[Resolved] ComboFix and HJT log

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Resolved] ComboFix and HJT log

Options

SkweRLyNutZ View Member Profile	Sep 30 2008, 05:24 AM Post #1
New Member Group: New Member Posts: 5 Joined: 30-September 08 Member No.: 81,743 Operating System: Windows XP	I recently got the outerinfo virus from what i can tell. i went here.. http://forums.whatthetech.com/How_To_Remov...elp_t72137.html and followed the instructions to the best of my ability. here are my combofix and HJTlogs combo fix ComboFix 08-09-28.03 - Administrator 2008-09-29 22:23:02.1 - NTFSx86 NETWORK Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519 [GMT -4:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@ad.yieldmanager[2].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@delb.opt.fimserve[2].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@insightexpressai[2].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@media6degrees[1].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@statcounter[1].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@trafficmp[1].txt C:\Documents and Settings\SkweRLy NutZ\Cookies\skwerly_nutz@ww0.timeout[2].txt C:\Documents and Settings\SkweRLy NutZ\My Documents\CROSOF~1 C:\Documents and Settings\SkweRLy NutZ\My Documents\CROSOF~1\j?vaw.exe C:\Program Files\GetModule C:\Program Files\GetModule\dicik.gz C:\Program Files\GetModule\kwdik.gz C:\Program Files\GetModule\ozadik.gz C:\Program Files\VnrBlock C:\Program Files\VnrBlock\VnrBlock21.exe C:\Program Files\VnrBlock\xoffdic.gz C:\Program Files\VnrBlock\xtarga.gz C:\WINDOWS\asks~1 C:\WINDOWS\asks~1\?asks\ C:\WINDOWS\asks~1\msiexec.exe C:\WINDOWS\BM17bd3e96.txt C:\WINDOWS\BM17bd3e96.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\adKUFfhk.ini C:\WINDOWS\system32\adKUFfhk.ini2 C:\WINDOWS\system32\amnbfqhn.ini C:\WINDOWS\system32\Desktop_.ini C:\WINDOWS\system32\geBtQjKE.dll C:\WINDOWS\system32\gvqwhlbw.ini C:\WINDOWS\system32\khfFUKda.dll C:\WINDOWS\system32\xxywVlLD.dll ----- BITS: Possible infected sites ----- hxxp://resources.zune.net . ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 ))))))))))))))))))))))))))))))) . 2008-09-29 18:25 . 2008-09-29 18:25 <DIR> d-------- C:\Documents and Settings\SkweRLy NutZ\Application Data\PC Tools 2008-09-29 18:22 . 2008-09-29 18:22 101,888 --a------ C:\WINDOWS\system32\ikhekniy.dll 2008-09-29 18:22 . 2008-09-29 18:22 67,072 --a------ C:\WINDOWS\system32\wblhwqvg.dll 2008-09-29 17:59 . 2008-09-29 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore 2008-09-29 17:58 . 2008-09-29 22:32 <DIR> d-------- C:\Program Files\PC Tools AntiVirus 2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Program Files\Common Files\PC Tools 2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools 2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools 2008-09-29 17:58 . 2007-12-06 15:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys 2008-09-29 17:58 . 2007-12-06 15:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys 2008-09-29 17:58 . 2008-02-12 10:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys 2008-09-29 17:51 . 2008-04-23 18:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek 2008-09-29 17:51 . 2008-09-29 17:52 <DIR> d-------- C:\Documents and Settings\Administrator 2008-09-29 00:46 . 2008-09-29 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-09-29 00:41 . 2008-09-29 00:41 25,740,800 --a------ C:\antivir_workstation_winu_en_hp.exe 2008-09-29 00:21 . 2008-09-29 00:21 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico 2008-09-29 00:20 . 2008-09-29 00:20 4,286 --a------ C:\WINDOWS\system32\Jamster.ico 2008-09-28 18:26 . 2008-09-28 18:26 128,000 --a------ C:\WINDOWS\system32\mimrqr.dll 2008-09-28 18:26 . 2008-09-28 18:26 128,000 --a------ C:\WINDOWS\system32\jrroiore.dll 2008-09-28 18:23 . 2008-09-28 18:23 71,168 --a------ C:\WINDOWS\system32\nhqfbnma.dll 2008-09-28 18:21 . 2008-09-28 18:21 105,984 --a------ C:\WINDOWS\system32\wfbwqjly.dll 2008-09-28 18:15 . 2008-09-26 14:27 184,320 --a------ C:\WINDOWS\system32\pxl.dll 2008-09-17 21:08 . 2008-05-02 09:25 465,920 --a------ C:\WINDOWS\system32\imapi2fs.dll 2008-09-17 21:08 . 2008-05-02 09:25 465,920 -----c--- C:\WINDOWS\system32\dllcache\imapi2fs.dll 2008-09-17 21:08 . 2008-05-02 09:25 317,952 --a------ C:\WINDOWS\system32\imapi2.dll 2008-09-17 21:08 . 2008-05-02 09:25 317,952 -----c--- C:\WINDOWS\system32\dllcache\imapi2.dll 2008-09-17 21:08 . 2008-05-02 06:49 62,976 -----c--- C:\WINDOWS\system32\dllcache\cdrom.sys 2008-09-12 18:48 . 2008-09-12 18:48 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe 2008-09-12 18:46 . 2008-09-12 18:46 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe 2008-09-08 01:19 . 2008-09-08 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-09-08 01:18 . 2008-09-08 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-09-08 01:17 . 2008-09-08 01:19 <DIR> d-------- C:\Program Files\QuickTime 2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\en 2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\bits 2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\l2schemas 2008-08-26 19:35 . 2008-04-13 20:12 1,306,624 --a------ C:\WINDOWS\system32\msxml6.dll 2008-08-24 17:13 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-08-10 18:04 . 2008-08-10 18:04 0 --a------ C:\WINDOWS\BP.INI 2008-08-10 16:54 . 2008-08-10 16:54 24,626 --a------ C:\WINDOWS\FUJIGOLF.DAT 2008-08-10 16:54 . 2008-08-10 16:54 214 --a------ C:\WINDOWS\FUJIGOLF.INI 2008-08-10 16:12 . 2008-08-10 16:48 37,473 --a------ C:\WINDOWS\system32\muzika.xm 2008-08-09 22:10 . 2008-08-09 22:10 <DIR> d-------- C:\Program Files\Trymedia 2008-08-09 22:04 . 2008-08-18 00:24 157 --a------ C:\WINDOWS\popcinfo.dat 2008-08-09 21:56 . 2008-08-10 16:34 <DIR> d-------- C:\Program Files\PopCap Games . