What the Tech? It's as easy as 1,2,3!

[Closed] Computer running slowly and overheating
mattwest1
post Jun 29 2009, 11:11 PM
Post #1


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 13-March 09
Member No.: 84,667
Operating System: Windows XP Service Pack 2



You guys really pulled me (my computer) out of a big jam last year and got it running very very fast again. A little over a year has passed and it's running very slowly again, and the cooling fan (laptop) will increase its speed about every 10-20 minutes until it gets to its fastest speed then the computer will just shut off with the bottom of the computer being very very hot. I have an HP Pavilion dv6000 running XP Media Center version 2002, Service Pack 2. Any help is GREATLY appreciated.

Here is my HJT Log that I just ran:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:20 AM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/map/interac...om=hp_main_maps
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Button Manager.lnk = ?
O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c996c6aaa1b06b) (gupdate1c996c6aaa1b06b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7146 bytes



Thanks for any assistance anyone can offer.
Tomk
post Jul 2 2009, 10:26 AM
Post #2


Forum God

Group: Classroom Teacher
Posts: 11,227
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Hi mattwest1,


My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.



This could certainly be a hardware rather than a malware issue but let's have a look.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.


Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

mattwest1
post Jul 3 2009, 05:49 PM
Post #3


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 13-March 09
Member No.: 84,667
Operating System: Windows XP Service Pack 2



Thank you for helping me out! I ran TFC as instructed with no issues.

Here is the Malware Bytes log:



Malwarebytes' Anti-Malware 1.38
Database version: 2369
Windows 5.1.2600 Service Pack 2

7/3/2009 7:25:33 PM
mbam-log-2009-07-03 (19-25-33).txt

Scan type: Quick Scan
Objects scanned: 99931
Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bajajiyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



And here is my new HJT Log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:38 PM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Button Manager\BM.exe
C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/map/interac...om=hp_main_maps
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Button Manager.lnk = ?
O4 - Global Startup: Magic-i.lnk = C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c996c6aaa1b06b) (gupdate1c996c6aaa1b06b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7175 bytes


Speed is mildly improved, but the cooling fan is still not cooperating with me.

I do fear this is a hardware issue. I got this computer new literally days after Vista came out which I believe was early 2007 or so...so it's not terribly old but I could be looking at something else entirely. I really do appreciate you taking a look at the malware though, as a good cleaning can never hurt. Let me know if you think there's anything more that can be done from the malware side of things.

Happy 4th of July!
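As an added example (not code from the thread, from What the Tech, or from HijackThis itself): a small Python script that does what a helper does by hand with the two logs mattwest1 posted. It parses a HijackThis v2.0.2 log into the running-process list and the R/O entries, diffs the "before" and "after" logs, and flags entries that are usually worth a second look. The two excerpts are copied from the logs above and trimmed to the lines that matter for the comparison; the review rules are my own heuristics and mark an entry for review, not as malicious.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread, trimmed to the
# lines that differ between them or that a reviewer would look at twice. The line
# formats are HijackThis v2.0.2 as shown on the page; the selection of lines is mine.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:20 AM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/map/interac...om=hp_main_maps
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - Global Startup: HP Button Manager.lnk = ?
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7146 bytes
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:38 PM, on 7/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/weather/map/interac...om=hp_main_maps
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - Global Startup: HP Button Manager.lnk = ?
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7175 bytes
"""

# A HijackThis entry line: section code, " - ", body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")

# Review heuristics (my own, not HijackThis's): (section, substring, reason).
# A hit means "look at this", not "this is malware": the BITS line with
# "Unknown owner" is a common benign XP artifact, but it still deserves a glance.
REVIEW_RULES = [
    ("R3", "(no file)", "URLSearchHook whose file is missing (orphaned entry)"),
    ("O23", "Unknown owner", "service whose binary owner could not be identified"),
    ("O4", "= ?", "startup shortcut whose target could not be resolved"),
    ("O4", "RunOnce", "one-shot RunOnce entry (expected right after a cleanup tool)"),
]


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, entries).

    entries is a list of (section, body) tuples, e.g. ("O4", "HKLM ... Run: ...").
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def flag_entries(entries):
    """Return [(section, body, reason)] for every entry matching a review rule."""
    return [
        (section, body, reason)
        for section, body in entries
        for sec, needle, reason in REVIEW_RULES
        if section == sec and needle in body
    ]


def diff_hjt(before_text, after_text):
    """Compare two logs; process paths are compared case-insensitively (NTFS is)."""
    b_procs, b_entries = parse_hjt(before_text)
    a_procs, a_entries = parse_hjt(after_text)
    b_set, a_set = {p.lower() for p in b_procs}, {p.lower() for p in a_procs}
    return {
        "processes_gone": sorted(b_set - a_set),
        "processes_new": sorted(a_set - b_set),
        "entries_gone": sorted(set(b_entries) - set(a_entries)),
        "entries_new": sorted(set(a_entries) - set(b_entries)),
    }


def main():
    report = diff_hjt(LOG_BEFORE, LOG_AFTER)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item if isinstance(item, str) else f"{item[0]} - {item[1]}")
    print("entries to review in the new log:")
    for section, body, reason in flag_entries(parse_hjt(LOG_AFTER)[1]):
        print(f"    [{section}] {reason}: {body}")


if __name__ == "__main__":
    main()
```

Run against these two excerpts, the diff reports the four Trend Micro processes (UfSeAgnt.exe, TMBMSRV.exe, SfCtlCom.exe, TmProxy.exe) as no longer running in the second log and the two Malwarebytes RunOnce keys as new. The RunOnce keys are expected after the Malwarebytes run the thread asked for; an antivirus that was running in the first log and not in the second is the kind of change a helper would ask the poster about, since the services are still registered (the O23 lines are unchanged) but the processes are absent.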
Tomk
post Jul 5 2009, 07:48 PM
Post #4


Forum God

Group: Classroom Teacher
Posts: 11,227
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



mattwest1,

I had a good fourth. Hope you did too.

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response. I'll now continue with instructions for cleaning.

With the remnants showing, we need to dig deeper.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatthetech.com/How_Disable_...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
mattwest1
post Jul 6 2009, 11:37 AM
Post #5


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 13-March 09
Member No.: 84,667
Operating System: Windows XP Service Pack 2



Wow I had no idea, thank you for spotting this! I was able to run ComboFix with no issues. Here is the log:



ComboFix 09-07-05.04 - Owner 07/06/2009 13:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1356 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}
c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}\chrome\content\c.js
c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{00604B54-C288-4153-8356-EF3471265D5D}\install.rdf
c:\windows\Installer\1af85e.msi
c:\windows\kb913800.exe
c:\windows\system32\borazufu.dll
c:\windows\system32\tijawani.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-05 07:39 . 2009-07-05 07:42 -------- d-----w- c:\program files\FreePOPs
2009-07-05 07:36 . 2009-07-05 07:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thunderbird
2009-07-05 07:36 . 2009-07-05 07:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2009-07-05 07:35 . 2009-07-05 07:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-09 21:54 . 2009-06-09 21:54 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 01:56 . 2009-06-08 01:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-08 01:56 . 2009-07-02 03:38 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-06-08 01:55 . 2009-07-02 03:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-06-08 01:54 . 2009-06-08 01:54 -------- d-----w- c:\program files\Skype
2009-06-08 01:54 . 2009-06-08 01:54 -------- d-----w- c:\program files\Common Files\Skype
2009-06-08 01:29 . 2009-06-08 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-06-08 01:21 . 2009-06-08 01:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2009-06-08 01:21 . 2009-06-11 20:11 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-06-08 01:20 . 2006-11-10 19:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-06-08 01:20 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-06-08 01:19 . 2009-06-08 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-06-08 01:19 . 2007-07-02 19:08 15616 ----a-w- c:\windows\system32\drivers\ArcSoftVirtualCapture.sys
2009-06-08 01:19 . 2006-12-07 13:22 49152 ----a-w- c:\windows\system32\ArcFakeCapture.dll
2009-06-08 01:19 . 2009-06-08 01:19 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-06-08 01:19 . 2009-06-08 01:21 -------- d-----w- c:\program files\ArcSoft
2009-06-08 01:16 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-06-08 01:16 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-06-08 01:16 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-08 01:16 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 17:25 . 2007-04-18 00:19 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-06 15:06 . 2008-04-17 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-06 15:05 . 2007-04-18 00:19 -------- d-----w- c:\program files\BitTorrent_DNA
2009-07-04 06:23 . 2008-02-16 01:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-07-03 22:30 . 2009-02-04 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 02:57 . 2007-03-25 03:31 -------- d-----w- c:\program files\Yahoo! Games
2009-06-17 15:27 . 2009-02-04 21:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-04 21:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 23:37 . 2007-03-02 01:20 -------- d-----w- c:\program files\AIM6
2009-06-14 23:36 . 2007-03-02 01:21 -------- d-----w- c:\program files\Viewpoint
2009-06-14 23:36 . 2007-03-02 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-01 01:12 . 2009-05-01 01:12 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-04-08 19:52 . 2009-04-08 19:52 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-06-21 04:19 . 2007-06-21 04:19 604 ---ha-w- c:\program files\STLL Notifier
2009-02-15 07:38 . 2009-02-15 07:38 2713 --sh--w- c:\windows\system32\dalegavo.dll
2009-02-13 19:38 . 2009-02-13 19:38 2713 --sh--w- c:\windows\system32\dehasavu.dll
2009-02-07 06:18 . 2009-02-07 06:18 2713 --sh--w- c:\windows\system32\devizeja.dll
2009-02-06 05:32 . 2009-02-06 05:32 2713 --sh--w- c:\windows\system32\dozibadi.dll
2009-02-21 22:58 . 2009-02-21 22:58 2713 --sh--w- c:\windows\system32\hagipugo.dll
2009-02-08 20:35 . 2009-02-08 20:35 2713 --sh--w- c:\windows\system32\hozutoza.dll
2009-02-16 22:24 . 2009-02-16 22:24 2713 --sh--w- c:\windows\system32\jarizasu.dll
2009-02-09 08:34 . 2009-02-09 08:34 2713 --sh--w- c:\windows\system32\jijoyowe.dll
2009-01-22 20:29 . 2009-01-22 20:29 2713 --sh--w- c:\windows\system32\kogokeli.dll
2009-02-14 19:38 . 2009-02-14 19:38 2713 --sh--w- c:\windows\system32\lezuyenu.dll
2009-03-11 19:58 . 1601-01-01 00:12 101376 --sha-w- c:\windows\system32\lifuremi.dll
2009-02-19 06:08 . 2009-02-19 06:08 2713 --sh--w- c:\windows\system32\luyudade.dll
2009-01-21 18:59 . 2009-01-21 18:59 2713 --sh--w- c:\windows\system32\nadusifa.dll
2009-02-02 15:09 . 2009-02-02 15:09 2713 --sh--w- c:\windows\system32\pogobiwu.dll
2009-02-24 05:54 . 2009-02-24 05:54 2713 --sh--w- c:\windows\system32\posetoma.dll
2009-03-07 22:04 . 1601-01-01 00:12 101888 --sha-w- c:\windows\system32\wiboniza.dll
2009-03-10 19:59 . 1601-01-01 00:12 101376 --sha-w- c:\windows\system32\yibavisu.dll
2009-02-03 03:07 . 2009-02-03 03:07 2713 --sh--w- c:\windows\system32\yigenomo.dll
.

------- Sigcheck -------

[7] 2005-05-26 03:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-14 01:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2006-03-16 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-26 03:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\BitTorrent_DNA\btdna.exe" [2008-12-16 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-6-7 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2009-6-7 530944]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"=xgusb.cpl

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqwmiex"=2 (0x2)
"IDriverT"=3 (0x3)
"LightScribeService"=2 (0x2)
"Vongo Service"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"btwdins"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\btdna.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\ZuneBusEnum.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/12/2009 4:32 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/30/2008 11:59 AM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/12/2009 4:32 PM 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/14/2009 7:36 PM 24652]
S1 c377109c;c377109c;c:\windows\system32\drivers\c377109c.sys --> c:\windows\system32\drivers\c377109c.sys [?]
S1 vdmzmty5;AVZ-BC Kernel Driver;\??\c:\windows\system32\Drivers\vdmzmty5.sys --> c:\windows\system32\Drivers\vdmzmty5.sys [?]
S2 gupdate1c996c6aaa1b06b;Google Update Service (gupdate1c996c6aaa1b06b);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 5:27 PM 133104]
S2 kjtahoyq;kjtahoyq;c:\windows\System32\svchost.exe -k netsvcs [3/16/2006 14336]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [3/17/2006 7:34 PM 1544704]
S4 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys --> c:\windows\system32\Drivers\5U870CAP.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Kjtahoyq

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 21:30]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:27]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:27]

2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{093592A9-671E-4241-9C3D-A7D7146614B6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/map/interactive/?from=hp_main_maps
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7t1ert72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/findfriends.php#/home.php?ref=home
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7t1ert72.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\BitTorrent_DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 13:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'lsass.exe'(1004)
c:\windows\system32\xgusb.cpl
.
Completion time: 2009-07-06 13:34
ComboFix-quarantined-files.txt 2009-07-06 17:34

Pre-Run: 56,621,109,248 bytes free
Post-Run: 56,672,026,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

236 --- E O F --- 2008-11-23 06:38
Tomk
post Jul 6 2009, 03:43 PM
Post #6


Forum God

Group: Classroom Teacher
Posts: 11,227
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



mattwest1,

BitTorrent and Limewire
You have BitTorrent and Limewire, P2P/file-sharing programs, installed on your computer. P2P applications like these are the largest source of malware we see. You'll be doing yourself a favor by removing them.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm



I would recommend that you uninstall BitTorrent and Limewire; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep them, please do not use them until your computer is cleaned.

Download Rooter.exe to your desktop

  • Then double-click it to start the tool.
  • A Notepad file containing the report will open; it is also saved at %systemdrive%\Rooter.txt. Post that here.


COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    File::
    c:\windows\system32\dalegavo.dll
    c:\windows\system32\dehasavu.dll
    c:\windows\system32\devizeja.dll
    c:\windows\system32\dozibadi.dll
    c:\windows\system32\hagipugo.dll
    c:\windows\system32\hozutoza.dll
    c:\windows\system32\jarizasu.dll
    c:\windows\system32\jijoyowe.dll
    c:\windows\system32\kogokeli.dll
    c:\windows\system32\lezuyenu.dll
    c:\windows\system32\lifuremi.dll
    c:\windows\system32\luyudade.dll
    c:\windows\system32\nadusifa.dll
    c:\windows\system32\pogobiwu.dll
    c:\windows\system32\posetoma.dll
    c:\windows\system32\wiboniza.dll
    c:\windows\system32\yibavisu.dll
    c:\windows\system32\yigenomo.dll

    NetSvc::
    Kjtahoyq

    Driver::
    kjtahoyq
    c377109c

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
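The CFScript above was put together by reading the ComboFix log by eye: the File:: entries are the eight-letter, randomly named DLLs sitting in system32 with hidden/system attributes or a bogus 1601-01-01 timestamp, and the Driver:: and NetSvc:: entries are the services whose "description" is just their own name and whose image is either missing or a svchost.exe -k netsvcs host. As an added example (not part of this thread, and not a ComboFix or What the Tech tool), here is a small Python triage script that applies that same reading to a constructed sample in the shape of the log lines posted above and emits a CFScript in the format Tomk used. The heuristics, the `Findings`/`triage`/`build_cfscript` names and the sample lines are my assumptions, tuned to this particular log rather than offered as general detection rules; on a real log the output is a list of candidates for an analyst to confirm, not something to run blindly.

```python
import re
from dataclasses import dataclass, field
from typing import List, Match

# Constructed sample in the shape of the ComboFix log posted in this thread:
# Find3M file entries, service entries and the NetSvcs block (only the
# non-default NetSvcs names are listed by ComboFix, as its own note says).
SAMPLE_LOG = r"""
2009-02-14 19:38 . 2009-02-14 19:38 2713 --sh--w- c:\windows\system32\lezuyenu.dll
2009-03-11 19:58 . 1601-01-01 00:12 101376 --sha-w- c:\windows\system32\lifuremi.dll
2009-06-08 01:20 . 2006-11-10 19:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-05-01 01:12 . 2009-05-01 01:12 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-07-05 07:39 . 2009-07-05 07:42 -------- d-----w- c:\program files\FreePOPs

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/12/2009 4:32 PM 50192]
S1 c377109c;c377109c;c:\windows\system32\drivers\c377109c.sys --> c:\windows\system32\drivers\c377109c.sys [?]
S1 vdmzmty5;AVZ-BC Kernel Driver;\??\c:\windows\system32\Drivers\vdmzmty5.sys --> c:\windows\system32\Drivers\vdmzmty5.sys [?]
S2 kjtahoyq;kjtahoyq;c:\windows\System32\svchost.exe -k netsvcs [3/16/2006 14336]
S4 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys --> c:\windows\system32\Drivers\5U870CAP.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Kjtahoyq

"""

# "created . modified size attrs path" as ComboFix prints a file entry.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# "S2 name;description;image [details]" as ComboFix prints a service.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+)$")
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
FILETIME_EPOCH = "1601-01-01"   # a zeroed Windows FILETIME, never a real write time


@dataclass
class Findings:
    files: List[str] = field(default_factory=list)      # CFScript File:: entries
    drivers: List[str] = field(default_factory=list)    # CFScript Driver:: entries
    netsvcs: List[str] = field(default_factory=list)    # CFScript NetSvc:: entries


def suspicious_file(m: Match) -> bool:
    """Random 8-letter DLL directly in system32, hidden+system or with a bogus timestamp."""
    folder, _, name = m.group("path").lower().rpartition("\\")
    if not folder.endswith("\\system32") or not RANDOM_DLL_RE.match(name):
        return False
    attrs = m.group("attrs")                       # e.g. --sh--w-: s = system, h = hidden
    hidden_system = "s" in attrs and "h" in attrs
    bogus_time = m.group("modified").startswith(FILETIME_EPOCH)
    return hidden_system or bogus_time


def suspicious_service(m: Match) -> bool:
    """Service with no real display name whose image is missing or a netsvcs svchost host."""
    name, desc, image = m.group("name"), m.group("desc").strip(), m.group("image")
    if desc.lower() != name.lower():
        return False                               # has a real description: leave to the analyst
    missing = image.rstrip().endswith("[?]")       # ComboFix marks an absent image file with [?]
    hosted = "svchost.exe -k netsvcs" in image.lower()
    return missing or hosted


def triage(log_text: str) -> Findings:
    """Walk the log once and collect CFScript candidates."""
    found = Findings()
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:                             # names listed under the NetSvcs header
            if not line:
                in_netsvcs = False
            else:
                found.netsvcs.append(line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        fm = FILE_RE.match(line)
        if fm and suspicious_file(fm):
            found.files.append(fm.group("path"))
            continue
        sm = SERVICE_RE.match(line)
        if sm and suspicious_service(sm):
            found.drivers.append(sm.group("name"))
    return found


def build_cfscript(found: Findings) -> str:
    """Render the findings in the File:: / NetSvc:: / Driver:: layout used above."""
    sections = []
    if found.files:
        sections.append("File::\n" + "\n".join(found.files))
    if found.netsvcs:
        sections.append("NetSvc::\n" + "\n".join(found.netsvcs))
    if found.drivers:
        sections.append("Driver::\n" + "\n".join(found.drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)), end="")
```

On the sample, the two system32 DLLs and the two nameless services are picked up while afc.sys (in the drivers subfolder), dsdxirmv.exe (no hidden/system bits, not in system32), the AVZ driver and the HP webcam driver (both with real descriptions) are left alone, which matches what the script above actually removed.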
mattwest1
post Jul 6 2009, 07:22 PM
Post #7


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 13-March 09
Member No.: 84,667
Operating System: Windows XP Service Pack 2



Everything executed flawlessly. Here is the log from Rooter:



Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 2
[32_bits] - x86 Family 6 Model 15 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 7.0.5730.11
.
C:\ [Fixed-NTFS] .. ( Total:99 Go - Free:52 Go )
D:\ [Fixed-FAT32] .. ( Total:11 Go - Free:1 Go )
E:\ [CD_Rom]
.
Scan : 18:45.37
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (856)
______ \??\C:\WINDOWS\system32\csrss.exe (924)
______ \??\C:\WINDOWS\system32\winlogon.exe (948)
______ C:\WINDOWS\system32\services.exe (992)
______ C:\WINDOWS\system32\lsass.exe (1004)
______ C:\WINDOWS\system32\svchost.exe (1212)
______ C:\WINDOWS\system32\svchost.exe (1284)
______ C:\WINDOWS\System32\svchost.exe (1328)
______ C:\WINDOWS\system32\svchost.exe (1372)
______ C:\WINDOWS\system32\svchost.exe (1560)
______ C:\WINDOWS\system32\svchost.exe (1596)
______ C:\WINDOWS\system32\spoolsv.exe (1912)
______ C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (632)
______ C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (680)
______ C:\Program Files\Java\jre6\bin\jusched.exe (688)
______ C:\WINDOWS\system32\ctfmon.exe (700)
______ C:\Program Files\BitTorrent_DNA\btdna.exe (708)
______ C:\Program Files\Windows Media Player\WMPNSCFG.exe (776)
______ C:\Program Files\ArcSoft\Magic-i 3\Magic-i.exe (1556)
______ C:\WINDOWS\system32\msdtc.exe (1960)
______ C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (488)
______ C:\WINDOWS\eHome\ehRecvr.exe (540)
______ C:\WINDOWS\eHome\ehSched.exe (500)
______ C:\WINDOWS\System32\svchost.exe (1268)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1972)
______ C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe (2108)
______ C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (2212)
______ C:\WINDOWS\system32\svchost.exe (2400)
______ C:\WINDOWS\system32\svchost.exe (2444)
______ C:\Program Files\Viewpoint\Common\ViewpointService.exe (2596)
______ c:\WINDOWS\system32\ZuneBusEnum.exe (2636)
______ C:\WINDOWS\ehome\mcrdsvc.exe (2724)
______ C:\WINDOWS\system32\mqsvc.exe (2800)
______ C:\Program Files\Windows Media Player\WMPNetwk.exe (2952)
______ C:\WINDOWS\system32\mqtgsvc.exe (3488)
______ C:\WINDOWS\system32\dllhost.exe (3916)
______ C:\WINDOWS\System32\alg.exe (1520)
______ C:\WINDOWS\system32\wscntfy.exe (2456)
______ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (1156)
______ C:\WINDOWS\explorer.exe (1152)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2676)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (5452)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:106393964544)
\Device\Harddisk0\Partition2 (Start_Offset:106402222080 | Length:12551777280)
\Device\Harddisk0\Partition3 (Start_Offset:118953999360 | Length:1077511680)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Google Software Updater.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{093592A9-671E-4241-9C3D-A7D7146614B6}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:45.42
.
C:\Rooter$\Rooter_1.txt - (06/07/2009 | 18:45.42)




And here is the combofix log:



ComboFix 09-07-05.04 - Owner 07/06/2009 19:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1367 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FILE ::
"c:\windows\system32\dalegavo.dll"
"c:\windows\system32\dehasavu.dll"
"c:\windows\system32\devizeja.dll"
"c:\windows\system32\dozibadi.dll"
"c:\windows\system32\hagipugo.dll"
"c:\windows\system32\hozutoza.dll"
"c:\windows\system32\jarizasu.dll"
"c:\windows\system32\jijoyowe.dll"
"c:\windows\system32\kogokeli.dll"
"c:\windows\system32\lezuyenu.dll"
"c:\windows\system32\lifuremi.dll"
"c:\windows\system32\luyudade.dll"
"c:\windows\system32\nadusifa.dll"
"c:\windows\system32\pogobiwu.dll"
"c:\windows\system32\posetoma.dll"
"c:\windows\system32\wiboniza.dll"
"c:\windows\system32\yibavisu.dll"
"c:\windows\system32\yigenomo.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dalegavo.dll
c:\windows\system32\dehasavu.dll
c:\windows\system32\devizeja.dll
c:\windows\system32\dozibadi.dll
c:\windows\system32\hagipugo.dll
c:\windows\system32\hozutoza.dll
c:\windows\system32\jarizasu.dll
c:\windows\system32\jijoyowe.dll
c:\windows\system32\kogokeli.dll
c:\windows\system32\lezuyenu.dll
c:\windows\system32\lifuremi.dll
c:\windows\system32\luyudade.dll
c:\windows\system32\nadusifa.dll
c:\windows\system32\pogobiwu.dll
c:\windows\system32\posetoma.dll
c:\windows\system32\wiboniza.dll
c:\windows\system32\yibavisu.dll
c:\windows\system32\yigenomo.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kjtahoyq
-------\Service_c377109c
-------\Service_kjtahoyq


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 23:08 . 2009-07-06 23:08 -------- d-----w- C:\9082d3cf39ea3e8a37
2009-07-06 22:42 . 2009-07-06 22:45 -------- d-----w- C:\Rooter$
2009-07-05 07:39 . 2009-07-05 07:42 -------- d-----w- c:\program files\FreePOPs
2009-07-05 07:36 . 2009-07-05 07:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Thunderbird
2009-07-05 07:36 . 2009-07-05 07:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Thunderbird
2009-07-05 07:35 . 2009-07-05 07:42 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-09 21:54 . 2009-06-09 21:54 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-08 01:56 . 2009-06-08 01:56 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-08 01:56 . 2009-07-02 03:38 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-06-08 01:55 . 2009-07-02 03:58 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-06-08 01:54 . 2009-06-08 01:54 -------- d-----w- c:\program files\Skype
2009-06-08 01:54 . 2009-06-08 01:54 -------- d-----w- c:\program files\Common Files\Skype
2009-06-08 01:29 . 2009-06-08 01:29 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-06-08 01:21 . 2009-06-08 01:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ArcSoft
2009-06-08 01:21 . 2009-06-11 20:11 -------- d-----w- c:\documents and settings\Owner\Application Data\ArcSoft
2009-06-08 01:20 . 2006-11-10 19:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-06-08 01:20 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-06-08 01:19 . 2009-06-08 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-06-08 01:19 . 2007-07-02 19:08 15616 ----a-w- c:\windows\system32\drivers\ArcSoftVirtualCapture.sys
2009-06-08 01:19 . 2006-12-07 13:22 49152 ----a-w- c:\windows\system32\ArcFakeCapture.dll
2009-06-08 01:19 . 2009-06-08 01:19 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-06-08 01:19 . 2009-06-08 01:21 -------- d-----w- c:\program files\ArcSoft
2009-06-08 01:16 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-06-08 01:16 . 2008-04-13 18:45 60032 ----a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-06-08 01:16 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-06-08 01:16 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 23:06 . 2007-04-18 00:19 -------- d-----w- c:\program files\BitTorrent_DNA
2009-07-06 23:06 . 2007-04-18 00:19 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-07-06 22:35 . 2007-03-06 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-07-06 22:35 . 2007-04-18 00:20 -------- d-----w- c:\program files\BitTorrent
2009-07-06 15:06 . 2008-04-17 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-04 06:23 . 2008-02-16 01:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-07-03 22:30 . 2009-02-04 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 02:57 . 2007-03-25 03:31 -------- d-----w- c:\program files\Yahoo! Games
2009-06-17 15:27 . 2009-02-04 21:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2009-02-04 21:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 23:37 . 2007-03-02 01:20 -------- d-----w- c:\program files\AIM6
2009-06-14 23:36 . 2007-03-02 01:21 -------- d-----w- c:\program files\Viewpoint
2009-06-14 23:36 . 2007-03-02 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-01 01:12 . 2009-05-01 01:12 118784 ----a-w- c:\windows\dsdxirmv.exe
2009-04-08 19:52 . 2009-04-08 19:52 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-06-21 04:19 . 2007-06-21 04:19 604 ---ha-w- c:\program files\STLL Notifier
.

------- Sigcheck -------

[7] 2005-05-26 03:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-14 01:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2006-03-16 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-26 03:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-04-13 19:20 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-06_17.32.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-30 20:45 . 2008-09-30 20:45 91656 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2009-07-06 23:08 . 2009-07-06 23:08 32768 c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
+ 2009-07-06 23:08 . 2009-07-06 23:08 432640 c:\windows\Installer\2a18b.msi
+ 2008-09-30 20:42 . 2008-09-30 20:42 1286152 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 20:43 . 2008-09-30 20:43 1286152 c:\windows\system32\msxml4.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BitTorrent DNA"="c:\program files\BitTorrent_DNA\btdna.exe" [2008-12-16 342848]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Button Manager.lnk - c:\program files\HP\Button Manager\BM.exe [2009-6-7 266240]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2009-6-7 530944]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"=xgusb.cpl

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqwmiex"=2 (0x2)
"IDriverT"=3 (0x3)
"LightScribeService"=2 (0x2)
"Vongo Service"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"iPod Service"=3 (0x3)
"btwdins"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\btdna.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"c:\\Program Files\\WIDCOMM\\Bluetooth Software\\bin\\btwdins.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\ZuneBusEnum.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/12/2009 4:32 PM 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [7/30/2008 11:59 AM 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [1/12/2009 4:32 PM 677128]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/14/2009 7:36 PM 24652]
S1 vdmzmty5;AVZ-BC Kernel Driver;\??\c:\windows\system32\Drivers\vdmzmty5.sys --> c:\windows\system32\Drivers\vdmzmty5.sys [?]
S2 gupdate1c996c6aaa1b06b;Google Update Service (gupdate1c996c6aaa1b06b);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 5:27 PM 133104]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [3/17/2006 7:34 PM 1544704]
S4 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\Drivers\5U870CAP.sys --> c:\windows\system32\Drivers\5U870CAP.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 21:30]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:27]

2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:27]

2009-07-06 c:\windows\Tasks\User_Feed_Synchronization-{093592A9-671E-4241-9C3D-A7D7146614B6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 17:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/map/interactive/?from=hp_main_maps
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7t1ert72.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/findfriends.php#/home.php?ref=home
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7t1ert72.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\BitTorrent_DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 19:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'explorer.exe'(696)
c:\windows\system32\xgusb.cpl
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-07-06 19:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 23:12
ComboFix2.txt 2009-07-06 17:34

Pre-Run: 56,727,388,160 bytes free
Post-Run: 56,670,093,312 bytes free

281 --- E O F --- 2009-07-06 23:09
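The most security-relevant part of the ComboFix log above is the "DLLs Loaded Under Running Processes" section, where the same module (a .cpl file, i.e. a Control Panel applet, which is a DLL under another extension) shows up inside winlogon.exe, lsass.exe and explorer.exe. The following helper is an added example for this thread, not part of ComboFix or of the original post: it parses that section and flags modules that a triager would want to look at first. The allow-list of "sensitive" processes and the two heuristics are assumptions of the example, not anything the log asserts, and a hit means "review this file", not "this is malware". The sample input is copied from the log lines above.

```python
"""Triage the 'DLLs Loaded Under Running Processes' section of a ComboFix log.

Added example for this thread (not ComboFix's own logic).  The heuristics and
SENSITIVE_PROCESSES below are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# Sample input: copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'explorer.exe'(696)
c:\windows\system32\xgusb.cpl
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
"""

# ComboFix prints each process as:  - - - - - - - > 'name.exe'(pid)
PROCESS_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)$")

# Assumption of the example: a third-party module inside these processes is
# much more unusual than one inside explorer.exe, which hosts many shell extensions.
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe"}


def parse_loaded_dlls(log_text: str) -> Dict[str, List[str]]:
    """Return {"name.exe(pid)": [module path, ...]} for the DLLs section."""
    loaded: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "DLLs Loaded Under Running Processes" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):          # header of the next section: stop
            break
        if not line or line == ".":         # blank line / ComboFix separator
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = f"{m['name'].lower()}({m['pid']})"
            loaded[current] = []
        elif current is not None:
            loaded[current].append(line.lower())
    return loaded


def triage(loaded: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (process, module, reason) for modules worth a closer look.

    Heuristics (assumptions of this example):
      1. a module in a sensitive process whose extension is not .dll
      2. a module in a sensitive process that is also loaded in other processes
         (one image mapped into several unrelated processes is a common
         injection pattern, though legitimate hooks do it too)
    """
    where: Dict[str, set] = {}
    for proc, mods in loaded.items():
        for mod in mods:
            where.setdefault(mod, set()).add(proc)

    findings: List[Tuple[str, str, str]] = []
    for proc, mods in loaded.items():
        name = proc.split("(")[0]
        if name not in SENSITIVE_PROCESSES:
            continue
        for mod in mods:
            reasons = []
            if not mod.endswith(".dll"):
                reasons.append("non-.dll module in sensitive process")
            if len(where[mod]) > 1:
                reasons.append(f"same module loaded in {len(where[mod])} processes")
            if reasons:
                findings.append((proc, mod, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for proc, mod, reason in triage(parse_loaded_dlls(SAMPLE_LOG)):
        print(f"{proc:20} {mod}  <- {reason}")
```

Run against the log above, the script reports xgusb.cpl twice (once for winlogon.exe, once for lsass.exe) and stays silent about the Windows Media Player and portable-device DLLs in explorer.exe. The next step for a triager would be to check the flagged file's signature, timestamps and VirusTotal hash, which this example deliberately does not do offline.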
Tomk
post Jul 6 2009, 07:34 PM
Post #8

Forum God
Group: Classroom Teacher
Posts: 11,227
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp

mattwest1,

Let's get an online scan to make sure there isn't something I'm not seeing. Be prepared, this scan takes hours. Nothing to see, so find something to do other than stare at the screen.


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


Also let me have a new HijackThis log and tell me how things seem to you now as far as how the computer is running.
mattwest1
post Jul 8 2009, 02:49 PM
Post #9

Uh-oh, my first issue. I got to the website and downloaded the definitions and scanner as instructed with no problems. I clicked on "My Computer" and the scan began. Roughly 15-20 minutes into the scan, the computer overheated and shut off. I haven't done anything further as I thought I should check back here for what to do next.
Tomk
post Jul 8 2009, 02:54 PM
Post #10

mattwest1,

It's probably not going to work because the scan will take hours.

Let's try this instead (you may have to wait until your computer cools down).


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the quarantine folder under %userprofile%\DoctorWeb\ if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

mattwest1
post Jul 13 2009, 10:49 AM
Post #11

So sorry for the delay. I'm actually posting from a public computer because the laptop in question has really run into some troubles. The computer can't even get to the starting desktop without overheating and cutting off. I'm afraid I've got a very serious hardware issue that will have to be taken care of before I will be able to do any more to take care of the backdoor trojan. I really appreciate the assistance you've offered me up to now but I have to get this taken care of before I can move forward. Thanks so much for taking the time to help.
Tomk
post Jul 13 2009, 11:21 AM
Post #12

mattwest1,

Sorry to hear about the hardware trouble.

Good luck.
Tomk
post Jul 17 2009, 12:19 PM
Post #13

mattwest1,

How's it going?
Tomk
post Jul 23 2009, 10:25 AM
Post #14

Due to inactivity this topic will be closed.
If you need help, please start a new thread and post a new HJT log.
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy