix files you requested. I really appreciate your help.







ComboFix 09-11-07.02 - user1 11/07/2009 19:50.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.143 [GMT -5:00]
Running from: c:\documents and settings\user1\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user1\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\Installer\1aafe01.msi"
"c:\windows\Installer\d5d61.msi"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\1aafe01.msi
c:\windows\Installer\d5d61.msi

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-05 23:51 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-05 23:50 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 23:50 . 2009-11-05 23:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-05 23:10 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-05 23:10 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-05 23:10 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-05 23:10 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\program files\Avira
2009-11-05 23:09 . 2009-11-05 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-02 17:58 . 2009-11-02 17:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-02 17:57 . 2009-11-02 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-31 21:03 . 2009-10-31 21:03 -------- d-----w- c:\documents and settings\user1\Local Settings\Application Data\WMTools Downloaded Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 00:36 . 2006-10-16 00:06 -------- d-----w- c:\documents and settings\user1\Application Data\OpenOffice.org2
2009-11-06 21:35 . 2009-11-06 21:35 5658 ----a-w- c:\program files\hijackthis.log
2009-11-05 23:51 . 2009-05-13 17:48 -------- d-----w- c:\documents and settings\user1\Application Data\Malwarebytes
2009-11-05 23:50 . 2009-05-13 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-05 08:24 . 2007-09-13 02:05 2296 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 19:35 . 2006-10-08 22:12 23512 ----a-w- c:\documents and settings\user1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 20:30 . 2007-05-13 02:20 -------- d-----w- c:\documents and settings\user1\Application Data\U3
2009-10-01 20:18 . 2009-10-01 20:17 -------- d-----w- c:\program files\Intel
2009-10-01 20:10 . 2009-10-01 20:10 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-27 02:21 . 2009-09-27 02:21 1244648 ----a-w- c:\documents and settings\user1\Application Data\MSNInstaller\msnauins.exe
2009-09-27 02:21 . 2009-09-27 02:21 -------- d-----w- c:\documents and settings\user1\Application Data\MSNInstaller
2009-09-27 01:36 . 2006-10-19 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-27 01:34 . 2008-07-04 21:31 -------- d-----w- c:\program files\Common Files\Real
2009-09-27 01:32 . 2009-05-13 17:38 -------- d-----w- c:\program files\Panda Security
2009-09-26 20:34 . 2009-09-26 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-09-22 18:07 . 2009-09-22 18:05 17204720 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\rp\.exe
2009-09-22 18:05 . 2009-09-22 18:05 8406648 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-22 18:04 . 2009-09-22 18:04 10309448 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-22 18:02 . 2009-09-22 18:02 64000 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-22 18:02 . 2009-09-22 18:02 52288 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-22 18:02 . 2009-09-22 18:02 50688 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-22 18:02 . 2009-09-22 18:02 81920 ----a-w- c:\documents and settings\user1\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 04:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-13 20:53 . 2009-05-13 20:53 396288 ----a-w- c:\program files\HijackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-03_20.11.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-11-07 19:07 . 2009-11-07 19:07 16384 c:\windows\temp\Perflib_Perfdata_1c8.dat
- 2001-08-23 15:00 . 2009-11-03 20:16 67312 c:\windows\system32\perfc009.dat
+ 2001-08-23 15:00 . 2009-11-07 19:41 67312 c:\windows\system32\perfc009.dat
+ 2007-11-19 02:22 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2001-08-23 15:00 . 2009-11-03 20:16 432356 c:\windows\system32\perfh009.dat
+ 2001-08-23 15:00 . 2009-11-07 19:41 432356 c:\windows\system32\perfh009.dat
+ 2009-11-05 02:00 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-05 02:00 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2004-08-04 04:56 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-05 02:00 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AtiPTA"="Atiptaxx.exe" - c:\windows\system32\atiptaxx.exe [2001-10-10 270336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2008-4-2 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/5/2009 6:10 PM 108289]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\windows\system32\drivers\cwbwdm.sys [10/8/2006 12:28 PM 72832]
S3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2/18/2002 1:19 PM 303360]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-11-08 c:\windows\Tasks\User_Feed_Synchronization-{0BAEA8CC-473C-4E20-92A9-FF0C786FB0BB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} - hxxp://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-08 20:19
ComboFix-quarantined-files.txt 2009-11-08 01:18
ComboFix2.txt 2009-11-06 21:27
ComboFix3.txt 2009-11-03 20:27

Pre-Run: 2,024,112,128 bytes free
Post-Run: 2,045,112,320 bytes free

- - End Of File - - 9C1A199B9B9033CF6C1536820B1EC5C3











Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:33 PM, on 11/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab...reqlab_srlx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535179253
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188535170821
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5466 bytes
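As an added example (not code from this thread or from HijackThis), the Python below parses the kinds of lines shown in the log above and flags the autostart entries an analyst would look at first: an O4 value that names a bare executable with no directory, the way `[AtiPTA] Atiptaxx.exe` does, an unquoted Run value whose path contains spaces, or anything loading from outside the Windows and Program Files trees. The flagging rules are the example's own heuristics, the sample input is a subset of lines copied from the log, and a flag only means "check this", not that the entry is malicious.

```python
"""Triage helper for HijackThis-style log lines.

Added example; not code from this thread or from HijackThis. Parses the
O2 (BHO), O4 (autostart), O16 (downloaded ActiveX) and O23 (service) lines
and flags autostarts worth a second look:
  bare-filename              no directory, so Windows locates the image via
                             the search path; a same-named file placed
                             earlier in that path runs instead
  unquoted-path-with-spaces  registry Run value with spaces in the image
                             path and no quotes (CWE-428 style ambiguity)
  unusual-location           image outside the Windows / Program Files trees
The rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "%systemroot%\\")

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<image>.+)$")
RE_O4_REG = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O4_DIR = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
RE_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]*)\))? - (?P<vendor>.+?) - (?P<image>.+)$"
)
EXE_EXT = re.compile(r"\.(?:exe|com|scr|pif|bat|cmd|dll)(?=\s|$)", re.IGNORECASE)


@dataclass
class Entry:
    kind: str               # "O2", "O4", "O16" or "O23"
    name: str               # value name, display name or ActiveX name
    image: str              # executable, DLL or CAB URL
    flags: Tuple[str, ...]


def first_token(cmd: str) -> str:
    """Return the program part of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.search(cmd)
    if m:                               # unquoted path, possibly with spaces
        return cmd[:m.end()]
    return cmd.split(" ", 1)[0]         # no known extension: cut at first space


def image_flags(image: str) -> Tuple[str, ...]:
    low = image.lower()
    if "\\" not in low:
        return ("bare-filename",)
    if not low.startswith(TRUSTED_ROOTS):
        return ("unusual-location",)
    return ()


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = RE_O2.match(line)
    if m:
        return Entry("O2", m["name"], m["image"], image_flags(m["image"]))
    m = RE_O4_REG.match(line)
    if m:
        cmd = m["cmd"].strip()
        image = first_token(cmd)
        flags = image_flags(image)
        if not cmd.startswith('"') and " " in image:
            flags += ("unquoted-path-with-spaces",)
        return Entry("O4", m["name"], image, flags)
    m = RE_O4_DIR.match(line)
    if m:                               # Startup-folder shortcut: target only
        image = m["cmd"].strip()
        return Entry("O4", m["name"], image, image_flags(image))
    m = RE_O16.match(line)
    if m:
        return Entry("O16", m["name"], m["url"], ())
    m = RE_O23.match(line)
    if m:
        return Entry("O23", m["name"], m["image"], image_flags(m["image"]))
    return None                         # R0/R1/O9 and header lines not handled


def triage(log_text: str) -> List[Entry]:
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None]


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.kind} [{e.name}] {e.image}: {', '.join(e.flags)}")
```

Run against the sample it reports `[AtiPTA] Atiptaxx.exe` and `[RunNarrator] Narrator.exe` as bare filenames; the next step for either is to locate the file actually resolved on the machine and check its publisher and hash, which the log alone cannot tell you. The O16 entries are kept without flags because a CAB URL is only meaningful once you decide which download hosts you trust.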
Rosty
post Nov 8 2009, 08:03 AM
Post #9
Advanced Member
Group: Trusted Advisors
Posts: 122
Joined: 3-June 07
From: Belgium
Member No.: 1,322

How are things running now?


goodfellow
post Nov 9 2009, 04:27 PM
Post #10
New Member
Group: Members
Posts: 10
Joined: 13-May 09
Member No.: 13,719

Everything seems to be in order. Thanks for your assistance. The only problem I encounter now and then is that the taskbar of my window will turn black, making it impossible to see the words on the bar. But I can still use the taskbar. I'm not sure this is a virus problem. The black color comes and goes. Let me know if you have a remedy for this.
Rosty
post Nov 9 2009, 05:09 PM
Post #11
Advanced Member
Group: Trusted Advisors
Posts: 122
Joined: 3-June 07
From: Belgium
Member No.: 1,322

Your computer now seems to be clean.

The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
  • Go to Start
  • Click on Run
  • Type ComboFix /u (Note: This command is case sensitive.)


  1. Clean out Temporary Files etc.
    This program is for Vista, XP and Windows 2000 only
    Please download ATF Cleaner by Atribune.
    1. Double-click ATF-Cleaner.exe to run the program.
    2. Under Main choose: Select All. Then remove the check mark for cookies
    3. Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • Remove the check mark for Cookies
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.
    If you use Opera browser
    • Click Opera at the top and choose: Select All.
    • Remove the check mark for Cookies
    • Click the Empty Selected button.
    It is a good idea to do this every few weeks as a lot of junk collects there over time.

  2. Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and press OK
    Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
    Press OK and Yes to confirm

  3. Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders", if necessary, select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended).
    • If necessary, check "Display content of system folders".
    • If necessary, uncheck Hide file extensions for known file types.
    • Click OK


  4. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  5. Download and install the free version of Malwarebytes' Anti-Malware to your desktop. Check for the latest updates and perform a full system scan. This is an on-demand scanner and runs very well with Winpatrol.
  6. If you are using Internet Explorer v. 7 please read and follow the recommendations at this site. http://surfthenetsafely.com/ieseczone8.htm
  7. Update your antivirus software - It is imperative that you update your antivirus software at least a few times a week (once a day is a good idea). If you do not update your antivirus software, it will not be able to catch new variants that come out.
  8. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.
  9. Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.
  10. Visit Microsoft's Windows Update site frequently or, better yet, set the computer to automatic updates.
  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  12. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.

  13. Please check out Tony Klein's article "How did I get infected in the first place?"

Follow this list and your potential for being infected again will reduce dramatically. (prevention speech by Elrond)



Regards,

Rosty.


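Step 3 of Rosty's post, as an added example that is not part of the original thread: the three Folder Options checkboxes it describes are the `Hidden`, `ShowSuperHidden` and `HideFileExt` DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The Python below reads a registry export of that key, reports which values differ from the settings the post recommends, and writes a .reg fragment that applies only the corrections. The export text is constructed for the example; the registry value names and meanings are real, the fourth value in the sample (`WebView`) is there only to show that unrelated values pass through untouched.

```python
"""Folder Options check for step 3 of the post above.

Added example; not the thread's own code. The three checkboxes map to DWORD
values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced:
  Hidden           1 = show hidden files and folders, 2 = do not show
  ShowSuperHidden  1 = show protected operating system files, 0 = hide
  HideFileExt      1 = hide extensions for known file types, 0 = show them
The code reads those values from a regedit / 'reg export' text dump, reports
which deviate from the recommended settings, and renders a .reg fragment that
sets only the deviating ones. SAMPLE_EXPORT is constructed for the example;
nothing here touches a live registry.
"""
import re
from typing import Dict, Optional, Tuple

ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# value name -> (recommended DWORD, reason)
RECOMMENDED: Dict[str, Tuple[int, str]] = {
    "Hidden": (2, "do not show hidden files and folders"),
    "ShowSuperHidden": (0, "hide protected operating system files"),
    "HideFileExt": (0, "show extensions so report.txt.exe cannot pose as report.txt"),
}

REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[str, int]:
    """Collect the DWORD values stored directly under the Advanced key."""
    values: Dict[str, int] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == ADVANCED_KEY.lower()   # skip other keys
            continue
        m = REG_DWORD.match(line)
        if in_key and m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit(current: Dict[str, int]) -> Dict[str, Tuple[Optional[int], int, str]]:
    """Return {name: (current, recommended, reason)} for every deviating value.

    A missing value counts as a deviation: Explorer then uses its built-in
    default, which for HideFileExt is 1 (extensions hidden)."""
    out: Dict[str, Tuple[Optional[int], int, str]] = {}
    for name, (want, why) in RECOMMENDED.items():
        have = current.get(name)
        if have != want:
            out[name] = (have, want, why)
    return out


def reg_fix(deviations: Dict[str, Tuple[Optional[int], int, str]]) -> str:
    """Render a .reg fragment (importable with regedit) for the deviating values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ADVANCED_KEY}]"]
    for name, (_have, want, why) in deviations.items():
        lines.append(f"; {why}")
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample of a 'reg export' dump: hidden files shown, protected OS
# files shown and, the risky one, extensions hidden. The subkey at the end is
# constructed only to show that values outside the Advanced key are ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000001
"WebView"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder]
"HideFileExt"=dword:00000000
"""

if __name__ == "__main__":
    found = audit(parse_reg_export(SAMPLE_EXPORT))
    for name, (have, want, why) in found.items():
        print(f"{name}: {have} -> {want}  ({why})")
    print(reg_fix(found))
```

On the XP machine itself, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" advanced.reg` produces the input; the file is UTF-16, so open it with `encoding="utf-16"` before passing it to `parse_reg_export`. Of the three settings, showing file extensions is the one with direct security value: with `HideFileExt` at 1, a downloaded `invoice.pdf.exe` is displayed as `invoice.pdf`. Explorer picks the new values up after you log off and on again.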
