
Random Window Popups: Unknown malware/virus


This topic is locked
10 replies to this topic

#1 bmurray

Posted 07 January 2009 - 08:07 PM

Hi,
A week or two ago, my computer started acting kind of funny all of a sudden. It would open up internet windows and different programs with the usual advertising messages. I've been trying to get rid of the viruses or malware that causes this ever since. I've run Ad-Aware, Spybot, AVG, Malwarebytes, and more, which has gotten rid of some of the problems, but some still exist. Whenever I open Firefox and try to surf the web, random windows open up with advertisements or IP addresses from foreign countries. A lot of them open with a sagipsul.com address, but it's not so much that anymore, just a lot of different addresses. Whenever I start my computer, my AVG reports that it detected multiple trojans and other viruses. I always click heal but it doesn't always work. Also when I start my computer, my Windows (XP) automatic updates are always turned off automatically, which is weird. If anyone could help it would be really appreciated!



DDS (Ver_09-01-07.01) - NTFSx86
Run by Ben at 18:54:47.34 on Wed 01/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1348 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {55008b37-ec45-339b-5414-395058a2f074}: {470f2a85-0593-4145-b933-54ce73b80055} - c:\windows\system32\eschbn.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\ign\download manager\dlm.exe /windowsstart /startifwork
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll eschbn.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\6atifwtv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll

============= SERVICES / DRIVERS ===============

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-18 10368]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-30 26824]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-27 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-27 31504]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-27 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-27 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-30 76040]
R4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-12-27 618232]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2008-9-22 320384]
S3 pohci13F;pohci13F;\??\c:\docume~1\ben\locals~1\temp\pohci13f.sys --> c:\docume~1\ben\locals~1\temp\pohci13F.sys [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-23 11:37 22,328 ac------ c:\windows\system32\drivers\PnkBstrK.sys
2008-12-23 11:37 22,328 ac------ c:\docume~1\ben\applic~1\PnkBstrK.sys
2008-12-23 11:36 103,736 a------- c:\windows\system32\PnkBstrB.exe
2008-12-23 11:36 669,184 a------- c:\windows\system32\pbsvc.exe
2008-12-23 11:36 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-23 11:26 5,370 a------- c:\windows\system32\ealregsnapshot1.reg
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 19:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-13 09:56 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-02-07 16:07 1 ac------ c:\documents and settings\ben\SI.bin

============= FINISH: 18:55:26.12 ===============
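The entries a helper picks out of a DDS log like the one above (a BHO whose display name is itself a CLSID, an unfamiliar DLL in AppInit_DLLs, a driver loaded from a user's Temp folder with no readable file info) can be triaged mechanically. The script below is an added example, not BleepingComputer's or the helper's tooling; its sample lines are constructed from entries in this log and its AppInit allowlist is an assumption standing in for a real baseline.

```python
"""Triage heuristics for DDS "Pseudo HJT Report" / services lines (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines in the style of the DDS log posted above.
SAMPLE_LOG = r"""
BHO: {55008b37-ec45-339b-5414-395058a2f074}: {470f2a85-0593-4145-b933-54ce73b80055} - c:\windows\system32\eschbn.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
AppInit_DLLs: avgrsstx.dll eschbn.dll,
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-30 97928]
S3 pohci13F;pohci13F;\??\c:\docume~1\ben\locals~1\temp\pohci13f.sys --> c:\docume~1\ben\locals~1\temp\pohci13F.sys [?]
"""

# AppInit_DLLs entries already vetted by the analyst. This is an assumed
# allowlist for the example; a real one comes from a known-clean baseline.
APPINIT_ALLOWLIST = {"avgrsstx.dll"}

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# A BHO whose "name" field is a second GUID instead of a vendor string.
BHO_GUID_NAME = re.compile(r"^BHO:\s*" + GUID + r":\s*" + GUID, re.I)
# DDS service/driver line: "<R|S><0-4> name;display;path [date size]" or "[?]".
SERVICE_LINE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$", re.I)
# Directories a legitimate kernel driver is not loaded from (user-writable).
VOLATILE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\docume~1\\", "\\documents and settings\\", "\\locals~1\\")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for lines that deserve an analyst's attention."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if BHO_GUID_NAME.match(line):
            findings.append(("bho-guid-name", line))
            continue
        if line.lower().startswith("appinit_dlls:"):
            # The value is a space/comma separated list; flag each unvetted DLL.
            for dll in re.split(r"[\s,]+", line.split(":", 1)[1].strip()):
                if dll and dll.lower() not in APPINIT_ALLOWLIST:
                    findings.append(("appinit-dll", dll))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            name, _display, path, info = m.groups()
            target = path.lower()
            if "-->" in target:          # DDS shows "raw --> resolved"; judge the resolved path
                target = target.split("-->")[-1].strip()
            if any(d in target for d in VOLATILE_DIRS):
                findings.append(("driver-in-user-writable-dir", f"{name}: {path}"))
            elif info.strip() == "?":    # no date/size recorded for the image file
                findings.append(("driver-file-info-unavailable", f"{name}: {path}"))
    return findings


def modules_under_multiple_rules(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Image basenames that trip more than one rule, e.g. a DLL registered both
    as a BHO and in AppInit_DLLs: two independent load points for one module."""
    seen: Dict[str, set] = {}
    for rule, detail in findings:
        base = re.split(r"[\\/]", detail.strip().rstrip(","))[-1].lower()
        seen.setdefault(base, set()).add(rule)
    return {b: sorted(r) for b, r in seen.items() if len(r) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rule, detail in hits:
        print(f"{rule:30} {detail}")
    print("multi-load-point modules:", modules_under_multiple_rules(hits))
```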


#2 miekiemoes (Malware Response Team)
Posted 08 January 2009 - 04:46 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Extra note... I see you have the Comodo firewall installed. This one interferes with ComboFix and may damage it, that's why I suggest you temporarily uninstall Comodo.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bmurray (Topic Starter)
Posted 09 January 2009 - 04:23 PM

Hi, thanks a lot for your help. I uninstalled Comodo firewall and undid my AVG anti-virus before I ran ComboFix, so I think everything worked out fine.

Combofix log:

ComboFix 09-01-08.05 - Ben 2009-01-09 15:10:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1631 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hkdaqeql.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-02 13:59 . 2009-01-02 13:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 17:02 . 2009-01-09 14:58 <DIR> d-------- c:\program files\COMODO
2008-12-27 16:12 . 2009-01-02 10:54 <DIR> d-------- c:\documents and settings\Ben\Application Data\Twain
2008-12-27 16:07 . 2008-12-27 16:50 <DIR> d-------- c:\program files\Webtools
2008-12-23 12:00 . 2009-01-02 11:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~1
2008-12-23 11:36 . 2009-01-02 11:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
2008-12-18 22:05 . 2008-12-18 22:08 1,475 --a------ c:\windows\tefview.ini
2008-12-18 22:04 . 2008-12-18 22:04 <DIR> d-------- c:\program files\TablEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 20:52 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-02 17:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 17:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-27 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-27 22:14 --------- d-----w c:\program files\Steam
2008-12-25 01:11 --------- d-----w c:\documents and settings\Ben\Application Data\Free Download Manager
2008-12-23 17:37 22,328 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-23 17:37 22,328 -c--a-w c:\documents and settings\Ben\Application Data\PnkBstrK.sys
2008-12-23 17:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 17:27 --------- d-----w c:\program files\Electronic Arts
2008-12-23 09:56 --------- d-----w c:\documents and settings\Ben\Application Data\IGN_DLM
2008-12-23 04:03 --------- d-----w c:\documents and settings\Ben\Application Data\Skype
2008-12-23 02:09 --------- d-----w c:\documents and settings\Ben\Application Data\skypePM
2008-12-19 03:59 --------- d-----w c:\program files\THQ
2008-12-10 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-02 00:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 00:19 --------- d-----w c:\program files\AGEIA Technologies
2008-11-26 22:57 --------- d-----w c:\program files\Google
2008-11-26 22:00 --------- d-----w c:\program files\iTunes
2008-11-26 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 21:59 --------- d-----w c:\program files\iPod
2008-11-26 21:58 --------- d-----w c:\program files\QuickTime
2008-11-26 21:58 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 00:48 --------- d-----w c:\program files\MFInstall
2008-11-22 02:24 --------- d-----w c:\program files\Family Tree Maker 2009
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft.NET
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft WSE
2008-11-22 02:23 --------- d-----w c:\program files\BCL Technologies
2008-11-21 22:13 --------- d-----w c:\program files\Paradox Interactive
2008-11-12 20:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-02-07 22:07 1 -c--a-w c:\documents and settings\Ben\SI.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\kingdoms.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"=
"c:\\Program Files\\Asus\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-ALX.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-18 10368]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-30 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-27 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-27 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-30 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2008-09-22 320384]
S3 pohci13F;pohci13F;\??\c:\docume~1\Ben\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Ben\LOCALS~1\Temp\pohci13F.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bc12a1f-ff30-11db-b6f4-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{470f2a85-0593-4145-b933-54ce73b80055} - c:\windows\system32\eschbn.dll
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\6atifwtv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 15:13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5190702D-FD9A-B30B-8D40-77FA3EB0D420}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
"??"=hex:f7,e3,26,5e,05,2a,6b,a1,7c,c8,f5,03,0d,c7,7f,cc,73,00,d6,2a,80,8b,89,
8a,d3,b1,93,fe,1a,cd,c5,32,09,8d,49,69,2a,1a,a1,2e,6c,85,3c,a2,58,9c,34,80,\
"??"=hex:b0,72,ea,7d,40,32,9a,d3,48,3f,49,8d,0d,59,01,96

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\License information*NULL*]
"datasecu"=hex:eb,16,0a,8e,37,04,7f,9e,46,85,d3,c8,3f,50,f4,50,1d,12,71,04,b0,
c2,76,4b,1e,91,77,8f,93,45,f7,1c,e6,f3,91,b7,30,55,3f,9e,2e,5f,36,6f,66,e5,\
"rkeysecu"=hex:6c,8a,a1,bb,3f,6e,1f,02,65,44,ff,78,02,b3,1f,13
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\sessmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-09 15:15:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 21:15:56

Pre-Run: 46,369,116,160 bytes free
Post-Run: 46,286,536,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

204 --- E O F --- 2009-01-09 20:39:57







Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:26 PM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\sessmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\dlm.exe /windowsstart /startifwork
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1178919209328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178919312953
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6629 bytes


#4 miekiemoes (Malware Response Team)
Posted 09 January 2009 - 04:37 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Folder::
c:\program files\Webtools
Driver::
pohci13F
Dirlook::
c:\documents and settings\All Users\Application Data\~1
c:\documents and settings\All Users\Application Data\~0


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#5 bmurray (Topic Starter)
Posted 09 January 2009 - 05:19 PM

ComboFix 09-01-08.05 - Ben 2009-01-09 16:09:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1592 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Webtools
c:\windows\system32\acccbJlm.ini
c:\windows\system32\acccbJlm.ini2
c:\windows\system32\drivers\senekaosdlytxo.sys
c:\windows\system32\Drivers\TDSSqjso.sys
c:\windows\system32\jkkHwuVm.dll
c:\windows\system32\kvesdyuq.dll
c:\windows\system32\mlJbccca.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\quydsevk.ini
c:\windows\system32\rjnebr.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekabeyykaml.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekadmmhihqi.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\ssqQjHYR.dll
c:\windows\system32\TDSSbvkw.dll
c:\windows\system32\tuvuVnKD.dll
c:\windows\system32\ugvawqdg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_POHCI13F
-------\Service_pohci13F


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-09 15:59 . 2009-01-09 15:59 <DIR> d-------- c:\documents and settings\Ben\Application Data\cogad
2009-01-02 13:59 . 2009-01-02 13:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 17:02 . 2009-01-09 14:58 <DIR> d-------- c:\program files\COMODO
2008-12-27 16:12 . 2009-01-02 10:54 <DIR> d-------- c:\documents and settings\Ben\Application Data\Twain
2008-12-23 12:00 . 2009-01-02 11:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~1
2008-12-23 11:36 . 2009-01-02 11:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\~0
2008-12-18 22:05 . 2008-12-18 22:08 1,475 --a------ c:\windows\tefview.ini
2008-12-18 22:04 . 2008-12-18 22:04 <DIR> d-------- c:\program files\TablEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 20:52 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-02 17:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-27 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-27 22:14 --------- d-----w c:\program files\Steam
2008-12-25 01:11 --------- d-----w c:\documents and settings\Ben\Application Data\Free Download Manager
2008-12-23 17:37 22,328 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-23 17:37 22,328 -c--a-w c:\documents and settings\Ben\Application Data\PnkBstrK.sys
2008-12-23 17:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 17:27 --------- d-----w c:\program files\Electronic Arts
2008-12-23 09:56 --------- d-----w c:\documents and settings\Ben\Application Data\IGN_DLM
2008-12-23 04:03 --------- d-----w c:\documents and settings\Ben\Application Data\Skype
2008-12-23 02:09 --------- d-----w c:\documents and settings\Ben\Application Data\skypePM
2008-12-19 03:59 --------- d-----w c:\program files\THQ
2008-12-10 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-02 00:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 00:19 --------- d-----w c:\program files\AGEIA Technologies
2008-11-26 22:57 --------- d-----w c:\program files\Google
2008-11-26 22:00 --------- d-----w c:\program files\iTunes
2008-11-26 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 21:59 --------- d-----w c:\program files\iPod
2008-11-26 21:58 --------- d-----w c:\program files\QuickTime
2008-11-26 21:58 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 00:48 --------- d-----w c:\program files\MFInstall
2008-11-22 02:24 --------- d-----w c:\program files\Family Tree Maker 2009
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft.NET
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft WSE
2008-11-22 02:23 --------- d-----w c:\program files\BCL Technologies
2008-11-21 22:13 --------- d-----w c:\program files\Paradox Interactive
2008-11-12 20:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-02-07 22:07 1 -c--a-w c:\documents and settings\Ben\SI.bin
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\~0 ----

2008-08-11 12:26 581125 -----c--- c:\documents and settings\All Users\Application Data\~0\mia.lib
2008-08-11 12:26 2864992 -----c--- c:\documents and settings\All Users\Application Data\~0\setup.exe

---- Directory of c:\documents and settings\All Users\Application Data\~1 ----

2008-10-13 04:53 581125 -----c--- c:\documents and settings\All Users\Application Data\~1\mia.lib
2008-10-13 04:53 2667744 -----c--- c:\documents and settings\All Users\Application Data\~1\CrysisWars_patch1.exe


((((((((((((((((((((((((((((( snapshot@2009-01-09_15.15.27.86 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 16:40:51 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 21:44:42 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-14 16:40:51 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 21:44:42 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-14 16:40:51 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-09 21:44:42 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rjnebr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\kingdoms.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"=
"c:\\Program Files\\Asus\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-ALX.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-18 10368]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-30 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-27 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-27 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-30 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2008-09-22 320384]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bc12a1f-ff30-11db-b6f4-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1991943c-2d77-451c-a672-c9daadf570e1} - c:\windows\system32\rjnebr.dll
BHO-{63249AD7-249C-4F99-90B7-0625ADFC8AE3} - c:\windows\system32\mlJbccca.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\6atifwtv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 16:14:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5190702D-FD9A-B30B-8D40-77FA3EB0D420}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*NULL*]
"??"=hex:f7,e3,26,5e,05,2a,6b,a1,7c,c8,f5,03,0d,c7,7f,cc,73,00,d6,2a,80,8b,89,
8a,d3,b1,93,fe,1a,cd,c5,32,09,8d,49,69,2a,1a,a1,2e,6c,85,3c,a2,58,9c,34,80,\
"??"=hex:b0,72,ea,7d,40,32,9a,d3,48,3f,49,8d,0d,59,01,96

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\License information*NULL*]
"datasecu"=hex:eb,16,0a,8e,37,04,7f,9e,46,85,d3,c8,3f,50,f4,50,1d,12,71,04,b0,
c2,76,4b,1e,91,77,8f,93,45,f7,1c,e6,f3,91,b7,30,55,3f,9e,2e,5f,36,6f,66,e5,\
"rkeysecu"=hex:6c,8a,a1,bb,3f,6e,1f,02,65,44,ff,78,02,b3,1f,13
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\sessmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-09 16:18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 22:17:58
ComboFix2.txt 2009-01-09 21:15:59

Pre-Run: 46,451,994,624 bytes free
Post-Run: 46,436,507,648 bytes free

243 --- E O F --- 2009-01-09 20:39:57

#6 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Female, Belgium)

Posted 10 January 2009 - 03:36 AM

Hi,

Not sure how you did it, but it looks like you got reinfected in the meantime. I'm pretty sure you got infected because of the use of illegal software / hacks / patches and cracks.
We'll have to give this another run. Keep in mind to change all your passwords afterwards as well, because the malware you were dealing with could have gathered them.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

Folder::
c:\documents and settings\Ben\Application Data\cogad
c:\documents and settings\Ben\Application Data\Twain
c:\documents and settings\All Users\Application Data\~1
c:\documents and settings\All Users\Application Data\~0
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot not available]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
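The two CFScript posts above (#4 and #6) pick loading points out of a ComboFix log by hand: a folder, a driver service name, and finally the AppInit_DLLs value that the first run left behind after the DLL itself had been deleted. The Python below is an added example, not part of the thread, ComboFix or BleepingComputer, that does the same triage mechanically: it parses the line shapes seen in the posted logs (REGEDIT4-style `[key]` / `"name"=data` lines, `R0/R1/S3` service lines, and the `BHO-{clsid} - path` / `HKCU-Run-name - path` lines under ORPHANS REMOVED), flags a set AppInit_DLLs value, unknown files started from system32, unknown kernel drivers and orphaned BHO/Run entries, reports files held by more than one loading point, and renders the result as a CFScript. Assumptions that are not in the thread: the `KNOWN_*` allow-lists stand in for real hash or signature lookups; the sample log is constructed from entries in the thread, and the `pohci13F` service line (its pairing with TDSSqjso.sys and every `[date size]` bracket) is made up; a bare AppInit_DLLs name is assumed to resolve to system32; `File::` is a ComboFix directive the thread itself does not use.

```python
"""ComboFix log triage: flag persistence points and draft a CFScript (added example)."""
import re
from dataclasses import dataclass

# Assumption: small allow-lists stand in for the hash/signature lookups a
# responder would really do; any other file loaded from system32 is flagged.
KNOWN_SYSTEM32 = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe"}
KNOWN_DRIVERS = {"siwinacc.sys", "avgldx86.sys", "avgtdix.sys", "nv4_mini.sys"}

# Constructed sample modelled on the thread's log lines; the pohci13F service
# line and every "[date size]" bracket are made up for illustration.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-27 1261336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rjnebr.dll
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-30 97928]
R1 pohci13F;pohci13F;c:\windows\system32\drivers\TDSSqjso.sys [2009-01-02 29696]

- - - - ORPHANS REMOVED - - - -

BHO-{1991943c-2d77-451c-a672-c9daadf570e1} - c:\windows\system32\rjnebr.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s+\[[^\]]*\])?$')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)(?:\s+\[[^\]]*\])?$")
BHO_RE = re.compile(r"^BHO-(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.+)$")
RUN_ORPHAN_RE = re.compile(r"^(?:HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    kind: str    # appinit | run | bho | driver
    name: str    # value name, CLSID or service name
    path: str    # file the loading point references
    reason: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Walk the log once and return the loading points worth removing."""
    findings, key = [], ""
    for line in (l.strip() for l in log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group("key").lower()
        elif m := VALUE_RE.match(line):
            name, data = m.group("name"), m.group("data").strip().strip('"')
            if key == APPINIT_KEY and name.lower() == "appinit_dlls" and data:
                # On XP every process that maps user32.dll loads this DLL.
                findings.append(Finding("appinit", name, data, "AppInit_DLLs is set"))
            elif key.endswith("\\run") and data.lower().startswith(SYSTEM32) \
                    and basename(data) not in KNOWN_SYSTEM32:
                findings.append(Finding("run", name, data, "unknown file in system32"))
        elif m := SERVICE_RE.match(line):
            path = m.group("path")
            if path.lower().startswith(SYSTEM32 + "drivers\\") and basename(path) not in KNOWN_DRIVERS:
                findings.append(Finding("driver", m.group("svc"), path, "unknown kernel driver"))
        elif m := BHO_RE.match(line):
            findings.append(Finding("bho", m.group("clsid"), m.group("path"), "orphaned BHO"))
        elif m := RUN_ORPHAN_RE.match(line):
            findings.append(Finding("run", m.group("name"), m.group("path"), "orphaned Run value"))
    return findings


def shared_files(findings):
    """Files held by more than one kind of loading point (layered persistence)."""
    kinds = {}
    for f in findings:
        kinds.setdefault(basename(f.path), set()).add(f.kind)
    return sorted(b for b, k in kinds.items() if len(k) > 1)


def build_cfscript(findings):
    """Render findings as ComboFix File::/Driver::/Registry:: directives."""
    files, drivers, clear_appinit = [], [], False
    for f in findings:
        path = f.path
        if f.kind == "appinit":
            clear_appinit = True
            if "\\" not in path:      # bare name: assume it resolves to system32
                path = SYSTEM32 + path
        elif f.kind == "driver":
            drivers.append(f.name)
        files.append(path)
    out = ["File::", *dict.fromkeys(files)] if files else []   # dedupe, keep order
    if drivers:
        out += ["Driver::", *drivers]
    if clear_appinit:
        out += ["Registry::",
                "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]",
                '"AppInit_DLLs"=""']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("same file in several loading points:", shared_files(found))
    print(build_cfscript(found))
```

On the sample, `shared_files` reports rjnebr.dll because the same DLL is both the AppInit_DLLs value and an orphaned BHO. That matches what the logs above show: the first run deleted c:\windows\system32\rjnebr.dll but left `"AppInit_DLLs"=rjnebr.dll` in place, which is why post #6 adds the `Registry::` block; `build_cfscript` emits the file deletion and the registry reset in one script. Treat its output as a draft to review, not as something to feed to ComboFix blind.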

#7 bmurray (Topic Starter, Members, 6 posts)

Posted 10 January 2009 - 10:41 AM

Hi, thanks for your continued support. I don't have anything illegal or any hacks on my PC, but I do have patches. I fired up ComboFix with that txt file and it said I had to close AVG. I did so according to this site's instructions, but it said I hadn't. So I went ahead and closed down everything with AVG in the title in my running processes. Just a little FYI. Everything else worked fine.

ComboFix 09-01-09.03 - Ben 2009-01-10 9:31:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1627 [GMT -6:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\~0
c:\documents and settings\All Users\Application Data\~0\mia.lib
c:\documents and settings\All Users\Application Data\~0\setup.exe
c:\documents and settings\All Users\Application Data\~1
c:\documents and settings\All Users\Application Data\~1\CrysisWars_patch1.exe
c:\documents and settings\All Users\Application Data\~1\mia.lib
c:\documents and settings\Ben\Application Data\cogad
c:\documents and settings\Ben\Application Data\cogad\cogad.exe
c:\documents and settings\Ben\Application Data\Twain

.
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-02 13:59 . 2009-01-02 13:59 <DIR> d-------- c:\program files\Trend Micro
2008-12-27 17:02 . 2009-01-09 14:58 <DIR> d-------- c:\program files\COMODO
2008-12-18 22:05 . 2008-12-18 22:08 1,475 --a------ c:\windows\tefview.ini
2008-12-18 22:04 . 2008-12-18 22:04 <DIR> d-------- c:\program files\TablEdit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 02:58 --------- d-----w c:\program files\Steam
2009-01-09 21:32 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 20:52 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-02 17:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-27 22:59 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2008-12-25 01:11 --------- d-----w c:\documents and settings\Ben\Application Data\Free Download Manager
2008-12-23 17:37 22,328 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-23 17:37 22,328 -c--a-w c:\documents and settings\Ben\Application Data\PnkBstrK.sys
2008-12-23 17:36 669,184 ----a-w c:\windows\system32\pbsvc.exe
2008-12-23 17:36 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-12-23 17:36 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-23 17:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 17:27 --------- d-----w c:\program files\Electronic Arts
2008-12-23 17:26 5,370 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-23 09:56 --------- d-----w c:\documents and settings\Ben\Application Data\IGN_DLM
2008-12-23 04:03 --------- d-----w c:\documents and settings\Ben\Application Data\Skype
2008-12-23 02:09 --------- d-----w c:\documents and settings\Ben\Application Data\skypePM
2008-12-19 03:59 --------- d-----w c:\program files\THQ
2008-12-10 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-02 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2008-12-02 00:20 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-02 00:19 --------- d-----w c:\program files\AGEIA Technologies
2008-11-26 22:57 --------- d-----w c:\program files\Google
2008-11-26 22:00 --------- d-----w c:\program files\iTunes
2008-11-26 22:00 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 21:59 --------- d-----w c:\program files\iPod
2008-11-26 21:58 --------- d-----w c:\program files\QuickTime
2008-11-26 21:58 --------- d-----w c:\program files\Common Files\Apple
2008-11-25 00:48 --------- d-----w c:\program files\MFInstall
2008-11-22 02:24 --------- d-----w c:\program files\Family Tree Maker 2009
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft.NET
2008-11-22 02:23 --------- d-----w c:\program files\Microsoft WSE
2008-11-22 02:23 --------- d-----w c:\program files\BCL Technologies
2008-11-21 22:13 --------- d-----w c:\program files\Paradox Interactive
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-13 15:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-02-07 22:07 1 -c--a-w c:\documents and settings\Ben\SI.bin
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_15.15.27.86 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 16:40:51 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-09 21:44:42 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-06-14 16:40:51 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-09 21:44:42 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\IGN\Download Manager\dlm.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-27 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\medieval2.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\SEGA\\Medieval II Total War\\kingdoms.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-BI.exe"=
"c:\\Program Files\\Asus\\AsusUpdate\\Update.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\The Creative Assembly\\Rome - Total War\\RomeTW-ALX.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\raiden327\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2004-11-18 10368]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-30 97928]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-30 76040]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2008-09-22 320384]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-27 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-27 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1bc12a1f-ff30-11db-b6f4-806d6172696f}]
\Shell\AutoRun\command - D:\ASUSACPI.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\6atifwtv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 09:33:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5190702D-FD9A-B30B-8D40-77FA3EB0D420}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f7,e3,26,5e,05,2a,6b,a1,7c,c8,f5,03,0d,c7,7f,cc,73,00,d6,2a,80,8b,89,
8a,d3,b1,93,fe,1a,cd,c5,32,09,8d,49,69,2a,1a,a1,2e,6c,85,3c,a2,58,9c,34,80,\
"??"=hex:b0,72,ea,7d,40,32,9a,d3,48,3f,49,8d,0d,59,01,96

[HKEY_USERS\S-1-5-21-1177238915-688789844-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:eb,16,0a,8e,37,04,7f,9e,46,85,d3,c8,3f,50,f4,50,1d,12,71,04,b0,
c2,76,4b,1e,91,77,8f,93,45,f7,1c,e6,f3,91,b7,30,55,3f,9e,2e,5f,36,6f,66,e5,\
"rkeysecu"=hex:6c,8a,a1,bb,3f,6e,1f,02,65,44,ff,78,02,b3,1f,13
.
Completion time: 2009-01-10 9:35:12
ComboFix-quarantined-files.txt 2009-01-10 15:35:09
ComboFix2.txt 2009-01-09 22:18:02
ComboFix3.txt 2009-01-09 21:15:59

Pre-Run: 46,400,925,696 bytes free
Post-Run: 46,378,262,528 bytes free

208 --- E O F --- 2009-01-09 20:39:57

#8 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Female, Belgium)

Posted 10 January 2009 - 01:10 PM

Hi,

This looks OK again :thumbsup:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#9 bmurray (Topic Starter, Members, 6 posts)

Posted 11 January 2009 - 04:50 PM

Ok, I uninstalled it and everything works perfectly again! Malwarebytes didn't bring up anything. Thank you so much, I really appreciate your help.

Have a good new year,
Ben

Edited by bmurray, 11 January 2009 - 04:58 PM.


#10 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Female, Belgium)

Posted 12 January 2009 - 02:02 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Female, Belgium)

Posted 16 January 2009 - 05:44 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



