
Inactive [InActive] "Trojan-Downloader.Win32.Agent variant"

Discussion in 'Malware and Virus Removal Archive' started by joeguitar, 2008/10/25.

  1. 2008/10/25
    joeguitar

    joeguitar Inactive Thread Starter

    Joined:
    2008/10/25
    Messages:
    5
    Likes Received:
    0
    So I'm at work, and my wife just called me. World of Warcraft gave her a message, something like: Trojan-Downloader.Win32.Agent variant found. I had her disconnect the computer from the network, and run Spybot and AVG scans. Spybot found a trojan (I don't have the exact name) and AVG is still running. Before disconnecting the computer, I remote controlled it, tried to get to Windows Update and a few other sites, then couldn't get there. I found the DNS servers are set to 85.255.112.21 and 85.255.112.* (forgot the second one). A quick Google search shows that those are poisoned DNS servers.

    OK so after some research I want to run fixwareout.exe, but I cannot find this file anywhere. The links to the .exe return a 404. For example http://download.bleepingcomputer.com/lonny/Fixwareout.exe; and http://downloads.subratam.org/Fixwareout.exe; I tried these links from my work computer (not infected). When I get home I'm going to try to remove it with Spybot and AVG. Any suggestions?
     
  2. 2008/10/25
    joeguitar

    joeguitar Inactive Thread Starter

    Joined:
    2008/10/25
    Messages:
    5
    Likes Received:
    0
    S'more info

    Spybot found
    Zlob.DNSCHanger.rtk;C:\Windows\System32\kdgwm.exe

    AVG Is still scanning but it found already:
    C:\resycled[sic]\boot.com; "Trojan horse SHeur.CQRY "
     


  4. 2008/10/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS joeguitar :)

    Fixwareout has been removed from public use by its developer. Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Then,
    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in another reply.
     
  5. 2008/10/26
    joeguitar

    joeguitar Inactive Thread Starter

    Joined:
    2008/10/25
    Messages:
    5
    Likes Received:
    0
    Hey noahdfear, thanks for the reply!

    Just to let you know what I have already done: I had AVG delete three files (C:\resycled\boot.com, one on my d:\ and one on my h:\) and Spybot repaired the Zlob.DNSCHanger.rtk;C:\Windows\System32\kdgwm.exe on its own (supposedly). After doing this, I still had my DNS servers set as 85.255.112.21. So I deleted all entries for nameserver from the registry, and reinstalled my network adapter from the device manager. I then had valid DNS servers from my ISP.

    I then checked here, and decided to run ComboFix.exe per your request. I will run the next program immediately after this post.

    Here is the log:

    ComboFix 08-10-25.01 - joe 2008-10-26 22:13:08.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1963 [GMT -6:00]
    Running from: C:\Users\joe\Downloads\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
    C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
    .
    ---- Previous Run -------
    .
    C:\autorun.inf
    D:\Autorun.inf
    H:\Autorun.inf

    ----- BITS: Possible infected sites -----

    hxxp://lp2.patch.station.sony.com:7000
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
    .

    2008-10-25 23:48 . 2008-10-25 23:48 88 --a------ C:\Windows\wininit.ini
    2008-10-25 14:36 . 2008-10-25 14:36 <DIR> d-------- C:\Users\All Users\ALM
    2008-10-25 14:36 . 2008-10-25 14:36 <DIR> d-------- C:\ProgramData\ALM
    2008-10-25 14:18 . 2008-04-07 05:38 22,872 -ra------ C:\Windows\System32\AdobePDFUI.dll
    2008-10-25 14:11 . 2008-10-25 14:11 <DIR> d-------- C:\Program Files\Adobe Media Player
    2008-10-25 14:09 . 2008-10-25 14:09 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
    2008-10-25 13:58 . 2008-10-25 13:58 29,192 --a------ C:\Windows\System32\drivers\ndisprot.sys
    2008-10-25 12:54 . 2008-05-30 14:11 3,850,760 --a------ C:\Windows\System32\D3DX9_38.dll
    2008-10-25 12:54 . 2008-05-30 14:11 1,491,992 --a------ C:\Windows\System32\D3DCompiler_38.dll
    2008-10-25 12:54 . 2008-05-30 14:19 507,400 --a------ C:\Windows\System32\XAudio2_1.dll
    2008-10-25 12:54 . 2008-05-30 14:11 467,984 --a------ C:\Windows\System32\d3dx10_38.dll
    2008-10-25 12:54 . 2008-05-30 14:18 238,088 --a------ C:\Windows\System32\xactengine3_1.dll
    2008-10-25 12:54 . 2008-10-25 12:54 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
    2008-10-25 12:54 . 2008-05-30 14:17 65,032 --a------ C:\Windows\System32\XAPOFX1_0.dll
    2008-10-25 12:54 . 2008-05-30 14:17 25,608 --a------ C:\Windows\System32\X3DAudio1_4.dll
    2008-10-25 12:45 . 2008-10-25 12:45 <DIR> d-------- C:\Games
    2008-10-24 23:22 . 2008-10-24 23:22 <DIR> d-------- C:\Program Files\QuickPar
    2008-10-24 22:46 . 2008-10-24 22:46 <DIR> d-------- C:\Program Files\AltBinz
    2008-10-24 02:19 . 2008-10-24 02:19 <DIR> d-------- C:\Program Files\Microsoft LifeChat
    2008-10-22 15:43 . 2008-10-22 15:43 <DIR> d-------- C:\Program Files\Maxis
    2008-10-22 15:42 . 1995-08-01 18:49 258,560 --a------ C:\Windows\uninst.exe
    2008-10-21 23:56 . 2008-10-25 17:41 <DIR> d-------- C:\Starcraft
    2008-10-21 23:56 . 2008-10-21 23:58 94,208 --a------ C:\Windows\ScUnin.exe
    2008-10-21 23:56 . 2008-10-21 23:58 27,209 --a------ C:\Windows\scunin.dat
    2008-10-21 23:56 . 2008-10-21 23:58 967 --a------ C:\Windows\ScUnin.pif
    2008-10-19 23:50 . 2008-10-19 23:50 <DIR> d-------- C:\Program Files\JitBit
    2008-10-19 23:44 . 2008-10-19 23:45 <DIR> d-------- C:\Program Files\Workspace Macro Pro 6.5
    2008-10-19 23:30 . 2008-10-19 23:30 <DIR> d-------- C:\asdf
    2008-10-19 23:23 . 2008-10-19 23:29 <DIR> d-------- C:\Program Files\AutoMacroRecorder
    2008-10-19 22:16 . 2008-10-20 21:07 <DIR> d-------- C:\Users\joe\AppData\Roaming\EVEMon
    2008-10-19 22:16 . 2008-10-19 22:16 <DIR> d-------- C:\Program Files\EVEMon
    2008-10-19 16:26 . 2008-10-19 16:26 <DIR> d-------- C:\Users\All Users\CCP
    2008-10-19 16:26 . 2008-10-19 16:26 <DIR> d-------- C:\ProgramData\CCP
    2008-10-19 16:24 . 2008-10-19 16:24 <DIR> d-------- C:\Program Files\CCP
    2008-10-16 19:38 . 2008-10-17 08:46 <DIR> d-------- C:\Program Files\StarWarsGalaxies
    2008-10-15 20:27 . 2008-10-15 20:27 <DIR> d-------- C:\Users\All Users\Blizzard
    2008-10-15 20:27 . 2008-10-15 20:27 <DIR> d-------- C:\ProgramData\Blizzard
    2008-10-13 16:24 . 2008-10-13 16:24 <DIR> d-------- C:\Users\joe\AppData\Roaming\Screaming Bee
    2008-10-13 16:24 . 2008-10-13 20:44 <DIR> d-------- C:\Users\All Users\Screaming Bee
    2008-10-13 16:24 . 2008-10-13 20:44 <DIR> d-------- C:\ProgramData\Screaming Bee
    2008-10-13 16:20 . 2008-10-13 17:04 <DIR> d-------- C:\Program Files\Screaming Bee
    2008-10-13 16:20 . 2008-10-13 16:20 <DIR> d-------- C:\Program Files\Common Files\Screaming Bee
    2008-10-13 13:28 . 2008-10-13 13:28 <DIR> d-------- C:\Program Files\Xponaut
    2008-10-13 13:19 . 2008-10-25 17:46 <DIR> d-------- C:\Users\joe\AppData\Roaming\skypePM
    2008-10-13 13:19 . 2008-10-13 13:19 56 --ah----- C:\Users\All Users\ezsidmv.dat
    2008-10-13 13:19 . 2008-10-13 13:19 56 --ah----- C:\ProgramData\ezsidmv.dat
    2008-10-13 13:18 . 2008-10-25 23:45 <DIR> d-------- C:\Users\joe\AppData\Roaming\Skype
    2008-10-13 13:17 . 2008-10-13 13:17 <DIR> d-------- C:\Users\All Users\Skype
    2008-10-13 13:17 . 2008-10-13 13:17 <DIR> d-------- C:\ProgramData\Skype
    2008-10-13 13:17 . 2008-10-13 13:17 <DIR> d-------- C:\Program Files\Skype
    2008-10-13 13:17 . 2008-10-13 13:17 <DIR> d-------- C:\Program Files\Common Files\Skype
    2008-10-12 19:13 . 2008-10-12 19:13 <DIR> d-------- C:\Program Files\Virtrium
    2008-10-12 16:43 . 2008-10-12 16:43 <DIR> d-------- C:\Users\joe\AppData\Roaming\teamspeak2
    2008-10-12 16:43 . 2008-10-12 16:43 <DIR> d-------- C:\Teamspeak
    2008-10-12 16:43 . 2008-10-12 16:43 34,064 --a------ C:\Windows\System32\lhacm.acm
    2008-10-12 15:30 . 2008-10-12 15:30 <DIR> d-------- C:\MMORPG
    2008-10-12 08:48 . 2008-10-12 08:52 <DIR> d-------- C:\Program Files\Sony
    2008-10-12 06:55 . 2008-10-12 06:56 203,638,892 --a------ C:\Windows\MEMORY.DMP
    2008-10-08 13:50 . 2008-10-08 15:11 <DIR> d-------- C:\Users\joe\AppData\Roaming\SecondLife
    2008-10-08 13:33 . 2008-10-08 15:12 <DIR> d-------- C:\Program Files\SecondLife
    2008-10-05 11:46 . 2008-10-05 11:46 <DIR> d-------- C:\Users\joe\AppData\Roaming\Move Networks
    2008-09-30 21:48 . 2008-09-30 21:48 <DIR> d-------- C:\Users\All Users\MiKTeX
    2008-09-30 21:48 . 2008-09-30 21:48 <DIR> d-------- C:\ProgramData\MiKTeX
    2008-09-30 21:43 . 2008-09-30 21:47 <DIR> d-------- C:\Program Files\MiKTeX 2.7
    2008-09-30 03:29 . 2008-09-30 03:31 <DIR> d-------- C:\Users\joe\AppData\Roaming\Notepad++
    2008-09-30 03:29 . 2008-09-30 03:30 <DIR> d-------- C:\Program Files\Notepad++
    2008-09-30 00:34 . 2008-09-30 00:34 <DIR> d-------- C:\Users\All Users\FLEXnet
    2008-09-30 00:34 . 2008-09-30 00:34 <DIR> d-------- C:\ProgramData\FLEXnet
    2008-09-30 00:06 . 2008-09-30 00:06 <DIR> d-------- C:\Program Files\Bonjour
    2008-09-29 23:59 . 2008-09-29 23:59 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-09-29 22:12 . 2008-09-29 22:12 <DIR> d-------- C:\Program Files\Macromedia
    2008-09-29 22:12 . 2008-09-29 22:12 <DIR> d-------- C:\Program Files\Common Files\Macromedia
    2008-09-29 05:45 . 2008-09-29 11:02 <DIR> d-------- C:\Windows\Downloaded Installations

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-27 03:39 --------- d-----w C:\Program Files\Steam
    2008-10-26 06:00 --------- d-----w C:\Program Files\LogMeIn
    2008-10-25 23:39 --------- d-----w C:\Users\joe\AppData\Roaming\uTorrent
    2008-10-25 20:42 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-10-25 20:31 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
    2008-10-25 18:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-25 18:23 --------- d-----w C:\Program Files\Common Files\Steam
    2008-10-20 05:30 --------- d-----w C:\Program Files\AutoHotkey
    2008-10-17 20:02 87,352 ----a-w C:\Windows\System32\LMIinit.dll
    2008-10-17 20:02 83,288 ----a-w C:\Windows\System32\LMIRfsClientNP.dll
    2008-10-17 20:02 28,984 ----a-w C:\Windows\System32\LMIport.dll
    2008-10-17 20:02 23,736 ----a-w C:\Windows\System32\lmimirr.dll
    2008-10-17 20:02 10,040 ----a-w C:\Windows\System32\lmimirr2.dll
    2008-10-16 02:27 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
    2008-10-11 20:29 47,640 ----a-w C:\Windows\system32\drivers\LMIRfsDriver.sys
    2008-10-04 21:17 --------- d-----w C:\ProgramData\Roxio
    2008-09-29 11:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-09-24 06:46 --------- d-----w C:\Program Files\glassfish-v2ur2
    2008-09-24 06:46 --------- d-----w C:\Program Files\Apache Software Foundation
    2008-09-24 06:45 --------- d-----w C:\Program Files\NetBeans 6.1
    2008-09-21 09:07 --------- d-----w C:\Users\joe\AppData\Roaming\Artisteer
    2008-09-21 09:06 --------- d-----w C:\Program Files\Artisteer
    2008-09-20 05:23 --------- d-----w C:\Program Files\PHP
    2008-09-18 23:30 --------- d-----w C:\ProgramData\Microsoft Help
    2008-09-18 05:34 --------- d-----w C:\Program Files\MySQL
    2008-09-17 02:42 97,928 ----a-w C:\Windows\system32\drivers\avgldx86.sys
    2008-09-17 02:42 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
    2008-09-17 02:42 --------- d-----w C:\ProgramData\avg8
    2008-09-17 02:42 --------- d-----w C:\Program Files\AVG
    2008-09-17 01:28 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-09-17 00:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-09-15 05:39 --------- d-----w C:\Program Files\Sun
    2008-09-15 05:39 --------- d-----w C:\Program Files\Java
    2008-09-10 04:26 --------- d-----w C:\Program Files\DivX
    2008-09-07 05:44 --------- d-----w C:\Users\joe\AppData\Roaming\SPORE Creature Creator
    2008-09-07 05:42 --------- d-----w C:\Program Files\Electronic Arts
    2008-09-06 23:57 --------- d-----w C:\Program Files\Project64 1.6
    2008-09-02 06:39 --------- d-----w C:\Users\joe\AppData\Roaming\vlc
    2008-09-02 06:32 --------- d-----w C:\Program Files\VideoLAN
    2008-07-31 16:16 947,472 ----a-w C:\Windows\System32\msjava.dll
    2008-05-02 00:05 174 --sha-w C:\Program Files\desktop.ini
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe "= "C:\Windows\ehome\ehTray.exe" [2008-01-18 125952]
    "Steam "= "c:\program files\steam\steam.exe" [2008-10-09 1410296]
    "googletalk "= "C:\Users\joe\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "WMPNSCFG "= "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray "= "C:\Windows\system32\igfxtray.exe" [2007-09-25 141848]
    "HotKeysCmds "= "C:\Windows\system32\hkcmd.exe" [2007-09-25 154136]
    "Persistence "= "C:\Windows\system32\igfxpers.exe" [2007-09-25 129560]
    "NvSvc "= "C:\Windows\system32\nvsvc.dll" [2007-11-06 86016]
    "NvCplDaemon "= "C:\Windows\system32\NvCpl.dll" [2007-11-06 8530464]
    "NvMediaCenter "= "C:\Windows\system32\NvMcTray.dll" [2007-11-06 81920]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "FileZilla Server Interface "= "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" [2008-07-30 942080]
    "LogMeIn GUI "= "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "AVG8_TRAY "= "C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
    "RtHDVCpl "= "RtHDVCpl.exe" [2007-05-11 C:\Windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
    backup=C:\Windows\pss\Monitor Apache Servers.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Workspace Macro Pro Hotkeys.lnk]
    path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Workspace Macro Pro Hotkeys.lnk
    backup=C:\Windows\pss\Workspace Macro Pro Hotkeys.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=C:\Users\joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=C:\Windows\pss\MagicDisc.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MorphVOX.lnk]
    path=C:\Users\joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MorphVOX.lnk
    backup=C:\Windows\pss\MorphVOX.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    --a------ 2008-06-11 22:43 640376 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    --a------ 2008-06-12 02:25 37232 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    --a------ 2008-08-14 07:58 611712 C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
    --a------ 2008-08-15 05:46 378224 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    --a------ 2008-08-08 06:11 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    --a------ 2008-02-13 18:21 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    --a------ 2008-04-14 07:54 1838592 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
    --a------ 2008-08-21 11:16 267296 C:\Program Files\Microsoft LifeChat\LifeChat.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2008-09-29 17:57 21755688 C:\Program Files\Skype\Phone\Skype.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "TCP Query User{61E232E8-9AE3-4D21-A3E0-48A661FEFFE8}C:\\program files\\steam\\steamapps\\joeguitar2721@hotmail.com\\counter-strike source\\hl2.exe "= UDP:C:\program files\steam\steamapps\joeguitar2721@hotmail.com\counter-strike source\hl2.exe:hl2
    "UDP Query User{198E4004-7335-47C9-85CD-0A4A41DD559E}C:\\program files\\steam\\steamapps\\joeguitar2721@hotmail.com\\counter-strike source\\hl2.exe "= TCP:C:\program files\steam\steamapps\joeguitar2721@hotmail.com\counter-strike source\hl2.exe:hl2
    "TCP Query User{8EBC7967-83B3-4CCC-90EA-C2F2C36F4FAE}C:\\program files\\steam\\steamapps\\joeguitar2721@hotmail.com\\team fortress 2\\hl2.exe "= UDP:C:\program files\steam\steamapps\joeguitar2721@hotmail.com\team fortress 2\hl2.exe:hl2
    "UDP Query User{C2F60F28-23FC-4AC8-94EF-C7C249DBE24A}C:\\program files\\steam\\steamapps\\joeguitar2721@hotmail.com\\team fortress 2\\hl2.exe "= TCP:C:\program files\steam\steamapps\joeguitar2721@hotmail.com\team fortress 2\hl2.exe:hl2
    "TCP Query User{00718778-59F5-42EE-A29A-566D2FEDF3D1}C:\\program files\\ventsrv\\ventrilo_srv.exe "= UDP:C:\program files\ventsrv\ventrilo_srv.exe:ventrilo_srv
    "UDP Query User{9C6D0832-BA14-4A26-BB29-7FC4BE7B2A93}C:\\program files\\ventsrv\\ventrilo_srv.exe "= TCP:C:\program files\ventsrv\ventrilo_srv.exe:ventrilo_srv
    "{EEAE85FD-632C-4DBE-9EBD-11259FA1652A} "= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{9E18E07B-7120-49A8-9845-3992AF72FCB4} "= UDP:21:FTP Server
    "{5875B62D-451B-4132-BB8D-CEF1E50139E0} "= TCP:21:FTP Server UDP
    "{6A6D05B9-1E31-42DD-BC71-1A75C78450F7} "= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
    "{9704CCF4-232F-4C0E-9516-17C471ECE956} "= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
    "{5FB2C5ED-4987-490C-B40C-2E238255016B} "= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
    "{3D2C7B1B-4984-457F-A517-1C1F44B5643C} "= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:Neverwinter Nights 2 Main
    "{EC66627E-C909-4FCB-8106-5F967C72329D} "= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
    "{7F4424F4-64B5-4469-8D47-301B16D460B5} "= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:Neverwinter Nights 2 AMD
    "{D14602F1-33A6-4EBD-B3DC-47AFA235D317} "= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
    "{DD9032AF-C132-4F84-9BD1-EBF32AC9F73D} "= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:Neverwinter Nights 2 Updater
    "{384D4B0C-E8A2-40C6-9D6C-293164EF6FA2} "= UDP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
    "{5A1D34A6-B2EC-4A62-AB28-66E3D8F0FA6D} "= TCP:C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:Neverwinter Nights 2 Server
    "{F40681CF-2F50-464D-ADFE-92078F56BC73} "= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{52EE1812-9218-461D-839A-C6717216A567} "= C:\Program Files\Skype\Phone\Skype.exe:Skype
    "{9B585F45-A0CD-4B15-A376-8F6DF54355DD} "= UDP:C:\Games\Far Cry 2\bin\FarCry2.exe:Far Cry 2
    "{6E0E115E-5369-489C-B8C3-CE37A390FDBC} "= TCP:C:\Games\Far Cry 2\bin\FarCry2.exe:Far Cry 2
    "{0D6F4D93-0772-40C5-AFA6-FAC00CB1F424} "= UDP:C:\Games\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
    "{DF7D05CA-8D57-422D-B7F4-FC53B5A515A5} "= TCP:C:\Games\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
    "{4DDE7F9B-1400-47E5-84F1-FCDA37729069} "= UDP:C:\Games\Far Cry 2\bin\FC2Editor.exe:Editor
    "{A24D6C18-9964-4435-B995-D229733E4D45} "= TCP:C:\Games\Far Cry 2\bin\FC2Editor.exe:Editor
    "{6C004AEE-5A18-4710-99CA-E80720AC7B7F} "= UDP:5353:Adobe CSI CS4
    "{551EA7E6-7128-44BF-BD6A-D95F32592676} "= UDP:C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
    "{8C3F1D1F-A63E-4965-AAD2-EC1F65B8C728} "= TCP:C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
    "{200F97CC-3218-4EC6-A801-05A2D9362872} "= UDP:3703:Adobe Version Cue CS4 Server
    "{C8624305-4EDA-4597-AE74-1E7F731B9060} "= UDP:3704:Adobe Version Cue CS4 Server
    "{9E0223FA-75BD-4C3D-A6C6-85F1DE513665} "= UDP:51000:Adobe Version Cue CS4 Server
    "{14F6FBFB-272B-46AD-920E-CD5BF85F5AAE} "= UDP:51001:Adobe Version Cue CS4 Server
    "{E64A31ED-B7F9-4E6F-9145-0575AC648435} "= UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server
    "{222F4AD9-945B-4E61-8634-EAFE8C534429} "= TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall "= 0 (0x0)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-09-16 97928]
    R2 adfs;adfs;C:\Windows\system32\drivers\adfs.sys [2008-08-14 74720]
    R2 Apache2.2;Apache2.2;C:\WAMP\Apache\Apache2.2\bin\httpd.exe [2008-06-13 24635]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-16 231704]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\system32\drivers\LMIRfsDriver.sys [2008-10-11 47640]
    R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n86.sys [2006-11-02 311808]
    R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\Windows\system32\drivers\ScreamingBAudio.sys [2006-09-26 21920]
    S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdgwm.exe [ ]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;C:\Windows\system32\drivers\Ndisprot.sys [2008-10-25 29192]
    S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-10-21 87288]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e81f894-8d96-11dd-a1e0-001d0994c7b8}]
    \shell\AutoRun\command - H:\Launch.exe /run

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d5e7-6ff3-11dd-9304-001d0994c7b8}]
    \shell\AutoRun\command - F:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d67d-6ff3-11dd-9304-001d0994c7b8}]
    \shell\AutoRun\command - G:\SETUP.EXE
    \shell\configure\command - G:\SETUP.EXE
    \shell\install\command - G:\SETUP.EXE

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-3F3 - C:\Windows\temp\3F3.tmp


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Users\joe\AppData\Roaming\Mozilla\Firefox\Profiles\kzw8icdb.Joe\
    FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-26 22:14:59
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-10-26 22:16:57
    ComboFix-quarantined-files.txt 2008-10-27 04:16:21

    Pre-Run: 93,450,342,400 bytes free
    Post-Run: 93,484,691,456 bytes free

    283
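    A small triage parser, added here as an example (it is not part of the thread, nor of ComboFix or HijackThis), that scans log lines in the formats posted in this thread for the indicator classes it turned up: resolver addresses in the 85.255.112.0/24 range joeguitar found, a ComboFix service entry whose binary has no file metadata (the "Windows Tribute Service" still pointing at kdgwm.exe after the file was removed), autorun.inf at drive roots, and an IE ProxyServer value of the kind the HijackThis section of the following RSIT log shows, flagged for review. Treating the whole /24 as bad and the registry NameServer line are assumptions; the sample lines are constructed from the logs in this thread.

```python
"""Triage helper for ComboFix / HijackThis style log lines.

Added example, not part of the thread or of either tool.  Every finding is a
(kind, value, source_line) tuple so a reviewer can see what matched and why.
"""
import ipaddress
import re

# Resolver range named in the thread (85.255.112.21 and 85.255.112.*).
# Assumption: the whole /24 is treated as hostile.
BAD_DNS_NET = ipaddress.ip_network("85.255.112.0/24")

# ComboFix service/driver line: "S2 Name;Display;C:\path\file.exe [date size]".
# An empty bracket means ComboFix found no file to report date/size for.
SERVICE_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$"
)
# HijackThis R1 line carrying an Internet Explorer proxy setting.
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
# Any dotted-quad on a line that talks about DNS / NameServer settings.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# autorun.inf sitting at the root of a drive, as ComboFix listed for C:, D:, H:.
AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)


def triage(lines):
    """Return a list of (kind, value, line) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = SERVICE_RE.match(line)
        if m and not m.group("meta").strip():
            # Service registered but its binary has no metadata: orphaned
            # persistence left behind after the file itself was removed.
            findings.append(("service-no-file", m.group("name"), m.group("path")))
            continue

        m = PROXY_RE.match(line)
        if m:
            # Any system-wide proxy deserves a look on a box that had its
            # resolvers hijacked; the parser only flags it, it does not judge.
            findings.append(("proxy-set", m.group("proxy"), line))
            continue

        if AUTORUN_RE.match(line):
            findings.append(("autorun-root", line, line))
            continue

        lowered = line.lower()
        if "nameserver" in lowered or "dns" in lowered:
            for ip in IPV4_RE.findall(line):
                try:
                    if ipaddress.ip_address(ip) in BAD_DNS_NET:
                        findings.append(("dns-hijack", ip, line))
                except ValueError:
                    pass  # not a valid IPv4 address (e.g. 999.1.1.1)
    return findings


# Constructed sample: lines taken from the ComboFix and HijackThis logs in the
# thread, plus a registry NameServer line (assumed format) pairing the hostile
# resolver with a documentation-range address standing in for the ISP's.
SAMPLE_LOG = [
    r"C:\autorun.inf",
    r"D:\Autorun.inf",
    r"H:\Autorun.inf",
    r"R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-09-16 97928]",
    r"S2 Windows Tribute Service;Windows Tribute Service;C:\Windows\system32\kdgwm.exe [ ]",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.80.45.103:2301",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}\NameServer = 85.255.112.21,192.0.2.53",
]

if __name__ == "__main__":
    for kind, value, src in triage(SAMPLE_LOG):
        print(f"{kind:16} {value}")
```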
     
  6. 2008/10/26
    joeguitar

    joeguitar Inactive Thread Starter

    Joined:
    2008/10/25
    Messages:
    5
    Likes Received:
    0
    The RSIT ran extremely fast. Here is the result:
    Logfile of random's system information tool 1.04 (written by random/random)
    Run by joe at 2008-10-26 22:28:54
    Microsoft® Windows Vista™ Home Premium Service Pack 1
    System drive C: has 89 GB (39%) free of 228 GB
    Total RAM: 3069 MB (57% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:29:02 PM, on 10/26/2008
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\cmd.exe
    C:\Windows\system32\mmc.exe
    C:\Users\joe\Downloads\RSIT.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\trend micro\joe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.80.45.103:2301
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe "
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [googletalk] C:\Users\joe\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\WAMP\Apache\Apache2.2\bin\httpd.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdgwm.exe (file missing)

    --
    End of file - 7026 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
    ContributeBHO Class - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll [2008-09-10 136560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    Adobe PDF Conversion Toolbar Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
    SmartSelect Class - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]
    {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - Contribute Toolbar - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll [2008-09-10 136560]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl "=C:\Windows\RtHDVCpl.exe [2007-05-11 4452352]
    "IgfxTray "=C:\Windows\system32\igfxtray.exe [2007-09-25 141848]
    "HotKeysCmds "=C:\Windows\system32\hkcmd.exe [2007-09-25 154136]
    "Persistence "=C:\Windows\system32\igfxpers.exe [2007-09-25 129560]
    "NvSvc "=C:\Windows\system32\nvsvc.dll [2007-11-06 86016]
    "NvCplDaemon "=C:\Windows\system32\NvCpl.dll [2007-11-06 8530464]
    "NvMediaCenter "=C:\Windows\system32\NvMcTray.dll [2007-11-06 81920]
    "Adobe Reader Speed Launcher "=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
    "FileZilla Server Interface "=C:\Program Files\FileZilla Server\FileZilla Server Interface.exe [2008-07-30 942080]
    "LogMeIn GUI "=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-02-28 63048]
    "SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
    "AVG8_TRAY "=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-09-30 1234712]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe "=C:\Windows\ehome\ehTray.exe [2008-01-18 125952]
    "Steam "=c:\program files\steam\steam.exe [2008-10-09 1410296]
    "googletalk "=C:\Users\joe\AppData\Roaming\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
    "WMPNSCFG "=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-18 202240]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [2008-06-11 640376]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [2008-06-12 37232]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
    C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [2008-08-14 611712]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
    C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE [2008-08-15 378224]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-02-13 16384]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-14 1838592]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
    C:\Program Files\Microsoft LifeChat\LifeChat.exe [2008-08-21 267296]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    C:\Program Files\Skype\Phone\Skype.exe [2008-09-29 21755688]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
    C:\WAMP\Apache\Apache2.2\bin\APACHE~1.EXE [2008-06-13 41041]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Workspace Macro Pro Hotkeys.lnk]
    C:\PROGRA~1\WORKSP~1.5\WMPHOT~1.EXE [2007-03-04 65536]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
    C:\PROGRA~1\MAGICD~1\MAGICD~1.EXE [2008-07-28 575488]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MorphVOX.lnk]
    C:\Program Files\Screaming Bee\MorphVOX Pro\MorphVOX.exe []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS "= "C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\Windows\system32\igfxdev.dll [2007-09-25 204800]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1
    "EnableUIADesktopToggle "=0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives "=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun "=
    "NoDrives "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e81f894-8d96-11dd-a1e0-001d0994c7b8}]
    shell\AutoRun\command - H:\Launch.exe /run

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d5e7-6ff3-11dd-9304-001d0994c7b8}]
    shell\AutoRun\command - F:\autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d67d-6ff3-11dd-9304-001d0994c7b8}]
    shell\AutoRun\command - G:\SETUP.EXE
    shell\configure\command - G:\SETUP.EXE
    shell\install\command - G:\SETUP.EXE


    ======File associations======

    .js - open - "C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe ", "%1 "

    ======List of files/folders created in the last 3 months======

    2008-10-26 22:28:54 ----D---- C:\rsit
    2008-10-26 22:28:54 ----D---- C:\Program Files\trend micro
    2008-10-26 22:16:59 ----D---- C:\Windows\temp
    2008-10-26 22:16:58 ----A---- C:\ComboFix.txt
    2008-10-26 22:12:33 ----D---- C:\ComboFix
    2008-10-26 21:31:25 ----A---- C:\Windows\zip.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\VFIND.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\SWXCACLS.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\SWSC.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\SWREG.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\sed.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\NIRCMD.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\grep.exe
    2008-10-26 21:31:25 ----A---- C:\Windows\fdsv.exe
    2008-10-26 21:27:44 ----D---- C:\Windows\ERDNT
    2008-10-26 21:27:44 ----AD---- C:\Qoobox
    2008-10-26 00:14:18 ----A---- C:\Windows\ntbtlog.txt
    2008-10-26 00:06:04 ----D---- C:\Windows\pss
    2008-10-25 23:48:27 ----A---- C:\Windows\wininit.ini
    2008-10-25 17:38:03 ----A---- C:\Windows\system32\netapi32.dll
    2008-10-25 14:36:34 ----D---- C:\ProgramData\ALM
    2008-10-25 14:18:42 ----RA---- C:\Windows\system32\AdobePDFUI.dll
    2008-10-25 14:15:37 ----SHD---- C:\Config.Msi
    2008-10-25 14:11:01 ----D---- C:\Program Files\Adobe Media Player
    2008-10-25 14:09:53 ----D---- C:\Program Files\Common Files\Adobe AIR
    2008-10-25 12:54:49 ----A---- C:\Windows\system32\CmdLineExt.dll
    2008-10-25 12:54:07 ----A---- C:\Windows\system32\XAudio2_1.dll
    2008-10-25 12:54:07 ----A---- C:\Windows\system32\XAPOFX1_0.dll
    2008-10-25 12:54:05 ----A---- C:\Windows\system32\xactengine3_1.dll
    2008-10-25 12:54:05 ----A---- C:\Windows\system32\X3DAudio1_4.dll
    2008-10-25 12:54:05 ----A---- C:\Windows\system32\d3dx10_38.dll
    2008-10-25 12:54:05 ----A---- C:\Windows\system32\D3DCompiler_38.dll
    2008-10-25 12:54:04 ----A---- C:\Windows\system32\D3DX9_38.dll
    2008-10-25 12:45:22 ----D---- C:\Games
    2008-10-24 23:22:25 ----D---- C:\Program Files\QuickPar
    2008-10-24 22:46:14 ----D---- C:\Program Files\AltBinz
    2008-10-24 02:19:49 ----D---- C:\Program Files\Microsoft LifeChat
    2008-10-22 15:43:17 ----D---- C:\Program Files\Maxis
    2008-10-22 15:42:48 ----A---- C:\Windows\uninst.exe
    2008-10-21 23:56:44 ----A---- C:\Windows\ScUnin.exe
    2008-10-21 23:56:33 ----D---- C:\Starcraft
    2008-10-19 23:50:24 ----D---- C:\Program Files\JitBit
    2008-10-19 23:44:08 ----D---- C:\Program Files\Workspace Macro Pro 6.5
    2008-10-19 23:30:22 ----D---- C:\asdf
    2008-10-19 23:23:53 ----D---- C:\Program Files\AutoMacroRecorder
    2008-10-19 22:16:38 ----D---- C:\Users\joe\AppData\Roaming\EVEMon
    2008-10-19 22:16:35 ----D---- C:\Program Files\EVEMon
    2008-10-19 16:26:52 ----D---- C:\ProgramData\CCP
    2008-10-19 16:24:26 ----D---- C:\Program Files\CCP
    2008-10-16 19:38:30 ----D---- C:\Program Files\StarWarsGalaxies
    2008-10-15 20:27:29 ----D---- C:\ProgramData\Blizzard
    2008-10-13 16:24:36 ----D---- C:\Users\joe\AppData\Roaming\Screaming Bee
    2008-10-13 16:24:17 ----D---- C:\ProgramData\Screaming Bee
    2008-10-13 16:20:49 ----D---- C:\Program Files\Screaming Bee
    2008-10-13 16:20:49 ----D---- C:\Program Files\Common Files\Screaming Bee
    2008-10-13 13:28:29 ----D---- C:\Program Files\Xponaut
    2008-10-13 13:19:04 ----D---- C:\Users\joe\AppData\Roaming\skypePM
    2008-10-13 13:18:34 ----D---- C:\Users\joe\AppData\Roaming\Skype
    2008-10-13 13:17:25 ----D---- C:\Program Files\Skype
    2008-10-13 13:17:24 ----D---- C:\Program Files\Common Files\Skype
    2008-10-13 13:17:19 ----D---- C:\ProgramData\Skype
    2008-10-12 19:13:49 ----D---- C:\Program Files\Virtrium
    2008-10-12 16:43:44 ----D---- C:\Users\joe\AppData\Roaming\teamspeak2
    2008-10-12 16:43:27 ----D---- C:\Teamspeak
    2008-10-12 15:30:57 ----D---- C:\MMORPG
    2008-10-12 08:48:18 ----D---- C:\Program Files\Sony
    2008-10-12 06:56:26 ----D---- C:\Windows\Minidump
    2008-10-08 13:50:00 ----D---- C:\Users\joe\AppData\Roaming\SecondLife
    2008-10-08 13:33:36 ----D---- C:\Program Files\SecondLife
    2008-10-05 11:46:14 ----D---- C:\Users\joe\AppData\Roaming\Move Networks
    2008-09-30 21:48:43 ----D---- C:\ProgramData\MiKTeX
    2008-09-30 21:43:16 ----D---- C:\Program Files\MiKTeX 2.7
    2008-09-30 03:29:57 ----D---- C:\Users\joe\AppData\Roaming\Notepad++
    2008-09-30 03:29:57 ----D---- C:\Program Files\Notepad++
    2008-09-30 00:34:37 ----D---- C:\ProgramData\FLEXnet
    2008-09-30 00:06:52 ----D---- C:\Program Files\Bonjour
    2008-09-29 23:59:30 ----D---- C:\Program Files\Common Files\Macrovision Shared
    2008-09-29 22:12:13 ----D---- C:\Program Files\Macromedia
    2008-09-29 22:12:13 ----D---- C:\Program Files\Common Files\Macromedia
    2008-09-29 05:45:22 ----D---- C:\Windows\Downloaded Installations
    2008-09-25 05:06:34 ----D---- C:\NewsParser
    2008-09-24 22:43:50 ----A---- C:\html.txt
    2008-09-24 00:45:21 ----D---- C:\Program Files\glassfish-v2ur2
    2008-09-24 00:43:56 ----D---- C:\Program Files\NetBeans 6.1
    2008-09-22 00:37:13 ----HD---- C:\$AVG8.VAULT$
    2008-09-21 03:07:35 ----D---- C:\Users\joe\AppData\Roaming\Artisteer
    2008-09-21 03:06:59 ----D---- C:\Program Files\Artisteer
    2008-09-19 23:27:42 ----D---- C:\WAMP
    2008-09-18 11:53:44 ----D---- C:\Project
    2008-09-17 23:37:42 ----D---- C:\Program Files\PHP
    2008-09-17 23:34:41 ----D---- C:\Program Files\MySQL
    2008-09-16 20:42:31 ----A---- C:\Windows\system32\avgrsstx.dll
    2008-09-16 20:42:23 ----D---- C:\ProgramData\avg8
    2008-09-16 20:42:23 ----D---- C:\Program Files\AVG
    2008-09-16 18:22:36 ----D---- C:\ProgramData\Spybot - Search & Destroy
    2008-09-16 18:22:36 ----D---- C:\Program Files\Spybot - Search & Destroy
    2008-09-14 23:39:20 ----D---- C:\Program Files\Sun
    2008-09-14 23:39:15 ----A---- C:\Windows\system32\javaws.exe
    2008-09-14 23:39:15 ----A---- C:\Windows\system32\javaw.exe
    2008-09-14 23:39:15 ----A---- C:\Windows\system32\java.exe
    2008-09-11 20:38:51 ----A---- C:\Windows\vbaddin.ini
    2008-09-11 20:37:47 ----A---- C:\Windows\ODBC.INI
    2008-09-06 23:44:21 ----D---- C:\Users\joe\AppData\Roaming\SPORE Creature Creator
    2008-09-06 23:42:58 ----D---- C:\Program Files\Electronic Arts
    2008-09-06 17:51:21 ----D---- C:\Program Files\Project64 1.6
    2008-09-02 00:39:10 ----D---- C:\Users\joe\AppData\Roaming\vlc
    2008-09-02 00:32:35 ----D---- C:\Program Files\VideoLAN
    2008-08-22 16:17:00 ----D---- C:\NeverwinterNights
    2008-08-22 14:00:54 ----D---- C:\Program Files\MagicDisc
    2008-08-22 14:00:00 ----D---- C:\Program Files\MagicISO
    2008-08-21 21:41:14 ----D---- C:\Program Files\DAEMON Tools Lite
    2008-08-21 20:35:52 ----D---- C:\Users\joe\AppData\Roaming\DAEMON Tools
    2008-08-21 20:32:28 ----D---- C:\Users\joe\AppData\Roaming\Roxio
    2008-08-21 20:32:28 ----D---- C:\ProgramData\Roxio
    2008-08-20 18:55:07 ----D---- C:\Program Files\uTorrent
    2008-08-20 18:54:59 ----D---- C:\Users\joe\AppData\Roaming\uTorrent
    2008-08-17 13:52:24 ----D---- C:\Program Files\Apache Software Foundation
    2008-08-12 16:10:49 ----D---- C:\Program Files\Microsoft Silverlight
    2008-08-10 14:01:00 ----D---- C:\ProgramData\LogMeIn
    2008-08-10 14:00:55 ----A---- C:\Windows\system32\LMIRfsClientNP.dll.000.bak
    2008-08-10 14:00:55 ----A---- C:\Windows\system32\LMIRfsClientNP.dll
    2008-08-10 14:00:55 ----A---- C:\Windows\system32\LMIport.dll
    2008-08-10 14:00:51 ----A---- C:\Windows\system32\LMIinit.dll
    2008-08-10 14:00:34 ----D---- C:\Program Files\LogMeIn
    2008-08-09 21:37:17 ----D---- C:\FTP
    2008-08-09 21:25:35 ----D---- C:\Users\joe\AppData\Roaming\FileZilla
    2008-08-09 21:25:28 ----D---- C:\Program Files\FileZilla FTP Client
    2008-08-09 21:01:48 ----D---- C:\Program Files\FileZilla Server
    2008-08-06 15:56:50 ----D---- C:\Program Files\Microsoft Works
    2008-08-06 15:56:30 ----D---- C:\Program Files\Microsoft Visual Studio
    2008-08-06 15:56:30 ----D---- C:\Program Files\Common Files\DESIGNER
    2008-08-06 15:56:11 ----D---- C:\Windows\PCHEALTH
    2008-08-06 15:56:11 ----D---- C:\Program Files\Microsoft.NET
    2008-08-06 15:54:46 ----D---- C:\Program Files\Microsoft Visual Studio 8
    2008-08-06 15:54:01 ----D---- C:\ProgramData\Microsoft Help
    2008-08-06 15:54:01 ----D---- C:\Program Files\Microsoft Office
    2008-08-06 15:53:37 ----RHD---- C:\MSOCache
    2008-08-02 11:49:50 ----D---- C:\Users\joe\AppData\Roaming\DivX
    2008-07-31 10:16:54 ----A---- C:\Windows\system32\msjava.dll

    ======List of files/folders modified in the last 3 months======

    2008-10-26 22:28:54 ----RD---- C:\Program Files
    2008-10-26 22:17:01 ----D---- C:\Windows\System32
    2008-10-26 22:16:59 ----D---- C:\Windows
    2008-10-26 22:14:58 ----A---- C:\Windows\system.ini
    2008-10-26 22:13:55 ----D---- C:\Windows\system32\drivers
    2008-10-26 22:13:55 ----D---- C:\Windows\AppPatch
    2008-10-26 22:13:55 ----D---- C:\Program Files\Common Files
    2008-10-26 22:12:58 ----D---- C:\Windows\Prefetch
    2008-10-26 22:12:32 ----D---- C:\Windows\system32\en-US
    2008-10-26 21:39:55 ----D---- C:\Program Files\Steam
    2008-10-26 21:37:49 ----D---- C:\Windows\inf
    2008-10-26 21:37:49 ----A---- C:\Windows\system32\PerfStringBackup.INI
    2008-10-26 21:32:46 ----SHD---- C:\System Volume Information
    2008-10-25 17:45:55 ----D---- C:\Users\joe\AppData\Roaming\Adobe
    2008-10-25 17:38:42 ----D---- C:\Windows\SoftwareDistribution
    2008-10-25 17:38:36 ----D---- C:\Windows\winsxs
    2008-10-25 17:38:32 ----D---- C:\Windows\system32\catroot
    2008-10-25 17:35:09 ----D---- C:\Windows\Logs
    2008-10-25 17:20:29 ----D---- C:\World of Warcraft
    2008-10-25 14:43:27 ----SHD---- C:\Windows\Installer
    2008-10-25 14:42:22 ----D---- C:\Program Files\Common Files\Adobe
    2008-10-25 14:40:50 ----D---- C:\Program Files\Adobe
    2008-10-25 14:36:34 ----HD---- C:\ProgramData
    2008-10-25 14:31:07 ----D---- C:\Program Files\Common Files\PX Storage Engine
    2008-10-25 14:19:41 ----D---- C:\ProgramData\Adobe
    2008-10-25 14:16:26 ----RSD---- C:\Windows\Fonts
    2008-10-25 12:52:04 ----RSD---- C:\Windows\assembly
    2008-10-25 12:45:55 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-10-25 12:23:58 ----D---- C:\Program Files\Common Files\Steam
    2008-10-24 02:19:50 ----D---- C:\Windows\system32\Tasks
    2008-10-19 23:30:26 ----SD---- C:\Users\joe\AppData\Roaming\Microsoft
    2008-10-19 23:30:26 ----SD---- C:\ProgramData\Microsoft
    2008-10-19 23:30:13 ----D---- C:\Program Files\AutoHotkey
    2008-10-17 14:02:05 ----A---- C:\Windows\system32\lmimirr2.dll
    2008-10-17 14:02:04 ----A---- C:\Windows\system32\lmimirr.dll
    2008-10-15 20:27:34 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
    2008-10-15 17:27:04 ----D---- C:\Program Files\Mozilla Firefox
    2008-10-13 13:38:50 ----D---- C:\Program Files\Common Files\microsoft shared
    2008-10-13 13:28:57 ----D---- C:\Windows\system32\catroot2
    2008-09-29 05:54:21 ----D---- C:\Program Files\Common Files\InstallShield
    2008-09-19 16:35:31 ----D---- C:\Users\joe\AppData\Roaming\Google
    2008-09-18 17:29:13 ----D---- C:\Windows\ShellNew
    2008-09-14 23:39:15 ----D---- C:\Program Files\Java
    2008-09-09 22:26:57 ----D---- C:\Program Files\DivX
    2008-09-01 00:52:02 ----D---- C:\Windows\system32\WDI
    2008-08-22 16:17:54 ----D---- C:\Windows\system32\LogFiles
    2008-08-07 21:43:46 ----D---- C:\Users\joe\AppData\Roaming\Mozilla
    2008-08-06 15:56:39 ----D---- C:\Program Files\MSBuild
    2008-08-06 15:54:32 ----A---- C:\Windows\win.ini
    2008-08-06 15:54:31 ----D---- C:\Program Files\Common Files\System
    2008-08-01 23:12:26 ----D---- C:\wmdownloads

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2008-09-16 97928]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2008-09-16 26824]
    R2 adfs;adfs; C:\Windows\system32\drivers\adfs.sys [2008-08-14 74720]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\Windows\system32\drivers\LMIRfsDriver.sys [2008-10-11 47640]
    R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-04-29 228224]
    R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-05-11 1773536]
    R3 lmimirr;lmimirr; C:\Windows\system32\DRIVERS\lmimirr.sys [2008-02-28 10144]
    R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\Windows\system32\DRIVERS\mcdbus.sys [2008-07-28 116736]
    R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-11-06 8230496]
    R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver; C:\Windows\system32\DRIVERS\RTL85n86.sys [2006-11-02 311808]
    R3 SCREAMINGBDRIVER;Screaming Bee Audio; C:\Windows\system32\drivers\ScreamingBAudio.sys [2006-09-26 21920]
    S2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    S3 aolw2eyj;aolw2eyj; C:\Windows\system32\drivers\aolw2eyj.sys []
    S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
    S3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-25 1899008]
    S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
    S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
    S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
    S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
    S3 Ndisprot;ArcNet NDIS Protocol Driver; \??\C:\Windows\system32\drivers\Ndisprot.sys [2008-10-25 29192]
    S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
    S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-18 73088]
    S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
    S3 Xponaut_WBD;Xponaut WaveBridge Device (WDM); C:\Windows\system32\drivers\xpntwbd.sys [2007-01-19 13184]
    S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2007-04-26 304920]
    S4 LMIRfsClientNP;LMIRfsClientNP; C:\Windows\system32\drivers\LMIRfsClientNP.sys []
    S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-04-14 11264]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Apache2.2;Apache2.2; C:\WAMP\Apache\Apache2.2\bin\httpd.exe [2008-06-13 24635]
    R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-16 231704]
    R2 FileZilla Server;FileZilla Server FTP server; C:\Program Files\FileZilla Server\FileZilla Server.exe [2008-07-30 587776]
    S2 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-17 116032]
    S2 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-02-28 63040]
    S2 Windows Tribute Service;Windows Tribute Service; C:\Windows\system32\kdgwm.exe -srv []
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
    S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-25 655624]
    S3 GoogleDesktopManager;GoogleDesktopManager; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-04-14 1838592]
    S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
    S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2008-10-21 87288]
    S4 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
    S4 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL []
    S4 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-12-02 74384]

    -----------------EOF-----------------
     
  7. 2008/10/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Extra::
    File::
    C:\Windows\System32\drivers\ndisprot.sys
    Driver::
    Windows Tribute Service
    Ndisprot
    aolw2eyj
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d5e7-6ff3-11dd-9304-001d0994c7b8}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
     
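    The CFScript above singles out four things from the logs posted earlier: a service with an unknown owner whose binary is reported missing, two drivers whose files carry no date or size, a driver dated the day the infection started, and a removable-drive AutoRun mount point. The following is an added triage example, not part of this thread or of ComboFix, that runs those same checks over a handful of lines copied from the HijackThis and RSIT logs above (the sample is constructed from those lines; the incident date is taken from the thread's first post).

```python
import re
from datetime import date
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis and RSIT logs posted
# earlier in this thread, plus one clean line of each kind for contrast.
SAMPLE_LOG = r"""
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Windows Tribute Service - Unknown owner - C:\Windows\system32\kdgwm.exe (file missing)
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2008-09-16 97928]
S3 aolw2eyj;aolw2eyj; C:\Windows\system32\drivers\aolw2eyj.sys []
S3 Ndisprot;ArcNet NDIS Protocol Driver; \??\C:\Windows\system32\drivers\Ndisprot.sys [2008-10-25 29192]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S2 Windows Tribute Service;Windows Tribute Service; C:\Windows\system32\kdgwm.exe -srv []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7dc5d5e7-6ff3-11dd-9304-001d0994c7b8}]
shell\AutoRun\command - F:\autorun.exe
"""

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# RSIT driver/service line: "<R|S><0-4> <name>;<description>; <path> [<date> <size>]"
# RSIT writes an empty "[]" when it could not stat the file on disk.
RSIT_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)

# mountpoints2 entries: "shell\AutoRun\command - <command>"
AUTORUN_RE = re.compile(r"^shell\\(?:AutoRun|install|configure)\\command - (?P<cmd>.+)$")


def triage_log(text: str, incident_date: str) -> Dict[str, List[str]]:
    """Group log entries by the reason a reviewer would want a second look.

    incident_date is an ISO date (YYYY-MM-DD); drivers and services whose
    file is dated on or after it are listed under 'new_since_incident'.
    """
    since = date.fromisoformat(incident_date)
    findings: Dict[str, List[str]] = {
        "unknown_owner_or_missing": [],  # O23 service with no vendor or no binary
        "no_file_metadata": [],          # RSIT entry whose file could not be stat'ed
        "new_since_incident": [],        # file dated on/after the incident date
        "autorun": [],                   # AutoRun/install commands on removable media
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner" or m["path"].endswith("(file missing)"):
                findings["unknown_owner_or_missing"].append(m["name"])
            continue

        m = RSIT_RE.match(line)
        if m:
            meta = m["meta"].strip()
            if not meta:
                findings["no_file_metadata"].append(m["name"])
            else:
                # First token of the metadata is the file's ISO date, second its size.
                file_date = date.fromisoformat(meta.split()[0])
                if file_date >= since:
                    findings["new_since_incident"].append(m["name"])
            continue

        m = AUTORUN_RE.match(line)
        if m:
            findings["autorun"].append(m["cmd"])

    return findings


if __name__ == "__main__":
    for reason, names in triage_log(SAMPLE_LOG, "2008-10-25").items():
        print(f"{reason}: {names}")
```

    Every hit is a queue for a human, not a verdict: in the full log above the same "no file metadata" rule also catches ComboFix's own catchme.sys and LogMeIn's LMIRfsClientNP, and the date rule would catch legitimately updated files such as the FLEXnet service binary. What makes the entries in the CFScript stand out is that several rules agree on them (Windows Tribute Service has no owner, no binary and a self-named description; aolw2eyj has no file and a random-looking name), which is the kind of correlation an analyst does by hand when reading such a log.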
  8. 2008/10/31
    joeguitar

    joeguitar Inactive Thread Starter

    Joined:
    2008/10/25
    Messages:
    5
    Likes Received:
    0
    OK, I did as you asked. I created a new text file, copied the text from your code into the text file, then I dragged and dropped the text file into ComboFix.exe

    I tried this quite a few times, it wouldn't finish.

    After it was done with what looked like backing up my system registry, nothing else would visibly happen. I would just be looking at my desktop. Then after about 5 minutes, explorer closed so all I saw was my background. After about 5 minutes, I got a blue screen (BSOD) and my machine rebooted itself. When booting up, Windows ran a system repair. It asked me if I wanted to use a restore point, I answered no, and it booted up fine. I still have my Windows Tribute Service on the machine, although it is not started (I don't know if that makes a difference). The first time I ran ComboFix (before you gave me the text file) it did the same thing, although I restarted manually before the BSOD. I then shut down all processes and it was successful. This time I shut down all processes except csrss.exe, explorer.exe, winlogon.exe, and dwm.exe.

    Thanks in advance for your help on this complicated issue.
     
  9. 2008/11/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please create another CFScript as shown above, then start the machine in safe mode and logon to your account. Rename ComboFix to something else, such as fixme.exe, then drag-n-drop the script onto the ComboFix icon.
    Allow ComboFix to run as described above and restart the machine if it needs to. Post the log that opens when ComboFix has completed.
     