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-30 02:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-09-29 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint 2008-09-29 04:46 --------- d-----w C:\Program Files\Avira 2008-09-28 22:33 --------- d-----w C:\Program Files\SpywareBlaster 2008-09-28 02:44 --------- d-----w C:\Documents and Settings\SkweRLy NutZ\Application Data\LimeWire 2008-09-27 04:08 --------- d-----w C:\Documents and Settings\SkweRLy NutZ\Application Data\dvdcss 2008-09-18 01:14 --------- d-----w C:\Program Files\Zune 2008-09-12 22:32 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys 2008-09-10 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll 2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe 2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll 2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll 2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll 2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll 2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll 2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll 2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll 2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll 2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e0c7fb1-78b6-4dc0-9eea-39792d9851b0}] 2008-09-28 18:26 128000 --a------ C:\WINDOWS\system32\mimrqr.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E36FCB8C-2036-7CC7-187A-5C109D7C2790}] 2008-09-26 14:27 184320 --a------ C:\WINDOWS\system32\pxl.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Qikgbd"="C:\Documents and Settings\SkweRLy NutZ\My Documents\??crosoft\j?vaw.exe" [?] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360] "EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 118784] "MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2008-04-13 208896] "LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 709992] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-28 766041] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-09-12 160160] "UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-08 413696] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497] "PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000] "148e0d0a"="C:\WINDOWS\system32\wblhwqvg.dll" [2008-09-29 67072] "BM17bd3e96"="C:\WINDOWS\system32\ikhekniy.dll" [2008-09-29 101888] "SkyTel"="SkyTel.EXE" [2006-07-19 C:\WINDOWS\SkyTel.exe] "RTHDCPL"="RTHDCPL.EXE" [2006-07-19 C:\WINDOWS\RTHDCPL.exe] "AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 C:\WINDOWS\AGRSMMSG.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=mimrqr.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\PopCap Games\\AstroPop Deluxe\\WinAP.exe"= "C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"= R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832] R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-07-11 164097] R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-06-12 258305] R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-05-09 41217] R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720] R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832] R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-09-12 61856] S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-09-12 245664] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{781665a9-cea1-11dc-bf65-81723855269b}] \Shell\AutoRun\command - wd_windows_tools\setup.exe . Contents of the 'Scheduled Tasks' folder . - - - - ORPHANS REMOVED - - - - URLSearchHooks-{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file) BHO-{385DE08E-4F9B-43CA-8B89-2DB9AE93ED67} - C:\WINDOWS\system32\khfFUKda.dll HKCU-Run-SkinClock - F:\Atomic Alarm Clock v5.5\AtomicAlarmClock.exe HKCU-Run-Hwrc - C:\WINDOWS\ASKS~1\msiexec.exe HKCU-Run-GetModule23 - C:\Program Files\GetModule\GetModule23.exe HKCU-Run-VnrBlock21 - C:\Program Files\VnrBlock\VnrBlock21.exe HKCU-Run-Aim6 - (no file) HKLM-Run-INPROCOMMWireless - C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe Notify-WgaLogon - (no file) . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.google.com/ O8 -: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd O16 -: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB C:\WINDOWS\Downloaded Program Files\PogoWebLauncher.ocx . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-09-29 22:30:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\BM17bd3e96.txt C:\WINDOWS\BM17bd3e96.xml scan completed successfully hidden files: 2 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\wblhwqvg.dll -> C:\WINDOWS\system32\ikhekniy.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\SKWERL~1\LOCALS~1\temp\RtkBtMnt.exe . ************************************************************************ . Completion time: 2008-09-29 22:37:56 - machine was rebooted [SkweRLy NutZ] ComboFix-quarantined-files.txt 2008-09-30 02:37:49 Pre-Run: 13,747,765,248 bytes free Post-Run: 16,103,464,960 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 260 --- E O F --- 2008-09-10 00:52:20 HJT Logfile of HijackThis v1.99.1 Scan saved at 06:25, on 2008-09-30 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\vVX3000.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe C:\Program Files\PC Tools AntiVirus\PCTAV.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe C:\DOCUME~1\SKWERL~1\LOCALS~1\Temp\RtkBtMnt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZuneBusEnum.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE C:\WINDOWS\System32\alg.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\MySpace\IM\MySpaceIM.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\AIM6\aolsoftware.exe C:\HJT\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN O4 - HKLM\..\Run: [148e0d0a] rundll32.exe "C:\WINDOWS\system32\wblhwqvg.dll",b O4 - HKLM\..\Run: [BM17bd3e96] Rundll32.exe "C:\WINDOWS\system32\ikhekniy.dll",s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Qikgbd] "C:\Documents and Settings\SkweRLy NutZ\My Documents\??crosoft\j?vaw.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll O10 - Broken Internet access because of LSP provider 'avsda.dll' missing O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD39/JSCDL/jd...ows-i586-jc.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: mimrqr.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe Any help would be appreciated. thank you

Tomk View Member Profile	Sep 30 2008, 11:06 PM Post #2
Extrication Intern Group: Malware Team Posts: 3,296 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	Hi SkweRLyNutZ, My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following: I will be working on your Malware issues, this may or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for the issues on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. COMBOFIX-Script Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: CODE KILLALL:: File:: C:\WINDOWS\system32\ikhekniy.dll C:\WINDOWS\system32\wblhwqvg.dll C:\WINDOWS\system32\Jamster.ico C:\WINDOWS\system32\mimrqr.dll C:\WINDOWS\system32\jrroiore.dll C:\WINDOWS\system32\nhqfbnma.dll C:\WINDOWS\system32\wfbwqjly.dll Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e0c7fb1-78b6-4dc0-9eea-39792d9851b0}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Qikgbd"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "148e0d0a"=- "BM17bd3e96"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"="" Rootkit:: C:\WINDOWS\BM17bd3e96.txt C:\WINDOWS\BM17bd3e96.xml Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it). Please go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. Also "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.

SkweRLyNutZ

Oct 1 2008, 03:25 PM

Post #3

New Member

Group: New Member
Posts: 5
Joined: 30-September 08
Member No.: 81,743
Operating System: Windows XP

Thank you for the reply. here are my logs.

COMBOFIX

ComboFix 08-09-30.03 - SkweRLy NutZ 2008-10-01 5:40:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1547 [GMT -4:00]
Running from: C:\Documents and Settings\SkweRLy NutZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SkweRLy NutZ\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ikhekniy.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jrroiore.dll
C:\WINDOWS\system32\mimrqr.dll
C:\WINDOWS\system32\nhqfbnma.dll
C:\WINDOWS\system32\wblhwqvg.dll
C:\WINDOWS\system32\wfbwqjly.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM17bd3e96.txt
C:\WINDOWS\BM17bd3e96.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gvqwhlbw.ini
C:\WINDOWS\system32\ikhekniy.dll
C:\WINDOWS\system32\Jamster.ico
C:\WINDOWS\system32\jrroiore.dll
C:\WINDOWS\system32\nhqfbnma.dll
C:\WINDOWS\system32\wblhwqvg.dll
C:\WINDOWS\system32\wfbwqjly.dll

----- BITS: Possible infected sites -----

hxxp://updates.smithmicro.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-30 20:25 . 2007-07-03 20:58 106,792 -ra------ C:\WINDOWS\system32\drivers\sscdmdm.sys
2008-09-30 20:25 . 2007-07-03 20:59 86,824 -ra------ C:\WINDOWS\system32\drivers\sscdserd.sys
2008-09-30 20:25 . 2007-07-03 20:54 80,552 -ra------ C:\WINDOWS\system32\drivers\sscdbus.sys
2008-09-30 20:25 . 2007-07-03 20:57 11,944 -ra------ C:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-09-30 20:25 . 2007-07-03 21:00 9,256 -ra------ C:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-09-30 20:25 . 2007-07-03 21:00 9,256 -ra------ C:\WINDOWS\system32\drivers\sscdwh.sys
2008-09-30 20:25 . 2007-07-03 20:56 9,256 -ra------ C:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-09-30 20:25 . 2007-07-03 20:56 9,256 -ra------ C:\WINDOWS\system32\drivers\sscdcm.sys
2008-09-30 20:24 . 2008-09-30 20:24 <DIR> d-------- C:\Documents and Settings\SkweRLy NutZ\Application Data\Smith Micro
2008-09-30 20:20 . 2008-09-30 20:20 <DIR> d-------- C:\Program Files\Samsung
2008-09-30 20:18 . 2008-09-30 23:16 <DIR> d-------- C:\Program Files\Sprint Instinct Applications
2008-09-30 20:18 . 2008-09-30 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-09-30 20:18 . 2008-06-05 03:59 222,552 --------- C:\WINDOWS\RM.exe
2008-09-30 06:21 . 2008-09-30 06:25 <DIR> d-------- C:\HJT
2008-09-29 22:43 . 2008-09-29 22:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-29 22:43 . 2008-09-29 22:43 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-29 22:43 . 2008-09-29 22:43 <DIR> d-------- C:\Documents and Settings\SkweRLy NutZ\Application Data\SUPERAntiSpyware.com
2008-09-29 22:43 . 2008-09-29 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-29 18:25 . 2008-09-29 18:25 <DIR> d-------- C:\Documents and Settings\SkweRLy NutZ\Application Data\PC Tools
2008-09-29 17:59 . 2008-09-29 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\acccore
2008-09-29 17:58 . 2008-10-01 05:46 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-09-29 17:58 . 2008-09-29 17:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-09-29 17:58 . 2007-12-06 15:51 28,568 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2008-09-29 17:58 . 2007-12-06 15:51 21,912 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2008-09-29 17:58 . 2008-02-12 10:44 21,904 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2008-09-29 17:51 . 2008-04-23 18:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-29 17:51 . 2008-09-29 17:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-29 00:46 . 2008-09-29 00:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-09-29 00:41 . 2008-09-29 00:41 25,740,800 --a------ C:\antivir_workstation_winu_en_hp.exe
2008-09-29 00:21 . 2008-09-29 00:21 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-09-17 21:08 . 2008-05-02 09:25 465,920 --a------ C:\WINDOWS\system32\imapi2fs.dll
2008-09-17 21:08 . 2008-05-02 09:25 465,920 -----c--- C:\WINDOWS\system32\dllcache\imapi2fs.dll
2008-09-17 21:08 . 2008-05-02 09:25 317,952 --a------ C:\WINDOWS\system32\imapi2.dll
2008-09-17 21:08 . 2008-05-02 09:25 317,952 -----c--- C:\WINDOWS\system32\dllcache\imapi2.dll
2008-09-17 21:08 . 2008-05-02 06:49 62,976 -----c--- C:\WINDOWS\system32\dllcache\cdrom.sys
2008-09-12 18:48 . 2008-09-12 18:48 245,664 --a------ C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2008-09-12 18:46 . 2008-09-12 18:46 61,856 --a------ C:\WINDOWS\system32\ZuneBusEnum.exe
2008-09-08 01:19 . 2008-09-08 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-08 01:18 . 2008-09-08 01:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-08 01:17 . 2008-09-08 01:19 <DIR> d-------- C:\Program Files\QuickTime
2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-03 19:01 . 2008-09-03 19:01 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 09:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 00:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-29 22:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-29 04:46 --------- d-----w C:\Program Files\Avira
2008-09-28 22:33 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-28 02:44 --------- d-----w C:\Documents and Settings\SkweRLy NutZ\Application Data\LimeWire
2008-09-27 04:08 --------- d-----w C:\Documents and Settings\SkweRLy NutZ\Application Data\dvdcss
2008-09-18 01:14 --------- d-----w C:\Program Files\Zune
2008-09-12 22:32 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-09-10 00:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-10 20:34 --------- d-----w C:\Program Files\PopCap Games
2008-08-10 02:10 --------- d-----w C:\Program Files\Trymedia
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-29_22.36.56.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-30 02:43:41 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-30 02:43:41 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-10-01 00:20:36 45,056 ----a-r C:\WINDOWS\Installer\{E9ED0801-253D-4FE9-AB20-F63DEFE72547}\ARPPRODUCTICON.exe
- 2008-09-29 22:46:47 60,624 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-01 00:26:36 61,026 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-09-29 22:46:47 400,464 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-01 00:26:36 401,032 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 118784]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2008-04-13 208896]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2007-04-10 709992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-28 766041]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-08 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000]
"SkyTel"="SkyTel.EXE" [2006-07-19 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 8720384]

C:\Documents and Settings\SkweRLy NutZ\Start Menu\Programs\Startup\
Sprint media monitor.lnk - C:\WINDOWS\RM.exe [2008-09-30 222552]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\PopCap Games\\AstroPop Deluxe\\WinAP.exe"=
"C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2008-07-11 164097]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE [2008-06-12 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-05-09 41217]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-09-12 40832]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-09-12 61856]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-09-12 245664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{781665a9-cea1-11dc-bf65-81723855269b}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 05:44:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\DOCUME~1\SKWERL~1\LOCALS~1\temp\RtkBtMnt.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
.
**************************************************************************
.
Completion time: 2008-10-01 5:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 09:50:19
ComboFix2.txt 2008-09-30 02:37:58

Pre-Run: 15,800,619,008 bytes free
Post-Run: 15,904,358,400 bytes free

222 --- E O F --- 2008-09-10 00:52:20

KASPERSKY

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 01, 2008 15:26:15
Records in database: 1280123
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 92384
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:17:31

File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\ASKS~1\msiexec.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\geBtQjKE.dll.vir Infected: Trojan.Win32.Agent.afbr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nhqfbnma.dll.vir Infected: Trojan.Win32.Monder.qkq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wfbwqjly.dll.vir Infected: Trojan.Win32.Monder.qkr 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xxywVlLD.dll.zip Infected: Trojan.Win32.Agent.afbr 1

The selected area was scanned.

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 17:19, on 2008-10-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\alg.exe
C:\DOCUME~1\SKWERL~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\SkweRLy NutZ\Local Settings\temp\jkos-SkweRLy NutZ\binaries\ScanningProcess.exe
C:\Documents and Settings\SkweRLy NutZ\Local Settings\temp\jkos-SkweRLy NutZ\binaries\ScanningProcess.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra b