
Antivirus XP 2008 eradication help!


Name: wohdin
Date: August 25, 2008 at 10:04:28 Pacific
OS: Windows XP SP2
CPU/Ram: P4 2.x/512MB
Product: Dell Dimension 2350
Comment:

Yes, this computer is ancient. No, you're not allowed to laugh. D:

Anyway. Apparently there are numerous "variants" to this damn anti-antivirus such as "Antivirus XP", "Antivirus XP 2008", "Antivirus 2008", "XP Antivirus 2008", etc. and they all apparently infect differently. The one I got stuck with was the "Antivirus XP 2008" one.

First off, let me clarify: I have no idea how I got this. I can't imagine how it could have "wormed" its way through beyond it being just that - a worm. Where it came from is beyond my knowledge.

One thing I do know, however, is that it must be primarily a browser hijacker, because basically everything internet is all out of whack.

By the way, I use Opera and Avast, and both are highly customised for optimal security.

I googled the name, trying out several solutions (Malwarebytes and others, manual eradication based on what several sites told me, HijackThis (which really had nothing out of the ordinary) and even triple-scanned for everything with Avast) and even though the popups and stuff are for the most part gone, I can't help but think it's still here. Lurking.

Reason being my internet is still OUT OF WHACK. Badly. Half the web pages I try to load simply don't (as if they're being blocked), most others will only load halfway, and some even actively try to redirect to the AVXP 2008 page (which I have since manually blocked through HOSTS). Also, several web sites just act funky in general, like not being able to click anywhere and being forced to navigate with the keyboard (on, for instance, LiveJournal), or reloading indefinitely after it completes. Not only all of this, but while this is all happening, my computer is LAGGING TO DEATH. Seriously, I can barely type right now. In an IM I'll have to pause for several MINUTES, literally, waiting on the text I just typed to appear on-screen before I send it. That's not even the full extent of this lag, either.

Anyone got an idea as to the source of the problem? If so, got any suggestions? I can't find it... anywhere. I really need help ASAP, because I won't be able to buy a new system for at least another month or two, and this one needs to last at least until then, even if it's on its metaphorical death bed.

That is not dead which can eternal lie, and with strange aeons even Death may die.




Response Number 1
Name: Beginner1
Date: August 25, 2008 at 12:35:31 Pacific

Response Number 2
Name: wohdin
Date: August 25, 2008 at 13:49:28 Pacific
Reply:

Thank you for, uh, NOT reading, I suppose. I have Antivirus XP 2008, not XP Antivirus 2008. Yes, they're different (VERY different).

Also, I've already done all of that. My biggest issue at the moment is trying to get my internet working in its normal state, and to fix the horrendous lag that devastates my computer at the moment.

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 3
Name: jabuck
Date: August 25, 2008 at 14:28:26 Pacific
Reply:

Reset the host file first, should get part of the internet pages resolved.


Please download HostsXpert from the following link:

HostsXpert

Extract the HostsXpert.zip by doing the following:

1. Right-click HostsXpert.zip and select Extract All. Follow the wizard and extract it to your Desktop, then click Finish.
2. Double-click the HostsXpert folder and then double-click HostsXpert.exe.
3. Click "Restore MS Hosts File" and press OK.
4. Exit the program.

Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 4
Name: iamwec
Date: August 25, 2008 at 14:31:00 Pacific
Reply:

Well, I have had this problem before with two or three different versions, and I have always found that Kaspersky Internet Security does a GREAT job of erasing this stuff, any kind of virus or worm or...

At http://www.kaspersky.com/internet_s...

William E C
I AM WEC!!!
http://iamwec.wordpress.com/
"If at first you don't succeed, redefine success!" - Anonymous



Response Number 5
Name: wohdin
Date: August 25, 2008 at 14:58:13 Pacific
Reply:

For some reason it won't let me post the whole thing, so I'll have to do it by parts. (It's part of the internet thing - it cuts off any in/out packets at a certain point, regardless of the source)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:03, on 08/08/25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\LiteStep\litestep.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp
O1 - Hosts: 208.69.57.87 patch01.us.segaonline.jp
O2 - BHO: (no name) - {0015967B-E352-4A2E-AF30-FA4D4123252C} - (no file)
O2 - BHO: (no name) - {0114D594-0E82-4681-998E-FF9E64249CE1} - (no file)
O2 - BHO: (no name) - {013CB586-F80A-4628-A51C-6188AFFA6325} - (no file)
O2 - BHO: (no name) - {020124FB-39ED-43A4-A8C6-B806EBAD51AC} - (no file)
O2 - BHO: (no name) - {03F41CFB-93F3-4BAA-B571-A93551647876} - (no file)
O2 - BHO: (no name) - {04F5E346-8CD0-4A04-A461-EB9413C781F2} - (no file)
O2 - BHO: (no name) - {06008DA1-EF21-4DC3-AA51-E14AE9EC9739} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {093E2749-C60C-417B-926E-829B6E0AA3DE} - (no file)
O2 - BHO: (no name) - {0D39CB8F-9492-4813-AB34-7F058128A15A} - (no file)
O2 - BHO: (no name) - {0EECE65D-9C93-476B-B9B5-370A9B8427BE} - (no file)
O2 - BHO: (no name) - {0F096B24-69FF-4348-8F00-7094058AF987} - (no file)
O2 - BHO: (no name) - {110A6DA9-F4D2-4A87-AE55-3F2648F80B15} - (no file)
O2 - BHO: (no name) - {123A12EA-3EF3-41E0-8214-2563DC3EEB72} - (no file)
O2 - BHO: (no name) - {124A7F0C-4432-4B9C-BAD0-355DDD111D1F} - (no file)
O2 - BHO: (no name) - {12B7F361-D87D-4DB9-9B5A-1A8D4E1E21E0} - (no file)
O2 - BHO: (no name) - {1307C68D-E524-4F49-BC99-3DE64ECA5DE7} - (no file)
O2 - BHO: (no name) - {15688FC1-74C4-4B21-BDD2-771C7BECEA10} - (no file)
O2 - BHO: (no name) - {17824773-C0CA-4BF6-B685-8A8CE585F42D} - (no file)
O2 - BHO: (no name) - {17BC9D3F-90F6-4B96-A8FB-AABE9EE71EB5} - (no file)
O2 - BHO: (no name) - {1818CB3A-7D74-437E-A63A-CEBC2A30294C} - (no file)
O2 - BHO: (no name) - {1822B177-45C8-4221-A2D2-47D76F1483FA} - (no file)
O2 - BHO: (no name) - {19FF0185-8609-4F21-AE1F-AEE64FE4B034} - (no file)
O2 - BHO: (no name) - {1AB432E6-23BA-4F3C-9DB2-7BA349A299A0} - (no file)
O2 - BHO: (no name) - {1B1647E0-E3D0-4A84-87B6-9F56B547EFD7} - (no file)
O2 - BHO: (no name) - {1C628523-182F-4210-8615-71D1E52B0E09} - (no file)
O2 - BHO: (no name) - {1D61D82B-2D87-47E2-8B87-D944DEC6B9C7} - (no file)
O2 - BHO: (no name) - {1E789B3E-E8E0-4964-BC4D-B62C9EBE25F2} - (no file)
O2 - BHO: (no name) - {1E9DB02D-C95A-4E3D-87DE-EFF10A38A686} - (no file)
O2 - BHO: (no name) - {2154085A-C4DC-4EC4-856A-50DD610925D5} - (no file)
O2 - BHO: (no name) - {21753477-387A-42EA-8E99-2D3B7200135A} - (no file)
O2 - BHO: (no name) - {2193A287-650A-41ED-8378-D476EFEA179C} - (no file)
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: (no name) - {26B3331F-E698-4C37-B947-3D0E84634A3B} - (no file)
O2 - BHO: (no name) - {2796D6AB-7D07-4203-A49A-03452B43CAC5} - (no file)
O2 - BHO: (no name) - {27BB03F1-AAE0-46C6-930F-51356D8308FE} - (no file)
O2 - BHO: (no name) - {2BDF4B4E-223E-4BD8-8C30-D987B410C170} - (no file)
O2 - BHO: (no name) - {2C2CEEDB-F1FA-43C0-94E7-1C14EE920C90} - (no file)
O2 - BHO: (no name) - {2ECC49AB-6193-4153-95EB-9EBBA92A376F} - (no file)
O2 - BHO: (no name) - {3022BBBD-A414-499E-B1A7-BE849599A6FE} - (no file)
O2 - BHO: (no name) - {30EA0DC1-4111-464C-841E-51398CB2BBF7} - (no file)

That is not dead which can eternal lie, and with strange aeons even Death may die.





Response Number 6
Name: wohdin
Date: August 25, 2008 at 15:00:22 Pacific
Reply:

O2 - BHO: (no name) - {3323C645-0ED4-47DE-9E34-2DD9DACBE2AA} - (no file)
O2 - BHO: (no name) - {36EA3C1A-CBF0-4D5F-8526-FFE6D5687F2C} - (no file)
O2 - BHO: (no name) - {3A821754-218C-4B56-BA61-2D9FC275B956} - (no file)
O2 - BHO: (no name) - {3BFA257C-27D7-5895-19D3-0339302B8E37} - (no file)
O2 - BHO: (no name) - {3C1E12BF-EFEB-4584-8229-9C69EB98FA93} - (no file)
O2 - BHO: (no name) - {3CA1B2A4-8BB4-45C7-9D13-EBEF41E7CA62} - (no file)
O2 - BHO: (no name) - {3CD4215A-92D5-4AFB-89FC-AA5DA8C4B73D} - (no file)
O2 - BHO: (no name) - {3DA3AA3B-878D-475F-BE9E-F25CF1442BDE} - (no file)
O2 - BHO: (no name) - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - (no file)
O2 - BHO: (no name) - {3F22B352-DE25-4C53-B19F-0E10CDEE360A} - (no file)
O2 - BHO: (no name) - {41616BDD-C3D7-4CBB-81FE-D47A6F166F34} - (no file)
O2 - BHO: (no name) - {419B56BE-079C-4323-8197-B4996AC67477} - (no file)
O2 - BHO: (no name) - {46268E8D-28FC-4079-B6CD-C671647FF2A1} - (no file)
O2 - BHO: (no name) - {469B896E-10EB-47FF-A153-6D45FDDDE0BA} - (no file)
O2 - BHO: (no name) - {47356BFD-CC7E-4D91-B9A2-4F9478DDEBCE} - (no file)
O2 - BHO: (no name) - {4741AA59-DC53-4F01-A4E2-B34D16E7DFBC} - (no file)
O2 - BHO: (no name) - {486D9E35-54D2-4AD9-9682-E2588004C8AB} - (no file)
O2 - BHO: (no name) - {489354A6-766C-480E-9D8E-9F23F88798EE} - (no file)
O2 - BHO: (no name) - {48B3AC60-8C05-4317-981F-7ECFCB24DA1E} - (no file)
O2 - BHO: (no name) - {4A3F9CC5-5FF3-4DEC-B615-1A9C5B5CA63B} - (no file)
O2 - BHO: (no name) - {4AF32A7A-767E-4566-8A44-71DF9A0B07C9} - (no file)
O2 - BHO: (no name) - {4EBFD922-B044-47D3-B8CB-82522A2E5433} - (no file)
O2 - BHO: (no name) - {4F47890C-4F86-47DA-9C95-ADCF27F232A0} - (no file)
O2 - BHO: (no name) - {4FCA8BC7-24AA-493A-B686-5B6CDB0CC4CD} - (no file)
O2 - BHO: (no name) - {504333F8-626B-435D-AFEF-B070A5F6474C} - (no file)
O2 - BHO: (no name) - {50E1EC53-5E26-4FC4-B400-9EE5C8C38B7D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549E505D-45F3-435B-8E61-9786DB467840} - (no file)
O2 - BHO: (no name) - {56E80539-B6A9-4545-A890-A340BECB744C} - (no file)
O2 - BHO: (no name) - {57624E4F-1F7F-40AA-A847-A9CD8C8C2467} - (no file)
O2 - BHO: (no name) - {57E8BDFE-6F66-4C96-8534-DA4DF1D32FBB} - (no file)
O2 - BHO: (no name) - {59E82A5F-714D-4D40-A64B-BE525137251D} - (no file)
O2 - BHO: (no name) - {5E3E8438-E98B-4AD9-AF1A-533541FD0E4A} - (no file)
O2 - BHO: (no name) - {5ECEA90B-C54B-4815-88F5-0492BDA6A8F2} - (no file)
O2 - BHO: (no name) - {5F308A76-26DC-4B7A-82D7-06941B9EB507} - (no file)
O2 - BHO: (no name) - {5F8904D0-C71C-4BCA-8BCF-7C79E77AFD5A} - (no file)
O2 - BHO: (no name) - {60925464-81DB-4261-B8DB-7BA0700A3B4C} - (no file)
O2 - BHO: (no name) - {63A5139A-687F-4BA4-B582-E2DCF7ECC2F8} - (no file)
O2 - BHO: (no name) - {648592A3-44B7-9AF8-BACA-02859776A1CD} - (no file)
O2 - BHO: (no name) - {66C68E79-2E07-4013-93D0-B25F8DCA68AE} - (no file)
O2 - BHO: (no name) - {6745D3CC-E327-4932-B4B5-5DA73DA0D88C} - (no file)
O2 - BHO: (no name) - {675F7FF0-382C-41B9-B4FB-D5F035A9B3F6} - (no file)
O2 - BHO: (no name) - {67B40015-60F6-4008-A883-242AA5398188} - (no file)
O2 - BHO: (no name) - {684AD82A-9BF3-4034-B17E-97CE8CFDC1DF} - (no file)
O2 - BHO: (no name) - {6BD687BA-7FC5-434E-93E6-E2CB37C6B529} - (no file)
O2 - BHO: (no name) - {6C3637FF-B8C1-4349-8AE5-4B5A81707A5D} - (no file)
O2 - BHO: (no name) - {6CE33A49-F019-4653-891B-FA4DCEF9D53B} - (no file)
O2 - BHO: (no name) - {6CF3BC80-96B0-434F-96DD-3264ABA25862} - (no file)
O2 - BHO: (no name) - {6D836B13-93DD-46AC-8901-8B4AD9570710} - (no file)
O2 - BHO: (no name) - {6EA1A199-AD11-4BDD-BF8E-E2F6FB9F3413} - (no file)
O2 - BHO: (no name) - {6FAD25F7-6608-4E6B-BE27-24CCA6037DEA} - (no file)
O2 - BHO: (no name) - {7035EFE9-76BE-4B8C-B56D-D410126C810B} - (no file)
O2 - BHO: (no name) - {722002E4-46B2-4464-A64A-A1AD63989246} - (no file)
O2 - BHO: (no name) - {73C219EE-A916-4D91-861E-CCF76B94CF53} - (no file)
O2 - BHO: (no name) - {748A8384-7239-494D-B107-EC1A829C6FFD} - (no file)
O2 - BHO: (no name) - {753F9841-2C1E-4A51-9871-E137F6073D29} - (no file)
O2 - BHO: (no name) - {75805EA6-C8C7-4F46-9C49-D83901B857FE} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {76359CC5-7F0C-4812-98BC-DA37CE414A68} - (no file)
O2 - BHO: (no name) - {77DB515F-76FD-4F2B-B258-24EA3A820ADF} - (no file)
O2 - BHO: (no name) - {7882944C-ED61-4178-BC3D-3BCD652A7FA7} - (no file)
O2 - BHO: (no name) - {79692954-F6F1-4B7F-AD79-38B82C14AFEC} - (no file)
O2 - BHO: (no name) - {7C2AC96E-9AE0-4C85-8993-ED1BE07B5FB0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {7E96D742-B3A7-4E09-814E-40515E6C5D9F} - (no file)
O2 - BHO: (no name) - {807CB714-7545-4C78-9BDB-BBE07E68E222} - (no file)
O2 - BHO: (no name) - {86626250-FBD8-4149-8BD4-75E28FEEFA7A} - (no file)
O2 - BHO: (no name) - {871052D0-B37C-4E9D-ACC4-07B54CF8FEBD} - (no file)
O2 - BHO: (no name) - {8A10909D-E539-4E14-9532-89EADB863EE0} - (no file)
O2 - BHO: (no name) - {8AEE2997-7FD6-414D-8085-A8E425ACDE3E} - (no file)
O2 - BHO: (no name) - {8B3EAD54-55AF-4BEE-9791-460D9E467A15} - (no file)
O2 - BHO: (no name) - {8B40C8E6-6EFD-4AE2-AB1A-2F5761E1D59D} - (no file)
O2 - BHO: (no name) - {8BDF351B-E132-4811-8B8D-0B6C86351358} - (no file)
O2 - BHO: (no name) - {8DBF348F-40B7-4BB8-AFC5-425F06AAE94C} - (no file)
O2 - BHO: (no name) - {8DD8B522-2395-4AB2-9D4E-C76E83FF0305} - (no file)
O2 - BHO: (no name) - {8F682530-7F7B-4892-9ACE-7EA1393B1AE3} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {90CC01C0-BCF0-440E-B4C8-97A51E9DC2C0} - (no file)

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 7
Name: wohdin
Date: August 25, 2008 at 15:02:01 Pacific
Reply:

O2 - BHO: (no name) - {91C5D2D2-9779-4EF2-8FD6-DEF4A350C3FA} - (no file)
O2 - BHO: (no name) - {91D775AA-5819-466A-8261-81724782B991} - (no file)
O2 - BHO: (no name) - {92B770F1-4776-4C74-8BAD-E66E127A9201} - (no file)
O2 - BHO: (no name) - {952FC05B-AA0C-4071-945E-9B7463323D8E} - (no file)
O2 - BHO: (no name) - {95B87AAF-97DA-4C54-A819-0A34FAB00857} - (no file)
O2 - BHO: (no name) - {98A75A5C-1036-40A7-8606-7EE82A3ADB54} - (no file)
O2 - BHO: (no name) - {9922C518-BCD1-480F-870A-809033BC6DEE} - (no file)
O2 - BHO: (no name) - {9ADC0A5E-7423-4DA9-AB5A-01E2AD248439} - (no file)
O2 - BHO: (no name) - {9D001354-C21C-41EB-A1C9-8B9EAFCDB74A} - (no file)
O2 - BHO: (no name) - {A0298A22-5388-4A4A-8AEA-6F78928E6802} - (no file)
O2 - BHO: (no name) - {A0888CA7-A9FF-449C-A882-AC51DBFF4278} - (no file)
O2 - BHO: (no name) - {A13DD935-0A6B-4A9E-93B7-814501ADBCFC} - (no file)
O2 - BHO: (no name) - {A25A7668-56CA-421D-A0B2-7F82B734EDA9} - (no file)
O2 - BHO: (no name) - {A341E0E0-7994-4C38-8B59-263F1369F415} - (no file)
O2 - BHO: (no name) - {A4586AEF-57DA-44DD-8E95-0D31ED084194} - (no file)
O2 - BHO: (no name) - {A50386C3-00BA-4828-9A4B-F4D31C9F2535} - (no file)
O2 - BHO: (no name) - {A7C0CE8F-D239-4611-8863-479034858AE3} - (no file)
O2 - BHO: (no name) - {A803F749-DBBA-4F07-8641-41C74FA290A0} - (no file)
O2 - BHO: (no name) - {A87501F1-72FE-41F7-B354-C790CE746CFE} - (no file)
O2 - BHO: (no name) - {A9F8F49D-C51A-4A2B-9157-2346A1E0E11C} - (no file)
O2 - BHO: (no name) - {AA28967A-AF2A-43AA-9CDD-A8D1215002B5} - (no file)
O2 - BHO: (no name) - {ADB1F278-BFC6-4F34-A838-D0BF085396E3} - (no file)
O2 - BHO: (no name) - {AF78371F-F0C6-4600-8518-AAC9D9B60AC9} - (no file)
O2 - BHO: (no name) - {B141D03B-F133-4F1C-8DA2-80431FCBB56C} - (no file)
O2 - BHO: (no name) - {B209E9C0-3AF8-4CE0-A09E-9D198CF084B2} - (no file)
O2 - BHO: (no name) - {B2925861-3B7C-43CF-91F6-32239EC5A40B} - (no file)
O2 - BHO: (no name) - {B52EA380-466B-486E-85A5-707B825E4726} - (no file)
O2 - BHO: (no name) - {B884F564-C550-47E4-A1F2-A7F355845278} - (no file)
O2 - BHO: (no name) - {B979B623-8999-4D23-8CB3-5011A3C91BDB} - (no file)
O2 - BHO: (no name) - {BA2AFEF5-9BE3-4E62-831E-FD89C308DF34} - (no file)
O2 - BHO: (no name) - {BDF59EE1-FEEB-494C-9992-5E50163E9DD5} - (no file)
O2 - BHO: (no name) - {BE7C39AD-69DA-4960-9CC5-BD8040653958} - (no file)
O2 - BHO: (no name) - {BF92740C-BABF-48C7-82D5-B81A36C4DE24} - (no file)
O2 - BHO: (no name) - {C027E161-56AB-4D88-9E2F-E0A335A5FC77} - (no file)
O2 - BHO: (no name) - {C0DE4B99-49C3-444C-8EFB-CCBBE45E6C52} - (no file)
O2 - BHO: (no name) - {C0FCEF8D-FD5E-4D04-BEB5-DD93B533C055} - (no file)
O2 - BHO: (no name) - {C44B80DB-EAA2-43C6-A9A8-C9AB527B1A10} - (no file)
O2 - BHO: (no name) - {CC64C51F-234C-4C7F-AF7F-199D2BBC1B9D} - (no file)
O2 - BHO: (no name) - {CD53F245-A9E4-448F-8E6F-EDF881E04C9C} - (no file)
O2 - BHO: (no name) - {CF643E7C-882C-4375-8DFC-9B6D60AAB65B} - (no file)
O2 - BHO: (no name) - {D08EDC58-EB17-451B-83E2-7BB268633F2E} - (no file)
O2 - BHO: (no name) - {D11E7E63-C927-441F-A99F-FB067D294FA8} - (no file)
O2 - BHO: (no name) - {D28E8A3D-F803-449D-949D-BE15FEC9CA3A} - (no file)
O2 - BHO: (no name) - {D2FA2907-5C5E-43D2-AD2A-41BFBAB32F02} - (no file)
O2 - BHO: (no name) - {D4252BCF-5746-4E35-83EC-585ED9275605} - (no file)
O2 - BHO: (no name) - {D4A0626B-C9E6-4E1B-A7C5-548CDA088AC4} - (no file)
O2 - BHO: (no name) - {D51C7E0E-1790-41DA-B977-0B047F0378AF} - (no file)
O2 - BHO: (no name) - {D51DC760-03D6-4522-8875-EDACFF22496E} - (no file)
O2 - BHO: (no name) - {D5525138-C48D-4892-BD52-432B76B5C466} - (no file)
O2 - BHO: (no name) - {D6D2D05D-151F-4B01-83BD-22F54F356F4C} - (no file)
O2 - BHO: (no name) - {D82988B4-6691-47A5-8965-88751FD0FDBA} - (no file)
O2 - BHO: (no name) - {D83A298E-0A13-4F3B-B3FF-496965E411EE} - (no file)
O2 - BHO: (no name) - {D9972060-D483-42CB-B23D-2F43640A5811} - (no file)
O2 - BHO: (no name) - {D9CBC8D1-624F-4AAB-AD25-910EE7FEA353} - (no file)
O2 - BHO: (no name) - {DC6AD3D3-25EC-44FF-ABF1-D631ECE72A35} - (no file)
O2 - BHO: (no name) - {DECF44D8-C19A-4301-83AB-92FD10440097} - (no file)
O2 - BHO: (no name) - {DF4555B3-FBDD-4A61-8B4C-964BDFF27421} - (no file)
O2 - BHO: (no name) - {E262C6AE-CE08-4701-9FAE-003F0ECF9170} - (no file)
O2 - BHO: (no name) - {E43E50EF-2B71-45D4-9C13-8A3E48928A7B} - (no file)
O2 - BHO: (no name) - {E73C0935-92A7-43F9-A3F2-A147B05ABF33} - (no file)
O2 - BHO: (no name) - {E7AC425B-9441-4A1E-A8D4-DD96CF3DBD6A} - (no file)
O2 - BHO: (no name) - {E8176E71-2071-4BA4-AD6C-3FF812E2EF09} - (no file)
O2 - BHO: (no name) - {E875FB61-515A-4299-BA40-A86B04CCD8BA} - (no file)
O2 - BHO: (no name) - {EA6FE282-1DD6-43C0-B70B-45B15A00A096} - (no file)
O2 - BHO: (no name) - {ED030A82-D0D4-4743-9D13-629C09D2C395} - (no file)
O2 - BHO: (no name) - {ED424A64-5FFF-414C-BDC1-F6E47A58FAF2} - (no file)
O2 - BHO: (no name) - {EE978B9E-A7D5-4648-9E2B-9548B9E5DDEE} - (no file)
O2 - BHO: (no name) - {EF64E762-0C74-4FD6-9AC4-CB05759F6DEE} - (no file)
O2 - BHO: (no name) - {EF949B93-0535-4D4B-9A47-0A7C534608BD} - (no file)
O2 - BHO: (no name) - {F0A5180E-442D-4D90-8318-AAFA5147096F} - (no file)
O2 - BHO: (no name) - {F1230BF0-920B-4CB7-8684-0F97D4598322} - (no file)
O2 - BHO: (no name) - {F1DBA494-86C9-40F5-AA62-1C5D9A4FDD7F} - (no file)
O2 - BHO: (no name) - {F342EDBC-4281-4163-9E1F-023DA38735DE} - (no file)
O2 - BHO: (no name) - {F380AC9A-683E-4252-8E26-41AE93D21275} - (no file)
O2 - BHO: (no name) - {F39D83B9-9805-4774-855E-35EB24DDDC30} - (no file)
O2 - BHO: (no name) - {F3F6C80D-653F-42E2-B26D-DDB9B88D0825} - (no file)
O2 - BHO: (no name) - {F415F9F7-C75F-4B67-8041-1659F554A0A8} - (no file)
O2 - BHO: (no name) - {F6176F17-E30B-4126-9B08-EB96DE5D1282} - (no file)
O2 - BHO: (no name) - {F7904699-D422-4EB0-9BA8-9FE8E909304E} - (no file)
O2 - BHO: (no name) - {F7A4D375-003B-4DC0-8E2A-E52A706F25DE} - (no file)
O2 - BHO: (no name) - {F951018B-09C5-4631-9F66-8971DE95E34A} - (no file)
O2 - BHO: (no name) - {FA7DBB83-1CFA-405C-BAFF-7B289F41D730} - (no file)
O2 - BHO: (no name) - {FB430CA8-67A8-4A68-AF9A-2E1B9E98FE3D} - (no file)
O2 - BHO: (no name) - {FD43E35D-EBEF-4C18-AA04-93858B4C4A58} - (no file)
O2 - BHO: (no name) - {FD95135D-FC5E-4563-9E7E-B10DF539C53F} - (no file)
O2 - BHO: (no name) - {FF0A83EA-8DF7-4B69-936D-2F09551B9767} - (no file)
O2 - BHO: (no name) - {FF330056-752F-410B-8C40-1E527E1C3C67} - (no file)

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 8
Name: wohdin
Date: August 25, 2008 at 15:06:31 Pacific
Reply:

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [LogonStudio] rem "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Gizmo Project for LJ Talk] C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Policies\Explorer\Run: [{00089AEC-0702-1041-1028-020409200001}] "C:\Program Files\Common Files\{00089AEC-0702-1041-1028-020409200001}\Update.exe" mc-110-12-0000272
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Lastfm\LastFMHelper.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://care.alltel.com
O15 - Trusted Zone: http://login.myspace.com
O15 - Trusted Zone: http://www.myspace.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binar...

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 9
Name: wohdin
Date: August 25, 2008 at 15:07:53 Pacific
Reply:

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gam...
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binar...
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.c...
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe
O23 - Service: iPod サービス (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--


Sorry about all that, but this is how badly I'm being crippled. The two HOSTS entries are mine, and I still can't find anything out of the ordinary except for the insane number of (no file) entries.

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 10
Name: jabuck
Date: August 25, 2008 at 15:11:58 Pacific
Reply:

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Be sure to follow the directions in step 6 when the scan completes.

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".

In your case go offline, shut down avast, run Combofix, restart the computer to get avast running again then post the log.


Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



Response Number 11
Name: wohdin
Date: August 25, 2008 at 16:49:10 Pacific
Reply:

Sorry, but I had already done a MalwareBytes scan, and I didn't happen to save the log. Also, I tried ComboFix several times and no matter what I did, it never produced a log - or anything, for that matter. I just ran the .exe and it showed a small window labeled "ComboFix" with a scanning bar and then told me it had "detected rootkit activity" and needed to reboot, and did the same thing when I rebooted without the message, producing no further windows or instructions.

I'm so lost. :(

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 12
Name: jabuck
Date: August 25, 2008 at 18:27:46 Pacific
Reply:

Delete the hosts entries as suggested below; the ones that are yours you will have to put back in later.

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of these items and press "Fix checked":

O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp


O1 - Hosts: 208.69.57.87 patch01.us.segaonline.jp

All the O2's that look like this:

O2 - BHO: (no name) - {0015967B-E352-4A2E-AF30-FA4D4123252C} - (no file)

O4 - HKCU\..\Policies\Explorer\Run: [{00089AEC-0702-1041-1028-020409200001}] "C:\Program Files\Common Files\{00089AEC-0702-1041-1028-020409200001}\Update.exe" mc-110-12-0000272

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} -

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -


O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -


O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -

Run HostXpert as suggested in Response #3 then run Combofix immediately, if possible, as running the host tool may allow it to work.

You will get a warning from your antivirus when you run this tool, just ignore it and run the tool.

Please download SmitFraudFix from this link:

SmitfraudFix

Then extract the contents to your desktop.
!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop. !!!!

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky and other antivirus programs) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 13
Name: wohdin
Date: August 25, 2008 at 18:54:56 Pacific
Reply:

Okay, so woah.
I haven't done HostXpert or SmitfraudFix yet (working on it) but I just did the HJT fix and did a re-scan just to be safe -

and it gave me several O18 entries that, well, don't quite look friendly.

O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6}
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~3\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}

Oh, dear.

That is not dead which can eternal lie, and with strange aeons even Death may die.


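The HijackThis lines in Response 12 and Response 13 are the kind of thing a helper reads by eye: a hosts entry that redirects a hostname to a real address (not a 127.0.0.1 block like the one the OP added), a BHO with "(no file)", an autorun under Policies\Explorer\Run, and "Protocol hijack" entries for the standard urlmon schemes. The script below is an added example (not from this thread and not part of HijackThis) that applies those same triage rules to HJT lines automatically. The names triage(), Finding and EXPECTED_HANDLER are hypothetical helpers; the sample input is constructed from lines of the kinds posted above, plus one made-up https line with a wrong CLSID to show the mismatch check. The expected-CLSID table is taken from the O18 lines in Response 13 and is an assumption about what an XP SP2 box should show.

```python
"""Triage HijackThis (HJT) log lines the way a forum helper would.

Added example, not part of the thread or of HijackThis. Hypothetical names:
triage(), triage_line(), Finding, EXPECTED_HANDLER.
"""
import re
from dataclasses import dataclass

# Default urlmon handler CLSIDs for a few standard schemes, copied from the
# "O18 - Protocol:" lines in this thread (assumption: these are the expected
# values on an XP SP2 machine; extend the table for other schemes).
EXPECTED_HANDLER = {
    "http": "{79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}",
    "https": "{79EAC9E5-BAF9-11CE-8C82-00AA004BA90B}",
    "ftp": "{79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}",
    "file": "{79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}",
}

# A hosts entry pointing here is a block (what the OP did), not a redirect.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

@dataclass
class Finding:
    kind: str      # HJT section, e.g. "O18"
    subject: str   # hostname, CLSID, scheme or path the line is about
    reason: str    # why a defender should look at it

RE_O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(.*?): \[(.*?)\] (.*)$")
RE_O18_HIJACK = re.compile(r"^O18 - Protocol hijack: (\S+) - (.*)$")
RE_O18 = re.compile(r"^O18 - Protocol: (\S+) - (.*?) - (.*)$")

def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = RE_O1.match(line)
    if m:
        addr, host = m.groups()
        if addr not in SINKHOLE_ADDRS:
            return Finding("O1", host, f"hosts file redirects {host} to {addr}")
        return None
    m = RE_O2.match(line)
    if m:
        name, clsid, path = m.groups()
        if path == "(no file)":
            return Finding("O2", clsid, "BHO registered but its DLL is missing")
        return None
    m = RE_O4.match(line)
    if m:
        hive, location, value_name, command = m.groups()
        if "Policies\\Explorer\\Run" in location:
            return Finding("O4", command, f"autorun in {hive}\\..\\{location} (policy key, unusual for software)")
        return None
    m = RE_O18_HIJACK.match(line)
    if m:
        scheme, clsid = m.groups()
        return Finding("O18", scheme, f"HJT reports the {scheme}: handler as hijacked ({clsid})")
    m = RE_O18.match(line)
    if m:
        scheme, clsid, path = m.groups()
        expected = EXPECTED_HANDLER.get(scheme)
        if expected and clsid.upper() != expected:
            return Finding("O18", scheme, f"{scheme}: handler is {clsid} in {path}, expected {expected}")
        return None
    return None

def triage(text: str):
    """Triage every non-blank line of an HJT log; returns findings in log order."""
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]

# Constructed sample: lines of the kinds seen in this thread, plus one made-up
# https line with a placeholder CLSID so the mismatch rule has something to hit.
SAMPLE_HJT = r"""
O1 - Hosts: 208.69.57.87 game01.us.segaonline.jp
O1 - Hosts: 127.0.0.1 antivirus-xp-2008.example
O2 - BHO: (no name) - {0015967B-E352-4A2E-AF30-FA4D4123252C} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [{00089AEC-0702-1041-1028-020409200001}] "C:\Program Files\Common Files\{00089AEC-0702-1041-1028-020409200001}\Update.exe" mc-110-12-0000272
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: https - {DEADBEEF-0000-0000-0000-000000000000} - C:\WINDOWS\system32\placeholder.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.kind:4} {f.subject:60} {f.reason}")
```

The 127.0.0.1 entry is deliberately left alone, since that is how the OP blocked the AVXP 2008 site through HOSTS; only entries that send a hostname somewhere else are reported. "msdaipp - (no CLSID)" is also not reported, because that line is normal on machines with Office web folders and HJT itself does not flag it.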

Response Number 14
Name: wohdin
Date: August 25, 2008 at 19:54:42 Pacific
Reply:

Here be yon SmitFraudFix log. I guess it caught something too, huh.

---

SmitFraudFix v2.339

Scan done at 22:28:48.50, 08/08/25
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\LiteStep\litestep.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\conime.exe
C:\327882R2FWJFW\NirCmd.cfexe
C:\WINDOWS\system32\cmd.exe

» hosts


» C:\


» C:\WINDOWS


» C:\WINDOWS\system


» C:\WINDOWS\Web


» C:\WINDOWS\system32

C:\WINDOWS\system32\a.exe FOUND !
C:\WINDOWS\system32\tdssservers.dat detected, use a Rootkit scanner
C:\WINDOWS\system32\tdssadw.dll detected, use a Rootkit scanner
C:\WINDOWS\system32\tdssinit.dll detected, use a Rootkit scanner
C:\WINDOWS\system32\tdssl.dll detected, use a Rootkit scanner
C:\WINDOWS\system32\drivers\tdssserv.sys detected, use a Rootkit scanner

» C:\WINDOWS\system32\LogFiles


» C:\Documents and Settings\[USERNAME]


» C:\Documents and Settings\[USERNAME]\Application Data


» Start Menu



» Desktop


» C:\Program Files


» Corrupted keys


» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Documents and Settings\\[USERNAME]\\Desktop\\1024\\wallpaper.html"
"SubscribedURL"="C:\\Documents and Settings\\[USERNAME]\\Desktop\\1024\\wallpaper.html"
"FriendlyName"=""

» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


» RK

» DNS

Description: ARRIS TOUCHSTONE DEVICE - Packet Scheduler Miniport
DNS Server Search Order: 192.168.254.254

Description: ARRIS TOUCHSTONE DEVICE - Packet Scheduler Miniport
DNS Server Search Order: 205.171.3.65
DNS Server Search Order: 65.248.170.9
DNS Server Search Order: 65.248.170.7

HKLM\SYSTEM\CCS\Services\Tcpip\..\{12463390-1F4D-40E7-908A-F66B3AF03B7B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D7E3BD93-6208-4BD4-9A44-24868C550BA8}: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7
HKLM\SYSTEM\CS1\Services\Tcpip\..\{12463390-1F4D-40E7-908A-F66B3AF03B7B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{12463390-1F4D-40E7-908A-F66B3AF03B7B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D7E3BD93-6208-4BD4-9A44-24868C550BA8}: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7
HKLM\SYSTEM\CS3\Services\Tcpip\..\{12463390-1F4D-40E7-908A-F66B3AF03B7B}: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D7E3BD93-6208-4BD4-9A44-24868C550BA8}: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.254.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=205.171.3.65 65.248.170.9 65.248.170.7


» Scanning for wininet.dll infection


» End

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 15
Name: jabuck
Date: August 26, 2008 at 03:34:05 Pacific
Reply:

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt



Response Number 16
Name: wohdin
Date: August 26, 2008 at 09:25:25 Pacific
Reply:

[b]SDFix: Version 1.219 [/b]
Run by Administrator on 08-26-2008 at 11:38

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\WINDOWS\system32\a.exe - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
C:\WINDOWS\system32\tdssadw.dll - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssl.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted

Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 12:03:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:84,11,07,98,b5,99,79,34,cc,64,bc,f1,00,48,02,26,29,06,35,91,0c,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:1f040282
"s1"=dword:d9d0f77d
"s2"=dword:6c9bb502
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:ec,13,85,21,46,52,21,79,96,e8,17,c6,b5,10,21,f0,94,df,9e,d3,49,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:ec,13,85,21,46,52,21,79,96,e8,17,c6,b5,10,21,f0,94,df,9e,d3,49,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths]
"\x30fbg\xf8f3r\xf8f3\x30fb\x30fb\x30fbg\xf8f3\x30fb\x80\xf8f3|\xf8f3\x30fbV?I?I???????"="C:\Documents and Settings\\xff8c\xff67\xff72\xff87\xff99\xff8c\xff67\xff9d\xff80\xff7c\xff9eVII\My Documents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"$\xf8f3&\xf8f3P?O?P?\xff730\x30fbW?1?2? ?&? ?$\xf8f3&\xf8f30\xf8f3P?O?P?\xff730\x30fbW?1?2? ?&? ?$\xf8f3&\xf8f3'\xf8f3P?O?P?\xff730\x30fbW?1?2? ?(?T?r?u?e?T?y?p?e?)????"="Pococ.TTC"
"$\xf8f3&\xf8f3\xff6f0\x30fb\xff950\xff880JK?7? ?&? ?$\xf8f3&\xf8f30\xf8f3\xff6f0\x30fb\xff950\xff880JK?7? ?&? ?$\xf8f3&\xf8f3'\xf8f3\xff6f0\x30fb\xff950\xff880JK?7? ?(?T?r?u?e?T?y?p?e?)???????"="cry7.TTC"
"$\xf8f3&\xf8f3\xff960\x30fb\xff830\xff770\x30fb2\xf8f3$\xf8f3W?1?2? ?&? ?$\xf8f3&\xf8f30\xf8f3\xff960\x30fb\xff830\xff770\x30fb2\xf8f3$\xf8f3W?1?2? ?&? ?$\xf8f3&\xf8f3'\xf8f3\xff960\x30fb\xff830\xff770\x30fb2\xf8f3$\xf8f3W?1?2? ?(?T?r?u?e?T?y?p?e?)???????"="brrc___0.TTC"
"$\xf8f3&\xf8f3\xff960\x30fb\xff830\xff770\x30fb3\xf8f31\xf8f3W?1?2? ?&? ?$\xf8f3&\xf8f30\xf8f3\xff960\x30fb\xff830\xff770\x30fb3\xf8f31\xf8f3W?1?2? ?&? ?$\xf8f3&\xf8f3'\xf8f3\xff960\x30fb\xff830\xff770\x30fb3\xf8f31\xf8f3W?1?2? ?(?T?r?u?e?T?y?p?e?)???????"="brsc.TTC"
"$\xf8f3&\xf8f3~0\x30fb\x30fbX0SOW?3? ?&? ?$\xf8f3&\xf8f30\xf8f3~0\x30fb\x30fbX0SOW?3? ?(?T?r?u?e?T?y?p?e?)?????"="Dfmrmw3.TTC"
"$\xf8f3&\xf8f3ui*Y8N\xff740\xff770\xff830\xff6f0SO ?&? ?$\xf8f3&\xf8f30\xf8f3ui*Y8N\xff740\xff770\xff830\xff6f0SO ?&? ?$\xf8f3&\xf8f3'\xf8f3ui*Y8N\xff740\xff770\xff830\xff6f0SO ?(?T?r?u?e?T?y?p?e?)?"="Mrgc.TTC"
"$\xf8f3&\xf8f3\xff91hOW?3? ?(?T?r?u?e?T?y?p?e?)???"="DFSOKN3.TTF"
"$\xf8f3&\xf8f3\x30fbui*Y8N\xff740\xff770\xff830\xff6f0SO ?&? ?$\xf8f3&\xf8f30\xf8f3\x30fbui*Y8N\xff740\xff770\xff830\xff6f0SO ?&? ?$\xf8f3&\xf8f3'\xf8f3\x30fbui*Y8N\xff740\xff770\xff830\xff6f0SO ?(?T?r?u?e?T?y?p?e?)????"="mrge.TTC"
"$\xf8f3&\xf8f3\x30fbui*Ywi\xe606SO ?&? ?$\xf8f3&\xf8f30\xf8f3\x30fbui*Ywi\xe606SO ?&? ?$\xf8f3&\xf8f3'\xf8f3\x30fbui*Ywi\xe606SO ?(?T?r?u?e?T?y?p?e?)???????"="kaie.TTC"
"$\xf8f3&\xf8f3\xff68P。OW?1?2? ?&? ?$\xf8f3&\xf8f30\xf8f3\xff68P。OW?1?2? ?&? ?$\xf8f3&\xf8f3'\xf8f3\xff68P。OW?1?2? ?(?T?r?u?e?T?y?p?e?)???????"="fuuc.TTC"
"&\xf8f3!\xf8f3 ?\xff740\xff770\xff830\xff6f0"\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="FANGOT7.TTF"
"&\xf8f3!\xf8f3 ?\xff9d0\xff830\xff970"\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="FADPOP7.TTF"
"&\xf8f3!\xf8f3 ?8N\xff740\xff770\xff830\xff6f0-\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="FANRGO5.TTF"
"&\xf8f3!\xf8f3 ?Ye\xff91y\xe606-\xf8f3 ?(?T?r?u?e?T?y?p?e?)??"="FANKYO5.TTF"
"&\xf8f3!\xf8f3 ?^tF{Lf-\xf8f3 ?(?T?r?u?e?T?y?p?e?)??"="FANGYO5.TTF"
"&\xf8f3!\xf8f3 ?\xff77Sf-\xf8f3 ?(?T?r?u?e?T?y?p?e?)??"="FADREI5.TTF"
"(\xf8f3'\xf8f3z\xf8f3\x30fb|\xf8f3o\xf8f3x\xf8f3E?-?P?R?O? ?(?T?r?u?e?T?y?p?e?)??"="hgrgep.TTF"
"\xff730\x30fb\xff910\xff790\xff9bkF{wi\xe606SO ?(?T?r?u?e?T?y?p?e?)???"="FGTCOMKM.TTF"
"\xff730\x30fb\xff910\xff790\xff9bkF{LfSO ?(?T?r?u?e?T?y?p?e?)???"="FGTCOMGM.TTF"
"K`\x3303\xff9a0\x30fbW[ ?(?T?r?u?e?T?y?p?e?)???"="BGPENKB.TTF"
"\tg\xff64owi\xe606 ?(?T?r?u?e?T?y?p?e?)??"="FAKAIM_0.TTF"
"\tg\xff64oLf ?(?T?r?u?e?T?y?p?e?)??"="FAGGM_0.TTF"
"_l8b\xff98R\xff6dNAm ?&? ?_l8b\xff98R\xff6dNAm0\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="EDOKAN.TTC"
"eyWSLfSO ?(?T?r?u?e?T?y?p?e?)??"="FGTshgyo.TTF"
"ZvwLf ?(?T?r?u?e?T?y?p?e?)???"="FGGYM_0.TTF"
"アm\xff77Sf ?(?T?r?u?e?T?y?p?e?)???"="BGREIRR.TTF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes]
"\31jィ\16f\35g?"="-3 "
"\31jィ\xff740\xff770\xff830\xff6f0?"="-3 \x30b4\x30b7\x30c3\x30af"
"\xff740\xff770\xff830\xff6f0"="-3 \x30b4\x30b7\x30c3\x30af"
"z\xf8f3\x30fb|\xf8f3o\xf8f3x\xf8f3?"="-3 \x30b4\x30b7\x30c3\x30af"
"x\xf8f3p\xf8f3\x30fbt\xf8f3?"="Courier"
"\x80\xf8f3r\xf8f3\x30fb}\xf8f3\x30fb\x30fb\x30fb\x30fb?????"="Times New Roman"
"\x30fb\x30fb\x30fb\x30fb\x30fbv\xf8f3?????"="Arial"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"H:\syobon-action\x30fbMレZK。ワ\x30fbMレZK。ワ.exe????????????????????"="饅xa6駸・饅xb1饅xa6磚祚齋粡糜"
"D:\game\dojin\\xff75cade\mcd.exe"="mcd"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Games\\HALO - Combat Evolved\\halo.exe"="C:\\Program Files\\Microsoft Games\\HALO - Combat Evolved\\halo.exe:*:Enabled:Halo"
"C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe"="C:\\Program Files\\Wizet\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\MTG Apprentice\\Appr.exe"="C:\\Program Files\\MTG Apprentice\\Appr.exe:*:Enabled:Appr"
"C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe"="C:\\Program Files\\Wizet\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\GBAEMU\\VisualBoyAdvance.exe"="C:\\Program Files\\GBAEMU\\VisualBoyAdvance.exe:*:Enabled:VisualBoyAdvance emulator"
"C:\\Program Files\\EMULATOR\\EMUSNES\\ZSNESW.exe"="C:\\Program Files\\EMULATOR\\EMUSNES\\ZSNESW.EXE:*:Enabled:ZSNESW"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Opera\\Opera.exe"="C:\\Program Files\\Opera\\Opera.exe:*:Enabled:Opera"
"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"
"D:\\game\\sm\\40\\Program\\StepMania.exe"="D:\\game\\sm\\40\\Program\\StepMania.exe:*:Enabled:StepMania"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Psi\\psi.exe"="C:\\Program Files\\Psi\\psi.exe:*:Enabled:psi"
"C:\\Program Files\\Gizmo Project for LJ Talk\\mDNSResponder.exe"="C:\\Program Files\\Gizmo Project for LJ Talk\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Gizmo Project for LJ Talk\\Gizmo-LJ.exe"="C:\\Program Files\\Gizmo Project for LJ Talk\\Gizmo-LJ.exe:*:Enabled:Gizmo Project for LJ Talk"
"C:\\Program Files\\Miranda IM\\miranda32.exe"="C:\\Program Files\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"
"C:\\LiteStep\\litestep.exe"="C:\\LiteStep\\litestep.exe:*:Enabled:An Alternative Win32 Shell"
"D:\\game\\sm\\StepMania_CVS2\\StepMania CVS2\\Program\\StepMania.exe"="D:\\game\\sm\\StepMania_CVS2\\StepMania CVS2\\Program\\StepMania.exe:*:Enabled:StepMania"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:a"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Sat 31 Jan 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 20 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 1 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1ed1b59d1a09d907b309130a93a4867a\BIT1A8.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\523d056929e13eacf8392044f602e53e\BIT3.tmp"
Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Thu 28 Jun 2007 3,096,576 A..H. --- "C:\Documents and Settings\[USERNAME]\Application Data\U3\temp\Launchpad Removal.exe"
Wed 12 Dec 2007 70,144 A..H. --- "C:\Documents and Settings\[USERNAME]\Desktop\wir\porten\~WRL0001.tmp"
Tue 4 Dec 2007 68,608 A..H. --- "C:\Documents and Settings\[USERNAME]\Desktop\wir\porten\~WRL0002.tmp"
Wed 12 Dec 2007 40,960 A..H. --- "C:\Documents and Settings\[USERNAME]\Desktop\wir\porten\~WRL0005.tmp"
Wed 12 Dec 2007 41,472 A..H. --- "C:\Documents and Settings\[USERNAME]\Desktop\wir\porten\~WRL1899.tmp"

[b]Finished![/b]


[EDIT] Awesome! It seems that pretty much all my previous issues have been resolved. Internet's back to normal, nothing is lagging (in fact, it seems even smoother) and all my browsers seem completely unhooked from this menace. Thanks so much!



Response Number 17
Name: jabuck
Date: August 26, 2008 at 15:06:11 Pacific
Reply:

I doubt your computer is clean yet; it may get reinfected.

Please follow the directions in response #10 and post their logs, please.



Response Number 18
Name: wohdin
Date: August 26, 2008 at 19:07:45 Pacific
Reply:

ComboFix worked this time, yay

ComboFix 08-08-26.02 - [USERNAME] 2008-08-26 21:31:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.1.1033.18.242 [GMT -4:00]
Running from: C:\Documents and Settings\[USERNAME]\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\[USERNAME]\Application Data\macromedia\Flash Player\#SharedObjects\AAWGBQGT\bin.clearspring.com
C:\Documents and Settings\[USERNAME]\Application Data\macromedia\Flash Player\#SharedObjects\AAWGBQGT\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\[USERNAME]\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\[USERNAME]\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\[USERNAME]\Cookies\[USERNAME]@a12.bellsouth[2].txt
C:\Documents and Settings\[USERNAME]\Cookies\[USERNAME]@insightexpressai[2].txt
C:\Documents and Settings\[USERNAME]\Cookies\[USERNAME]@spamblockerutility[2].txt
C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Common Files\{00089~1
C:\WINDOWS\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_TDSSSERV
-------\Service_Iprip
-------\Service_tdssserv


((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ C:\WINDOWS\system32\LXBOUSCI.INI
2008-08-26 12:42 . 2008-08-26 12:52 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-26 11:05 . 2008-08-26 11:05 <DIR> d-------- C:\WINDOWS\erunt
2008-08-26 11:03 . 2008-08-26 11:03 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-26 10:38 . 2008-08-26 12:18 <DIR> d-------- C:\SDFix
2008-08-25 22:25 . 2008-08-25 22:30 2,512 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-25 01:16 . 2008-08-25 01:16 <DIR> d-------- C:\Program Files\Opera 9
2008-08-25 00:42 . 2008-08-25 00:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-24 13:47 . 2008-08-24 13:47 <DIR> d-------- C:\Program Files\CCleaner
2008-08-23 23:06 . 2008-08-23 23:06 <DIR> d-------- C:\Documents and Settings\[USERNAME]\Application Data\Malwarebytes
2008-08-23 23:04 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 23:03 . 2008-08-23 23:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 23:03 . 2008-08-23 23:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 23:03 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-22 22:54 . 2008-08-22 22:54 <DIR> d-------- C:\Documents and Settings\[USERNAME]\.AnywherePEViewer
2008-08-17 14:56 . 2008-08-17 14:56 <DIR> d-------- C:\WINDOWS\Logs
2008-08-14 11:09 . 2008-05-01 10:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 08:54 . 17 C:\WINDOWS\Case Maker
2008-08-13 08:50 . 2008-08-13 08:51 <DIR> d-------- C:\Program Files\Phoenix Wright Case Maker
2008-08-08 00:51 . 2008-08-08 00:51 <DIR> d-------- C:\Documents and Settings\[USERNAME]\Application Data\vlc
2008-08-08 00:42 . 2008-08-08 00:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-08-07 21:42 . 2004-08-04 02:08 142,976 --a--c--- C:\WINDOWS\system32\dllcache\usbport.sys
2008-08-06 04:41 . 2008-08-06 04:41 <DIR> d-------- C:\Program Files\WinDirStat
2008-07-31 14:17 . 2008-07-31 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 01:29 --------- d-----w C:\Documents and Settings\[USERNAME]\Application Data\uTorrent
2008-08-26 16:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-26 04:55 --------- d-----w C:\Program Files\Dictionary
2008-08-24 17:59 --------- d-----w C:\Program Files\Premium Booster
2008-08-24 17:58 --------- d-----w C:\Program Files\Joost
2008-08-19 17:11 --------- d-----w C:\Program Files\LIVEUPDATE
2008-08-14 18:46 --------- d-----w C:\Program Files\Java
2008-08-07 20:58 --------- d-----w C:\Program Files\ATLAS V13
2008-08-06 05:39 --------- d-----w C:\Program Files\GBAEMU
2008-08-04 16:21 --------- d-----w C:\Documents and Settings\[USERNAME]\Application Data\OpenOffice.org2
2008-08-01 21:57 --------- d-----w C:\Program Files\No$GBA
2008-07-31 18:10 --------- d-----w C:\Program Files\TVUPlayer
2008-07-27 16:08 --------- d-----w C:\Program Files\Project64 1.6
2008-01-26 18:28 500,936 ----a-w C:\Documents and Settings\[USERNAME]\_osume.exe
2008-01-26 18:28 1,620,311 ----a-w C:\Documents and Settings\[USERNAME]\libraries.zip
2007-12-13 10:40 275 ----a-w C:\Documents and Settings\[USERNAME]\score.dat
2007-12-11 03:07 17,651 ----a-w C:\Documents and Settings\[USERNAME]\scoreth10.dat
2007-01-19 05:30 67 ----a-w C:\Program Files\rem_cdk.bat
2002-08-29 06:05 233,632 ----a-w C:\Program Files\ntldr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 06:23 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogonStudio"="rem" [X]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 09:59 155648]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 01:31 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 22:39 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 22:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 22:39 455168]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 06:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03 81920]
"Openwares LiveUpdate"="C:\Program Files\LiveUpdate\LiveUpdate.exe" [2003-12-13 13:17 61440]
"Aqua Dock"="C:\Program Files\Aqua Dock\Aqua Dock.exe" [2003-11-01 08:58 386560]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"Gizmo Project for LJ Talk"="C:\Program Files\Gizmo Project for LJ Talk\Gizmo-LJ.exe" [2006-10-13 18:45 2985984]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 10:38 78008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 04:48 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\[USERNAME]\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
Rainmeter.lnk - C:\Program Files\Rainmeter\Rainmeter.exe [2006-01-21 07:41:56 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\[USERNAME]\Desktop\1024\wallpaper.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.CTRX"= ctrxvid.drv
"VIDC.GTCC"= GTCODEC.DLL
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.avis"= ff_acm.acm
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windstream Broadband Check-up Center.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windstream Broadband Check-up Center.lnk
backup=C:\WINDOWS\pss\Windstream Broadband Check-up Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^[USERNAME]^Start Menu^Programs^Startup^MagicDisc.lnk]
path=C:\Documents and Settings\[USERNAME]\Start Menu\Programs\Startup\MagicDisc.lnk
backup=C:\WINDOWS\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\^BritannicaReadyReferencePrefs]
path=\BritannicaReadyReferencePrefs
backup=C:\WINDOWS\pss\BritannicaReadyReferencePrefsCommon Startup

[HKLM\~\startupfolder\^lolmuzak.txt]
path=\lolmuzak.txt
backup=C:\WINDOWS\pss\lolmuzak.txtCommon Startup

[HKLM\~\startupfolder\^osu!.cfg]
path=\osu!.cfg
backup=C:\WINDOWS\pss\osu!.cfgCommon Startup

[HKLM\~\startupfolder\^score.dat]
path=\score.dat
backup=C:\WINDOWS\pss\score.datCommon Startup

[HKLM\~\startupfolder\^scoreth10.dat]
path=\scoreth10.dat
backup=C:\WINDOWS\pss\scoreth10.datCommon Startup

[HKLM\~\startupfolder\^th08.cfg]
path=\th08.cfg
backup=C:\WINDOWS\pss\th08.cfgCommon Startup

[HKLM\~\startupfolder\^th10.cfg]
path=\th10.cfg
backup=C:\WINDOWS\pss\th10.cfgCommon Startup

[HKLM\~\startupfolder\^_osume.exe]
path=\_osume.exe
backup=C:\WINDOWS\pss\_osume.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 09:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stisvc"=2 (0x2)
"idsvc"=3 (0x3)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"SCardSvr"=3 (0x3)
"wscsvc"=2 (0x2)
"Spooler"=2 (0x2)
"SysmonLog"=3 (0x3)
"usnjsvc"=3 (0x3)
"SwPrv"=3 (0x3)
"dmadmin"=3 (0x3)
"IDriverT"=3 (0x3)
"ImapiService"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IpWins"=C:\Program Files\ipwins\ipwins.exe
"Lexmark X84-X85 Button Manager"=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
"Lexmark X84-X85 Button Monitor"=C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\MTG Apprentice\\Appr.exe"=
"C:\\Program Files\\GBAEMU\\VisualBoyAdvance.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"D:\\game\\sm\\40\\Program\\StepMania.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Gizmo Project for LJ Talk\\mDNSResponder.exe"=
"C:\\Program Files\\Gizmo Project for LJ Talk\\Gizmo-LJ.exe"=
"C:\\Program Files\\Miranda IM\\miranda32.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\LiteStep\\litestep.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5005:UDP"= 5005:UDP:RTCP - Real Time Control Protocol (open for LJTalk)
"64064:UDP"= 64064:UDP:Gizmo default for SIP messaging (open for LJTalk)
"5004:UDP"= 5004:UDP:Gizmo default for RTP traffic (open for LJTalk)
"7070:TCP"= 7070:TCP:SRS relay and Jabber protocol (open for LJTalk)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
S3 DCamUSBDXGTech;Dual-Mode DSC (Video Camera);C:\WINDOWS\system32\Drivers\GT891x1.SYS []
S3 GT890x;Dual-Mode DSC (Still Camera);C:\WINDOWS\system32\Drivers\GT890x.SYS []
S3 npkycryp;npkycryp;C:\Program Files\Gravity\RO\npkycryp.sys []
S3 XPAD910;XPADFilter Service 910;C:\WINDOWS\system32\DRIVERS\xpad910.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{169144bb-0cde-11dd-83f0-0013a3e12d1b}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1f7bac5-53ff-11d8-8128-806d6172696f}]
\Shell\AutoRun\command - D:\start.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2004-06-23 C:\WINDOWS\Tasks\UPS System Shutdown Program.job
- C:\Documents and Settings\[USERNAME]\My Documents\Power Alarm.txt []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
Notify-MCPClient - (no file)
Notify-zsnotify - (no file)
MSConfigStartUp-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\[USERNAME]\Application Data\Mozilla\Firefox\Profiles\40x8nxv1.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://home.winzy.com/i
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-26 21:44:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\_avast4_\unp206973230.tmp 3220992 bytes executable


**************************************************************************
.
------- Other Running Processes -------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Gizmo Project for LJ Talk\mDNSResponder.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-26 22:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-27 02:02:44

Pre-Run: 6,490,112,000 bytes free
Post-Run: 8,539,000,832 bytes free

275 --- E O F --- 2008-08-26 16:52:17

That is not dead which can eternal lie, and with strange aeons even Death may die.



Response Number 19
Name: jabuck
Date: August 27, 2008 at 03:41:10 Pacific
Reply:

Please go to Virus Total and upload the following file for analysis:

C:\Documents and Settings\[USERNAME]\_osume.exe


Use the browse button at the site to find the file; once you find the file, double-click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.



Response Number 20
Name: wohdin
Date: August 27, 2008 at 09:40:53 Pacific
Reply:

I know what osume is, and it's definitely not a viral file, but if you insist...


Antivirus Version Last Update Result
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 -
Authentium 5.1.0.4 2008.08.27 -
Avast 4.8.1195.0 2008.08.27 -
AVG 8.0.0.161 2008.08.27 -
BitDefender 7.2 2008.08.27 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.27 -
DrWeb 4.44.0.09170 2008.08.27 -
eSafe 7.0.17.0 2008.08.26 -
eTrust-Vet 31.6.6052 2008.08.27 -
Ewido 4.0 2008.08.27 -
F-Prot 4.4.4.56 2008.08.27 -
F-Secure 7.60.13501.0 2008.08.27 -
Fortinet 3.14.0.0 2008.08.26 -
GData 19 2008.08.27 -
Ikarus T3.1.1.34.0 2008.08.27 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.27 -
McAfee 5370 2008.08.26 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3393 2008.08.27 -
Norman 5.80.02 2008.08.27 -
Panda 9.0.0.4 2008.08.26 -
PCTools 4.4.2.0 2008.08.27 -
Prevx1 V2 2008.08.27 -
Rising 20.59.21.00 2008.08.27 -
Sophos 4.33.0 2008.08.27 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.27 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.27 -
VBA32 3.12.8.4 2008.08.27 -
ViRobot 2008.8.27.1352 2008.08.27 -
VirusBuster 4.5.11.0 2008.08.27 -
Webwasher-Gateway 6.6.2 2008.08.27 -
Additional information
File size: 181760 bytes
MD5...: 1f629d633baf4313f13a8d9829c22f5f
SHA1..: 2ddbb4692404f9f832e7a30cc63e93fe1936f66d
SHA256: 5a6f91a59cabedb89bf459842939fca1d59117d92759b5b06378311b6ffe9ab0
SHA512: 02cafa491efc7e788a98c8f15a828caf60b66252b0ce13d04d55f5c2b7a9da7a
3f416d919f831d60e5a1496d4029d6e1e22249c419d6765a8d4f9b3a2d3d4435
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41dac8
timedatestamp.....: 0x4897a5eb (Tue Aug 05 00:59:23 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.rsrc 0x2000 0x8368 0x8400 5.16 d040eac65b6c6d67faed57cb2d434e52
.text 0xc000 0x23c20 0x23e00 6.08 0c96f7948178c31055d39aa2cae67306
.reloc 0x30000 0xc 0x200 0.12 8036543b7f7e4ee74b6ee8f94caeef14

( 1 imports )
> mscoree.dll: _CorExeMain

( 0 exports )

That is not dead which can eternal lie, and with strange aeons even Death may die.


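The PEInfo block in the VirusTotal report above (entry point, TimeDateStamp, machine type, per-section entropy) is read straight out of the PE headers. As an added example that is not part of this thread, the parser below reproduces those fields; the PE it parses is constructed inline and is not the _osume.exe file, and the timestamp is rendered in UTC, which is how the report shows 0x4897a5eb.

```python
# Added example (not from the thread): reproduce the fields VirusTotal's PEInfo
# block reports (entry point, TimeDateStamp, machine type, section entropy) by
# walking the PE headers. The sample PE is constructed below, not _osume.exe.
import datetime
import math
import struct

def section_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_timestamp(ts: int) -> str:
    """Render IMAGE_FILE_HEADER.TimeDateStamp the way the report shows it (UTC)."""
    utc = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return utc.strftime("%a %b %d %H:%M:%S %Y")

def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "viradd": vaddr, "virsiz": vsize,
                         "rawdsiz": rsize, "ntrpy": round(section_entropy(blob[rptr:rptr + rsize]), 2)})
    return {"machine": machine, "entrypoint": entry, "timestamp": pe_timestamp(ts), "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with two sections (just enough structure to parse)."""
    opt_size = 0xE0  # size of a PE32 optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4897A5EB, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x41DAC8)  # AddressOfEntryPoint
    data_start = 0x40 + 4 + 20 + opt_size + 2 * 40
    text_raw = bytes(range(256)) * 2  # uniform bytes: maximal-entropy stand-in for code
    reloc_raw = b"\0" * 0x200  # all zeros: minimal entropy
    sect = struct.pack("<8sIIII", b".text", len(text_raw), 0xC000, len(text_raw), data_start) + b"\0" * 16
    sect += struct.pack("<8sIIII", b".reloc", 0xC, 0x30000, len(reloc_raw), data_start + len(text_raw)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + text_raw + reloc_raw
```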

Response Number 21
Name: jabuck
Date: August 27, 2008 at 14:20:19 Pacific
Reply:

Great, empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Go to start> run> type in combofix /u (note the space after combofix) then press enter. This will uninstall combofix.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


