Copy.exe/Temp2 Virus (Possibly multiple viruses)

I have the copy.exe/temp2 virus, but upon removal of the virus (via PRT), it came back and with a vengeance. It removed my folder options, the Run command when you click Start isn't there anymore, and worse of all, my Ctrl+Alt+Del does not pop up my task manager anymore. Any help is appreciated, thanks.

HijackThis Log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:11 PM, on 4/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anthony Stark\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\temp1.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uklotttery.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Anthony Stark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: MSconfig.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1227943305215
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227943388465
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5283 bytes



DDS Log




DDS (Ver_10-03-17.01) - NTFSx86
Run by Anthony Stark at 15:03:40.31 on Fri 04/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1536.1070 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anthony Stark\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\system32\temp1.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Anthony Stark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://uklotttery.us/
uInternet Settings,ProxyOverride = local
uWindows: load=c:\windows\svchost.exe
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\anthony stark\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/ocis/OSInfo.cab
DPF: {16095503-786F-4097-AED6-5D567A26D760} - hxxp://www.sis.com/ocis/SiSAutodetectNT.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227943305215
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227943388465
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\anthon~1\applic~1\mozilla\firefox\profiles\7gz090qi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\mozilla firefox 3.5 beta 4\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\anthony stark\application data\mozilla\firefox\profiles\7gz090qi.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\documents and settings\anthony stark\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npwachk.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-4-15 33792]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2009-1-25 547744]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;\??\c:\windows\system32\drivers\awrtpd.sys --> c:\windows\system32\drivers\AWRTPD.sys [?]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;\??\c:\windows\system32\drivers\awrtrd.sys --> c:\windows\system32\drivers\AWRTRD.sys [?]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\wpro_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2010-04-02 21:53:37 35346 ----a-w- c:\windows\system32\temp1.exe
2010-04-02 05:36:35 70207 --sha-r- C:\host.exe
2010-04-02 05:36:35 34 --sha-r- C:\autorun.inf
2010-04-02 05:36:35 1211 --sha-r- C:\copy.exe
2010-04-02 05:36:28 2085 ----a-w- c:\windows\system32\temp2.exe
2010-04-02 05:36:27 70207 --sha-r- c:\windows\svchost.exe
2010-04-02 05:36:27 1211 --sha-r- c:\windows\xcopy.exe
2010-03-24 03:35:53 0 d-----w- c:\windows\system32\Adobe
2010-03-13 01:46:13 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-18 06:30:48 348160 ----a-w- c:\windows\system32\msvcr71.dll
2006-05-21 01:19:32 70207 --sha-r- c:\windows\svchost.exe
2006-05-13 12:40:56 1211 --sha-r- c:\windows\xcopy.exe

============= FINISH: 15:04:24.81 ===============



GMER Log



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-02 17:09:24
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\ANTHON~1\LOCALS~1\Temp\pwlcapow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs B5E26400

---- EOF - GMER 1.0.15 ----

Forgot to attach this

Merged posts. ~ OB

Edited by Orange Blossom, 02 April 2010 - 08:42 PM.

Sorry for bump, but really need to get rid of this virus.

Help please?

Hi unbreakabl3
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.

• Close all open programs and windows
• Double click combofix.exe and follow the prompts.
• Vista users right click Combofix.exe and select Run As Administrator.
• When finished, it shall produce a log for you. Post the Combofix log

Note: Do not mouse click combofix's window while its running. That may cause it to stall

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Thanks for helping me out, here's the ComboFix log.


ComboFix 10-04-06.01 - Anthony Stark 04/07/2010 0:27.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1536.1126 [GMT -7:00]
Running from: c:\documents and settings\Anthony Stark\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\boot.exe
C:\copy.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\MSconfig.exe
c:\documents and settings\Anthony Stark\Application Data\inst.exe
c:\documents and settings\Anthony Stark\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\Anthony Stark\Local Settings\Temporary Internet Files\sph264.dll
c:\documents and settings\Anthony Stark\Local Settings\Temporary Internet Files\spmpeg4.dll
c:\documents and settings\Anthony Stark\Local Settings\Temporary Internet Files\sptheo.dll
c:\documents and settings\Anthony Stark\Local Settings\Temporary Internet Files\StreamPlug.dll
C:\host.exe
c:\windows\autorun.inf
c:\windows\svchost.exe
c:\windows\system32\temp1.exe
c:\windows\system32\temp2.exe
c:\windows\xcopy.exe
D:\Autorun.inf
D:\copy.exe
D:\host.exe
E:\autorun.inf
E:\copy.exe
E:\host.exe
F:\autorun.inf
F:\copy.exe
F:\host.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-03-07 to 2010-04-07 )))))))))))))))))))))))))))))))
.

2010-04-07 07:20 . 2008-04-14 00:12 146432 -c--a-w- c:\windows\system32\dllcache\regedit.exe
2010-04-07 07:20 . 2008-04-14 00:12 146432 ----a-w- c:\windows\regedit.exe
2010-04-07 03:36 . 2010-04-07 03:36 -------- d-----w- c:\documents and settings\Anthony Stark\Local Settings\Application Data\HandBrake
2010-04-07 03:36 . 2010-04-07 03:36 -------- d-----w- c:\documents and settings\Anthony Stark\Application Data\HandBrake
2010-04-06 22:05 . 2010-04-06 22:05 -------- d-----w- c:\documents and settings\Anthony Stark\Application Data\dvdcss
2010-04-06 19:21 . 2010-04-06 22:13 -------- d-----w- c:\documents and settings\Anthony Stark\Application Data\Vso
2010-04-06 19:21 . 2010-04-06 19:21 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-04-06 19:21 . 2010-02-09 22:37 65602 ----a-w- c:\windows\system32\cook3260.dll
2010-04-06 19:21 . 2010-02-09 22:37 217127 ----a-w- c:\windows\system32\drv43260.dll
2010-04-06 19:21 . 2010-02-09 22:37 208935 ----a-w- c:\windows\system32\drv33260.dll
2010-04-06 19:21 . 2010-02-09 22:37 176165 ----a-w- c:\windows\system32\drv23260.dll
2010-04-06 19:21 . 2010-02-09 22:37 102439 ----a-w- c:\windows\system32\sipr3260.dll
2010-04-06 19:21 . 2010-02-09 22:37 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2010-04-06 19:21 . 2010-02-09 22:37 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll
2010-04-06 19:21 . 2010-04-06 19:21 -------- d-----w- c:\program files\VSO
2010-04-06 19:03 . 2010-04-06 19:03 -------- d-----w- c:\program files\Pegasys Inc
2010-04-06 19:02 . 2010-04-06 19:02 -------- d-----w- c:\program files\ffdshow
2010-03-24 03:35 . 2010-03-24 03:35 -------- d-----w- c:\windows\system32\Adobe
2010-03-13 01:46 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-07 07:17 . 2009-06-10 07:49 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2010-04-07 07:15 . 2009-08-01 09:51 -------- d-----w- c:\documents and settings\Anthony Stark\Application Data\vlc
2010-04-06 19:47 . 2009-01-12 08:42 -------- d-----w- c:\program files\Common Files\Apple
2010-04-06 19:21 . 2010-04-06 19:21 47360 ----a-w- c:\documents and settings\Anthony Stark\Application Data\pcouffin.sys
2010-04-06 19:21 . 2010-04-06 19:21 47360 ----a-w- c:\documents and settings\Anthony Stark\Application Data\pcouffin.sys
2010-04-06 19:14 . 2009-10-28 09:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-06 19:03 . 2008-11-29 06:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-31 08:28 . 2010-03-30 04:14 152576 ----a-w- c:\documents and settings\Anthony Stark\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-03-13 07:07 . 2009-02-02 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 19:44 . 2008-11-29 09:36 -------- d-----w- c:\documents and settings\Anthony Stark\Application Data\Winamp
2010-02-23 18:26 . 2008-11-29 09:36 -------- d-----w- c:\program files\Winamp
2010-02-23 18:06 . 2010-02-23 18:06 -------- d-----w- c:\program files\Winamp Detect
2010-01-18 06:30 . 2010-01-18 06:30 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-07-04 02:33 . 2009-03-13 08:59 24576 -c--a-w- c:\program files\mozilla firefox\components\CheckTudouVa.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-29 133104]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony Stark^Start Menu^Programs^Startup^Internet Explorer.lnk]
path=c:\documents and settings\Anthony Stark\Start Menu\Programs\Startup\Internet Explorer.lnk
backup=c:\windows\pss\Internet Explorer.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony Stark^Start Menu^Programs^Startup^Raptr.lnk]
path=c:\documents and settings\Anthony Stark\Start Menu\Programs\Startup\Raptr.lnk
backup=c:\windows\pss\Raptr.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Anthony Stark^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
path=c:\documents and settings\Anthony Stark\Start Menu\Programs\Startup\Æô¶¯·ÉËÙÍÁ¶¹.lnk
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
U??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-02-14 20:59 88107 -c--a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-03-29 08:15 133104 -c--atw- c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 -c--a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 22:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05 204288 -c----w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"libusbd"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WMP54Gv4SVC"=2 (0x2)
"wlidsvc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"NVSvc"=2 (0x2)
"npggsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox 3.5 Beta 4\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 11:45 AM 8576]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [4/15/2009 11:39 PM 33792]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [1/25/2009 7:33 PM 547744]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]
S4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1659004503-1417001333-1004Core.job
- c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-29 08:15]

2010-04-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-1659004503-1417001333-1004UA.job
- c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-29 08:15]

2010-04-06 c:\windows\Tasks\User_Feed_Synchronization-{B7EEB6DB-6F20-4501-9951-BB954D2B1142}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uklotttery.us/
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Anthony Stark\Application Data\Mozilla\Firefox\Profiles\7gz090qi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox 3.5 Beta 4\components\CheckTudouVa.dll
FF - plugin: c:\documents and settings\Anthony Stark\Application Data\Mozilla\Firefox\Profiles\7gz090qi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox 3.5 Beta 4\plugins\npwachk.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)
HKLM-Run-SonneDVDCreator - c:\program files\Jam DVD Copy\DVDCreator.exe
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe
MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-D-Link Wireless G WDA-1320 - c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe
MSConfigStartUp-HDDHealth - c:\program files\HDD Health\hddhealth.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe
MSConfigStartUp-Launch LGDCore - c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe
MSConfigStartUp-LcdStudio - c:\program files\LcdStudio\LcdStudio.exe
MSConfigStartUp-nmapp - c:\program files\Pure Networks\Network Magic\nmapp.exe
MSConfigStartUp-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
MSConfigStartUp-Yahoo! Pager - d:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-07 00:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\documents and settings\Anthony Stark\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2010-04-07 00:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-07 07:47

Pre-Run: 759,422,976 bytes free
Post-Run: 51,081,216 bytes free

- - End Of File - - 7529F84CBF764E26CD2FA87AE4C538E1

Hi
How is the machine running now?

Can you tell me what this is?

C:^Documents and Settings^Anthony Stark^Start Menu^Programs^Startup^Æô¶¯·ÉËÙÍÁ¶¹.lnk]
path=c:\documents and settings\Anthony Stark\Start Menu\Programs\Startup\Æô¶¯·ÉËÙÍÁ¶¹.lnk
backup=c:\windows\pss\Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup

I see you have Malwarebytes, please run it this way and post the log.

Launch Malwarebytes' Anti-Malware, Click on the “Update� Tab.

• Click on the "Check for Updates button".
• If an update is found, it will download and install the latest version.
• Once the program has Updated, select 'Perform Quick Scan', then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Post the entire report in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also please read this,

I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections. See here and here

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them,

Please let me know how things are running and post the MBAM log.

Thanks
maranatha

Edited by maranatha, 07 April 2010 - 10:37 PM.

Æô¶¯·ÉËÙÍÁ¶¹.lnkStartup is a Tudou/Youku download accelerator. Tudou/Youku is like a Chinese version of Youtube. I've removed the P2P software, I only used it once and that was 2 years ago to get some P90X videos.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/8/2010 10:31:19 AM
mbam-log-2010-04-08 (10-31-19).txt

Scan type: Quick scan
Objects scanned: 106284
Time elapsed: 13 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi

Very good choice, I'm glad you did so.

OK lets get a on line scan, please do this.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
Close ATF Cleaner


Now this.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on Accept, If your pop up blocker blocks any windows from opening.

Read then Click Accept on the Information page.
Windows Vista users you must open the web browser using the Run as Administrator command.

• The program will launch and then begin downloading the latest definition files:
• Under Scan on the left side, Click on My Computer
• This will start the program and scan your system.
• Click the “Scan Report” On the left side.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
• Save the text file to your desktop.
• Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
maranatha

Hi
If you still require help. please respond to this thread or it will be closed in 48 hours.

Thanks
maranatha

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.