
Active Microsoft download blocked Google links hijacked.

Discussion in 'Malware and Virus Removal Archive' started by kerbdog, 2008/12/06.

  1. 2008/12/10
    kerbdog (Thread Starter)
    When I type cmd it says Windows cannot find the file. I also tried deleting the files in the folder for Windows Update; they won't delete, and it still says the same thing when I erase with an erasing program.
    Last edited: 2008/12/10
  2. 2008/12/10
    noahdfear
    Please navigate to the following folder (*** = random numbers)

    C:\Windows\winsxs\x86_microsoft-windows-commandprompt_****_****_none_****

    Inside you will find cmd.exe
    Copy it and paste a copy into the C:\Windows\System32 folder

  4. 2008/12/11
    kerbdog (Thread Starter)
    For some reason I cannot copy a file or delete it if it needs admin approval, like the NTBTLOG and the windowsupdate folder.
  5. 2008/12/11
    noahdfear
    Please double click the cmd.exe file located in that folder. Let me know if the command window opens. Leave it open for now if it does.
  6. 2008/12/11
    kerbdog (Thread Starter)
    OK, I moved it from the cmd prompt. I was able to run ComboFix now that I have cmd. Here is the log file:

    ComboFix 08-12-09.03 - Admin 2008-12-11 1:30:08.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.250 [GMT -5:00]
    Running from: c:\users\Admin\Desktop\ou812.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\x64
    D:\resycled
    d:\resycled\boot.com

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
    .

    2008-12-11 01:05 . 2006-11-02 04:44 320,000 --a------ c:\windows\System32\cmd.exe
    2008-12-10 01:44 . 2008-12-10 01:44 <DIR> d-------- c:\program files\JPSoft
    2008-12-10 01:42 . 2008-12-10 01:42 <DIR> d-------- c:\users\Admin\AppData\Roaming\JP Software
    2008-12-06 03:31 . 2008-12-06 03:32 <DIR> d-------- c:\windows\BDOSCAN8
    2008-12-06 00:34 . 2008-12-06 00:34 <DIR> d-------- C:\rsit
    2008-12-06 00:34 . 2008-12-06 00:34 510 --a------ c:\windows\WORDPAD.INI
    2008-12-05 23:56 . 2008-12-05 23:56 <DIR> d-------- c:\users\Admin\AppData\Roaming\Malwarebytes
    2008-12-05 23:56 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
    2008-12-05 23:55 . 2008-12-05 23:55 <DIR> d-------- c:\users\All Users\Malwarebytes
    2008-12-05 23:55 . 2008-12-05 23:55 <DIR> d-------- c:\programdata\Malwarebytes
    2008-12-05 23:55 . 2008-12-05 23:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 23:55 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
    2008-12-05 23:02 . 2008-12-05 23:02 <DIR> d-------- c:\windows\Sun
    2008-12-05 12:33 . 2008-12-05 12:33 <DIR> d-------- c:\users\Admin\AppData\Roaming\TuneUp Software
    2008-12-05 12:28 . 2008-12-05 12:28 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-11-29 20:59 . 2008-11-29 20:59 29,184 --a------ c:\windows\System32\drivers\ndisprot.sys
    2008-11-29 17:58 . 2008-11-29 17:58 <DIR> d-------- c:\program files\AnvSoft Photo Flash Maker Professional
    2008-11-28 21:07 . 2008-11-28 21:07 <DIR> d-------- c:\program files\AL-Software
    2008-11-28 20:51 . 2008-11-28 20:57 <DIR> d-------- c:\program files\Blaze Media Pro
    2008-11-28 20:48 . 2008-11-28 21:05 <DIR> d-------- c:\users\All Users\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}
    2008-11-28 20:48 . 2008-11-28 21:05 <DIR> d-------- c:\programdata\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}
    2008-11-26 16:58 . 2008-11-10 05:43 410,984 --a------ c:\windows\System32\deploytk.dll
    2008-11-25 23:08 . 2008-12-05 23:27 <DIR> d-------- c:\users\Admin\AppData\Roaming\MxBoost
    2008-11-25 23:07 . 2008-11-25 23:09 <DIR> d-------- c:\users\Admin\AppData\Roaming\Maxthon2
    2008-11-24 20:43 . 2008-11-24 20:43 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\users\All Users\NOS
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\programdata\NOS
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\program files\NOS
    2008-11-22 18:28 . 2008-11-22 18:28 <DIR> d-------- c:\program files\DivX
    2008-11-19 17:41 . 2008-11-19 17:41 <DIR> d-------- c:\users\All Users\AOL Downloads
    2008-11-19 17:41 . 2008-11-19 17:41 <DIR> d-------- c:\programdata\AOL Downloads

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-10 22:52 --------- d-----w c:\users\Admin\AppData\Roaming\Vista Start Menu
    2008-12-10 18:14 --------- d-----w c:\programdata\Google Updater
    2008-12-06 03:46 --------- d-----w c:\program files\Java
    2008-11-30 01:43 --------- d-----w c:\program files\Vista Start Menu
    2008-11-26 17:17 51,792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
    2008-11-25 02:51 --------- d-----w c:\users\Admin\AppData\Roaming\uTorrent
    2008-11-25 02:00 --------- d-----w c:\programdata\CanonIJPLM
    2008-11-25 01:41 --------- d-----w c:\program files\Common Files\Adobe
    2008-11-21 19:12 --------- d-----w c:\program files\AIM6
    2008-11-19 22:44 --------- d-----w c:\programdata\Viewpoint
    2008-11-10 22:25 --------- d-----w c:\program files\TVersity Codec Pack
    2008-11-10 22:25 --------- d-----w c:\program files\ffdshow
    2008-11-10 22:23 --------- d-----w c:\program files\TVersity
    2008-11-09 19:15 --------- d-----w c:\users\Admin\AppData\Roaming\PCF-VLC
    2008-11-09 19:11 --------- d-----w c:\users\Admin\AppData\Roaming\Participatory Culture Foundation
    2008-11-09 02:37 --------- d-----w c:\program files\Participatory Culture Foundation
    2008-11-09 02:28 --------- d-----w c:\program files\mytvpal-revolution-player
    2008-11-05 04:45 --------- d-----w c:\programdata\VMware
    2008-11-04 22:08 --------- d-----w c:\program files\Ashampoo
    2008-11-04 21:24 --------- d---a-w c:\programdata\TEMP
    2008-11-03 03:49 --------- d-----w c:\programdata\TVU Networks
    2008-11-03 03:25 --------- d-----w c:\program files\TVUPlayer
    2008-11-02 23:07 --------- d-----w c:\program files\Windows Mail
    2008-11-02 16:45 --------- d-----w c:\program files\Super Internet TV
    2008-11-02 16:43 2,681,969 ----a-w c:\windows\Super Internet TV v7.3 Setup.exe
    2008-11-01 22:34 --------- d-----w c:\users\Admin\AppData\Roaming\Canon
    2008-10-31 18:55 --------- d-----w c:\users\Admin\AppData\Roaming\VMware
    2008-10-31 15:51 --------- d-----w c:\program files\Paint.NET
    2008-10-31 05:21 --------- d-----w c:\users\Admin\AppData\Roaming\Lala Music Mover
    2008-10-31 05:19 --------- d-----w c:\program files\Lala.com
    2008-10-28 03:28 --------- d-----w c:\program files\Windows Mobile Feb. 2008 DST Updates
    2008-10-22 20:03 --------- d-----w c:\program files\Microsoft Silverlight
    2008-10-22 01:26 --------- d-----w c:\program files\Wizard Service Tool
    2008-10-17 20:28 799,984 ----a-w c:\windows\System32\cddbcontrol.dll
    2008-10-17 20:28 632,048 ----a-w c:\windows\System32\cddbmusicid.dll
    2008-10-17 20:28 316,656 ----a-w c:\windows\System32\cddblink.dll
    2008-10-15 04:03 --------- d-----w c:\program files\Google
    2008-10-11 17:02 --------- d-----w c:\users\Admin\AppData\Roaming\MP3Rocket
    2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
    2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
    2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
    2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
    2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
    2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
    2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
    2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
    2008-08-09 22:50 174 --sha-w c:\program files\desktop.ini
    2008-01-29 05:17 2,383,872 ----a-w c:\users\Admin\cursorxp_free.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "VistaStartMenu "= "c:\program files\Vista Start Menu\VistaStartMenu.exe" [2008-10-08 2145792]
    "CursorXP "= "c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
    "Aim6 "= "c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LManager "= "c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-27 618496]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "eDataSecurity Loader "= "c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-02 464168]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "Windows Mobile Device Center "= "c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "RtHDVCpl "= "RtHDVCpl.exe" [2006-12-28 c:\windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=eNetHook.dll

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    backup=c:\windows\pss\Empowering Technology Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    --a------ 2007-04-03 20:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    --a------ 2007-05-14 20:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    --a------ 2006-09-28 14:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2007-02-04 12:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-01-20 02:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{B6245B22-1A0D-4725-AF73-E7454EBA5B5F} "= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{D3BF5123-53C7-4B8F-A0D7-5A81C8F33A90} "= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{B0F0B3E0-8599-4025-A2EC-D3C97F35C288} "= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{935B65F2-7E0B-495F-84C2-0FC0DC9379ED} "= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{BA3635C3-9B6F-4844-921A-FADAA16D4B23}c:\\program files\\java\\jre1.6.0_01\\bin\\javaw.exe "= UDP:c:\program files\java\jre1.6.0_01\bin\javaw.exe:Java(TM) Platform SE binary
    "UDP Query User{9D2F8BDC-EC84-425B-BE6D-D69FEFEF97ED}c:\\program files\\java\\jre1.6.0_01\\bin\\javaw.exe "= TCP:c:\program files\java\jre1.6.0_01\bin\javaw.exe:Java(TM) Platform SE binary
    "TCP Query User{1323B2ED-40A0-474C-B18D-BF98F9388C5B}c:\\program files\\bitlord2\\bitlord.exe "= UDP:c:\program files\bitlord2\bitlord.exe:
    "UDP Query User{CB04E4A8-5DC4-497D-A165-1FBBC0DC6379}c:\\program files\\bitlord2\\bitlord.exe "= TCP:c:\program files\bitlord2\bitlord.exe:
    "TCP Query User{4AEEE9A4-BCFC-4452-A014-0A127AF48801}c:\\program files\\streammygame\\streamer_server.exe "= UDP:c:\program files\streammygame\streamer_server.exe:Streamer Server
    "UDP Query User{0C259AE2-8498-4761-9DD9-6F443BD70B61}c:\\program files\\streammygame\\streamer_server.exe "= TCP:c:\program files\streammygame\streamer_server.exe:Streamer Server
    "{E4B25A2A-0164-47B2-B0EA-412021E16AE8} "= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{6FE19D60-D611-4015-B3E1-8A56F72A4EF7} "= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{9C97536C-3FF7-4A1B-98BB-005EEE5D514E}c:\\program files\\bitlord2\\bitlord.exe "= UDP:c:\program files\bitlord2\bitlord.exe:
    "UDP Query User{2CC71393-4385-466D-9EBE-B3B09E2BE831}c:\\program files\\bitlord2\\bitlord.exe "= TCP:c:\program files\bitlord2\bitlord.exe:
    "{4F977E94-13D0-4470-B133-E330304C0781} "= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{B1ECE1BE-DF67-478D-98D5-F13070B61438} "= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{5155CA16-7FD7-4605-B6A9-13E2BB6F7A07} "= UDP:c:\program files\AIM6\aim6.exe:AIM
    "{D7A0E564-CB0C-42B6-84D3-662BDD341962} "= TCP:c:\program files\AIM6\aim6.exe:AIM
    "{0EFDCD0C-9F88-464E-B034-ABD0ACC8F6F4} "= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
    "{9D8DEEB9-343C-468E-8DB0-EF9DD8543B00} "= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
    "{91F2131F-4B77-4E88-9895-67E5ED5AF6C5} "= UDP:5900:vnc
    "TCP Query User{153A6BBB-B9B6-49D5-A17F-B4194DB7258A}c:\\program files\\realvnc\\vnc4\\winvnc4.exe "= UDP:c:\program files\realvnc\vnc4\winvnc4.exe:VNC Server Free Edition for Win32
    "UDP Query User{E80B427D-431C-4A45-9121-3F4F8A30A4C0}c:\\program files\\realvnc\\vnc4\\winvnc4.exe "= TCP:c:\program files\realvnc\vnc4\winvnc4.exe:VNC Server Free Edition for Win32
    "{CCAE817B-EF7D-49B8-B189-F54ECEA68F76} "= UDP:6346:gnutella
    "{10225C4C-1A10-476A-BDA6-944A903D3A80} "= UDP:c:\program files\MP3 Rocket\MP3RocketLauncher.exe:MP3RocketLauncher
    "{73BC889C-F45E-4072-B9CC-F90E445A7724} "= TCP:c:\program files\MP3 Rocket\MP3RocketLauncher.exe:MP3RocketLauncher
    "{532AD6EA-AAA4-4BC2-8044-1881A4C3D7F7} "= UDP:c:\program files\MP3 Rocket\MP3Rocket.exe:MP3Rocket
    "{05A00019-B2DD-4510-87E5-FE47BF34942A} "= TCP:c:\program files\MP3 Rocket\MP3Rocket.exe:MP3Rocket
    "TCP Query User{F191B709-41BE-445D-A662-647AE7616616}c:\\program files\\tvuplayer\\tvuplayer.exe "= UDP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
    "UDP Query User{8AAB39C1-967E-4940-B5DD-AC9A6027FEE6}c:\\program files\\tvuplayer\\tvuplayer.exe "= TCP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-02 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-01-27 51792]
    R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-06-04 143467]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-05-27 24652]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
    S3 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2008-11-04 749400]
    S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-07-23 16896]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-29 29184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f65fc5-1980-11dd-8682-0016d4610af5}]
    \shell\AutoRun\command - F:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ff16ec2-69d1-11dd-9d6d-000d180122b4}]
    \shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Info.exe protect.ed 480 480
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-06 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

    2008-11-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2008-10-25 09:12]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    MSConfigStartUp-BtTray - c:\program files\IVT Corporation\BlueSoleil\BtTray.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://global.acer.com
    uInternet Settings,ProxyOverride = *.local
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    FireFox -: Profile - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7r1b8bdm.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://raleigh.craigslist.org/
    FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
    FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\nplalaDl.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF -: plugin - c:\users\Admin\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
    FF -: plugin - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7r1b8bdm.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF -: plugin - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7r1b8bdm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-11 01:45:22
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(1292)
    c:\windows\system32\MsnChatHook.dll
    c:\windows\system32\sysenv.dll
    c:\windows\system32\ShowErrMsg.dll
    c:\program files\Vista Start Menu\VistaStartMenu.dll
    c:\windows\system32\BsMobileSDK.dll
    c:\windows\system32\BsLangInDepRes.dll
    c:\windows\system32\Bs2Res.dll
    c:\program files\CursorXP\CurXP0.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\audiodg.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
    c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
    c:\acer\Empowering Technology\eNet\eNet Service.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\Canon\IJPLM\ijplmsvc.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files\TVersity\Media Server\MediaServer.exe
    c:\program files\RealVNC\VNC4\winvnc4.exe
    c:\acer\Empowering Technology\ePower\ePowerSvc.exe
    c:\windows\System32\drivers\XAudio.exe
    c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
    c:\windows\System32\WUDFHost.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
    c:\program files\Launch Manager\LManager.exe
    c:\program files\Alwil Software\Avast4\ashDisp.exe
    c:\windows\System32\igfxsrvc.exe
    c:\users\Admin\AppData\Local\Temp\RtkBtMnt.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\windows\System32\igfxext.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-11 1:54:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-11 06:53:40

    Pre-Run: 17,915,252,736 bytes free
    Post-Run: 17,784,578,048 bytes free

    296
  7. 2008/12/11
    noahdfear
    Great! :)

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\system32\drivers\Ndisprot.sys
    Driver::
    Ndisprot
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ff16ec2-69d1-11dd-9d6d-000d180122b4}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
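As an added, read-only check (example code written for this edit, not from the thread, from ComboFix or from any of its authors): list the per-volume entries under the current user's MountPoints2 key that carry a shell\AutoRun\command value, which is the kind of entry the Registry:: line above removes. The function name and the rundll32/ShellExec_RunDLL review heuristic are assumptions based on the entries shown in the log.

```powershell
# Added example, not from the thread: audit HKCU MountPoints2 for per-volume
# AutoRun commands of the kind the CFScript above removes. Read-only; it
# reports entries and changes nothing.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRun {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = Join-Path -Path $_.PSPath -ChildPath 'shell\AutoRun\command'
        if (Test-Path -Path $cmdKey) {
            # The key's default value is the command line Explorer would launch
            # when the volume is opened from its AutoRun entry.
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [PSCustomObject]@{
                Volume  = $_.PSChildName   # {GUID} or drive name of the volume
                Command = $cmd
                # Assumed review heuristic: rundll32/ShellExec_RunDLL launchers,
                # as with the F:\Info.exe entry in the log above, deserve a closer look.
                Review  = [bool]($cmd -match 'ShellExec_RunDLL|rundll32')
            }
        }
    }
}

Get-MountPointAutoRun | Format-Table -AutoSize
```

Entries flagged for review are candidates for the same [-HKEY_CURRENT_USER\...\mountpoints2\{GUID}] removal line shown in the CFScript, after confirming the referenced executable is not a legitimate launcher.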
  8. 2008/12/11
    IuliusAugustus
    Try searching for CMD.exe or COMMAND.com.

    Also, try to create another user and log on as that user, because much malware deletes some registry keys that are almost impossible to undo (unless you have a full registry backup).
  9. 2008/12/12
    kerbdog (Thread Starter)
    Here is the log file for the script scan:

    ComboFix 08-12-11.04 - Admin 2008-12-12 20:24:07.3 - NTFSx86
    Running from: c:\users\Admin\Desktop\ou812.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\windows\system32\drivers\Ndisprot.sys

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NDISPROT
    -------\Service_Ndisprot


    ((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
    .

    2008-12-12 20:22 . 2008-12-12 20:22 <DIR> d-------- C:\32788R22FWJFW
    2008-12-12 20:22 . 2008-12-12 20:22 6,736 --a------ c:\windows\System32\drivers\PROCEXP90.SYS
    2008-12-11 01:05 . 2006-11-02 04:44 320,000 --a------ c:\windows\System32\cmd.exe
    2008-12-10 01:44 . 2008-12-10 01:44 <DIR> d-------- c:\program files\JPSoft
    2008-12-10 01:42 . 2008-12-10 01:42 <DIR> d-------- c:\users\Admin\AppData\Roaming\JP Software
    2008-12-06 03:31 . 2008-12-06 03:32 <DIR> d-------- c:\windows\BDOSCAN8
    2008-12-06 00:34 . 2008-12-06 00:34 <DIR> d-------- C:\rsit
    2008-12-06 00:34 . 2008-12-06 00:34 510 --a------ c:\windows\WORDPAD.INI
    2008-12-05 23:56 . 2008-12-05 23:56 <DIR> d-------- c:\users\Admin\AppData\Roaming\Malwarebytes
    2008-12-05 23:56 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
    2008-12-05 23:55 . 2008-12-05 23:55 <DIR> d-------- c:\users\All Users\Malwarebytes
    2008-12-05 23:55 . 2008-12-05 23:55 <DIR> d-------- c:\programdata\Malwarebytes
    2008-12-05 23:55 . 2008-12-05 23:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 23:55 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
    2008-12-05 23:02 . 2008-12-05 23:02 <DIR> d-------- c:\windows\Sun
    2008-12-05 12:33 . 2008-12-05 12:33 <DIR> d-------- c:\users\Admin\AppData\Roaming\TuneUp Software
    2008-12-05 12:28 . 2008-12-05 12:28 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2008-11-29 17:58 . 2008-11-29 17:58 <DIR> d-------- c:\program files\AnvSoft Photo Flash Maker Professional
    2008-11-28 21:07 . 2008-11-28 21:07 <DIR> d-------- c:\program files\AL-Software
    2008-11-28 20:51 . 2008-11-28 20:57 <DIR> d-------- c:\program files\Blaze Media Pro
    2008-11-28 20:48 . 2008-11-28 21:05 <DIR> d-------- c:\users\All Users\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}
    2008-11-28 20:48 . 2008-11-28 21:05 <DIR> d-------- c:\programdata\{1A5B87F2-2D79-46CF-B9B6-209E9C84F7A4}
    2008-11-26 16:58 . 2008-11-10 05:43 410,984 --a------ c:\windows\System32\deploytk.dll
    2008-11-25 23:08 . 2008-12-05 23:27 <DIR> d-------- c:\users\Admin\AppData\Roaming\MxBoost
    2008-11-25 23:07 . 2008-11-25 23:09 <DIR> d-------- c:\users\Admin\AppData\Roaming\Maxthon2
    2008-11-24 20:43 . 2008-11-24 20:43 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\users\All Users\NOS
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\programdata\NOS
    2008-11-24 20:36 . 2008-11-24 20:58 <DIR> d-------- c:\program files\NOS
    2008-11-22 18:28 . 2008-11-22 18:28 <DIR> d-------- c:\program files\DivX
    2008-11-19 17:41 . 2008-11-19 17:41 <DIR> d-------- c:\users\All Users\AOL Downloads
    2008-11-19 17:41 . 2008-11-19 17:41 <DIR> d-------- c:\programdata\AOL Downloads

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-12 20:16 --------- d-----w c:\programdata\Google Updater
    2008-12-10 22:52 --------- d-----w c:\users\Admin\AppData\Roaming\Vista Start Menu
    2008-12-06 03:46 --------- d-----w c:\program files\Java
    2008-11-30 01:43 --------- d-----w c:\program files\Vista Start Menu
    2008-11-26 17:17 51,792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
    2008-11-25 02:51 --------- d-----w c:\users\Admin\AppData\Roaming\uTorrent
    2008-11-25 02:00 --------- d-----w c:\programdata\CanonIJPLM
    2008-11-25 01:41 --------- d-----w c:\program files\Common Files\Adobe
    2008-11-21 19:12 --------- d-----w c:\program files\AIM6
    2008-11-19 22:44 --------- d-----w c:\programdata\Viewpoint
    2008-11-10 22:25 --------- d-----w c:\program files\TVersity Codec Pack
    2008-11-10 22:25 --------- d-----w c:\program files\ffdshow
    2008-11-10 22:23 --------- d-----w c:\program files\TVersity
    2008-11-09 19:15 --------- d-----w c:\users\Admin\AppData\Roaming\PCF-VLC
    2008-11-09 19:11 --------- d-----w c:\users\Admin\AppData\Roaming\Participatory Culture Foundation
    2008-11-09 02:37 --------- d-----w c:\program files\Participatory Culture Foundation
    2008-11-09 02:28 --------- d-----w c:\program files\mytvpal-revolution-player
    2008-11-05 04:45 --------- d-----w c:\programdata\VMware
    2008-11-04 22:08 --------- d-----w c:\program files\Ashampoo
    2008-11-04 21:24 --------- d---a-w c:\programdata\TEMP
    2008-11-03 03:49 --------- d-----w c:\programdata\TVU Networks
    2008-11-03 03:25 --------- d-----w c:\program files\TVUPlayer
    2008-11-02 23:07 --------- d-----w c:\program files\Windows Mail
    2008-11-02 16:45 --------- d-----w c:\program files\Super Internet TV
    2008-11-02 16:43 2,681,969 ----a-w c:\windows\Super Internet TV v7.3 Setup.exe
    2008-11-01 22:34 --------- d-----w c:\users\Admin\AppData\Roaming\Canon
    2008-10-31 18:55 --------- d-----w c:\users\Admin\AppData\Roaming\VMware
    2008-10-31 15:51 --------- d-----w c:\program files\Paint.NET
    2008-10-31 05:21 --------- d-----w c:\users\Admin\AppData\Roaming\Lala Music Mover
    2008-10-31 05:19 --------- d-----w c:\program files\Lala.com
    2008-10-28 03:28 --------- d-----w c:\program files\Windows Mobile Feb. 2008 DST Updates
    2008-10-22 20:03 --------- d-----w c:\program files\Microsoft Silverlight
    2008-10-22 01:26 --------- d-----w c:\program files\Wizard Service Tool
    2008-10-17 20:28 799,984 ----a-w c:\windows\System32\cddbcontrol.dll
    2008-10-17 20:28 632,048 ----a-w c:\windows\System32\cddbmusicid.dll
    2008-10-17 20:28 316,656 ----a-w c:\windows\System32\cddblink.dll
    2008-10-15 04:03 --------- d-----w c:\program files\Google
    2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
    2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
    2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
    2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
    2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
    2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
    2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
    2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
    2008-08-09 22:50 174 --sha-w c:\program files\desktop.ini
    2008-01-29 05:17 2,383,872 ----a-w c:\users\Admin\cursorxp_free.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-12-11_ 1.51.47.36 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-12-11 06:43:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-12-12 05:54:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2008-12-11 06:43:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2008-12-12 05:54:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2008-12-11 06:46:03 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2008-12-12 05:57:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2008-12-11 06:46:44 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2008-12-13 01:34:45 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2008-12-11 06:45:51 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-12-12 05:54:43 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-12-11 06:45:51 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-12-12 05:54:43 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-12-11 06:45:51 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-12-12 05:54:43 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-12-11 06:29:39 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    + 2008-12-13 01:23:51 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    - 2008-12-10 22:46:25 101,350 ----a-w c:\windows\System32\perfc009.dat
    + 2008-12-12 06:01:25 101,350 ----a-w c:\windows\System32\perfc009.dat
    - 2008-12-10 22:46:25 595,684 ----a-w c:\windows\System32\perfh009.dat
    + 2008-12-12 06:01:25 595,684 ----a-w c:\windows\System32\perfh009.dat
    - 2008-12-11 06:46:06 8,422 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-785006102-2465436495-2154529176-1000_UserData.bin
    + 2008-12-12 05:56:37 8,550 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-785006102-2465436495-2154529176-1000_UserData.bin
    - 2008-12-11 06:46:03 72,070 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-12-12 05:56:37 72,132 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-12-11 06:42:05 3,732 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    + 2008-12-12 05:52:57 3,732 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
    "VistaStartMenu"="c:\program files\Vista Start Menu\VistaStartMenu.exe" [2008-10-08 2145792]
    "CursorXP"="c:\program files\CursorXP\CursorXP.exe" [2005-01-19 128000]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-27 618496]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-02 464168]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "RtHDVCpl"="RtHDVCpl.exe" [2006-12-28 c:\windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=eNetHook.dll

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    backup=c:\windows\pss\Empowering Technology Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    --a------ 2007-04-03 20:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    --a------ 2007-05-14 20:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
    --a------ 2006-09-28 14:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2007-02-04 12:02 79400 c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-01-20 02:05 217088 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{B6245B22-1A0D-4725-AF73-E7454EBA5B5F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{D3BF5123-53C7-4B8F-A0D7-5A81C8F33A90}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{B0F0B3E0-8599-4025-A2EC-D3C97F35C288}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{935B65F2-7E0B-495F-84C2-0FC0DC9379ED}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{BA3635C3-9B6F-4844-921A-FADAA16D4B23}c:\\program files\\java\\jre1.6.0_01\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_01\bin\javaw.exe:Java(TM) Platform SE binary
    "UDP Query User{9D2F8BDC-EC84-425B-BE6D-D69FEFEF97ED}c:\\program files\\java\\jre1.6.0_01\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_01\bin\javaw.exe:Java(TM) Platform SE binary
    "TCP Query User{1323B2ED-40A0-474C-B18D-BF98F9388C5B}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
    "UDP Query User{CB04E4A8-5DC4-497D-A165-1FBBC0DC6379}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
    "TCP Query User{4AEEE9A4-BCFC-4452-A014-0A127AF48801}c:\\program files\\streammygame\\streamer_server.exe"= UDP:c:\program files\streammygame\streamer_server.exe:Streamer Server
    "UDP Query User{0C259AE2-8498-4761-9DD9-6F443BD70B61}c:\\program files\\streammygame\\streamer_server.exe"= TCP:c:\program files\streammygame\streamer_server.exe:Streamer Server
    "{E4B25A2A-0164-47B2-B0EA-412021E16AE8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{6FE19D60-D611-4015-B3E1-8A56F72A4EF7}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{9C97536C-3FF7-4A1B-98BB-005EEE5D514E}c:\\program files\\bitlord2\\bitlord.exe"= UDP:c:\program files\bitlord2\bitlord.exe:
    "UDP Query User{2CC71393-4385-466D-9EBE-B3B09E2BE831}c:\\program files\\bitlord2\\bitlord.exe"= TCP:c:\program files\bitlord2\bitlord.exe:
    "{4F977E94-13D0-4470-B133-E330304C0781}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{B1ECE1BE-DF67-478D-98D5-F13070B61438}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{5155CA16-7FD7-4605-B6A9-13E2BB6F7A07}"= UDP:c:\program files\AIM6\aim6.exe:AIM
    "{D7A0E564-CB0C-42B6-84D3-662BDD341962}"= TCP:c:\program files\AIM6\aim6.exe:AIM
    "{0EFDCD0C-9F88-464E-B034-ABD0ACC8F6F4}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
    "{9D8DEEB9-343C-468E-8DB0-EF9DD8543B00}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
    "{91F2131F-4B77-4E88-9895-67E5ED5AF6C5}"= UDP:5900:vnc
    "TCP Query User{153A6BBB-B9B6-49D5-A17F-B4194DB7258A}c:\\program files\\realvnc\\vnc4\\winvnc4.exe"= UDP:c:\program files\realvnc\vnc4\winvnc4.exe:VNC Server Free Edition for Win32
    "UDP Query User{E80B427D-431C-4A45-9121-3F4F8A30A4C0}c:\\program files\\realvnc\\vnc4\\winvnc4.exe"= TCP:c:\program files\realvnc\vnc4\winvnc4.exe:VNC Server Free Edition for Win32
    "{CCAE817B-EF7D-49B8-B189-F54ECEA68F76}"= UDP:6346:gnutella
    "{10225C4C-1A10-476A-BDA6-944A903D3A80}"= UDP:c:\program files\MP3 Rocket\MP3RocketLauncher.exe:MP3RocketLauncher
    "{73BC889C-F45E-4072-B9CC-F90E445A7724}"= TCP:c:\program files\MP3 Rocket\MP3RocketLauncher.exe:MP3RocketLauncher
    "{532AD6EA-AAA4-4BC2-8044-1881A4C3D7F7}"= UDP:c:\program files\MP3 Rocket\MP3Rocket.exe:MP3Rocket
    "{05A00019-B2DD-4510-87E5-FE47BF34942A}"= TCP:c:\program files\MP3 Rocket\MP3Rocket.exe:MP3Rocket
    "TCP Query User{F191B709-41BE-445D-A662-647AE7616616}c:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component
    "UDP Query User{8AAB39C1-967E-4940-B5DD-AC9A6027FEE6}c:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-02 111184]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-02 20560]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-01-27 51792]
    R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2008-06-04 143467]
    R2 Viewpoint Manager Service;Viewpoint Manager Service; "c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-05-27 24652]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-07-02 26248]
    S3 AASW2_Service;Ashampoo AntiSpyWare 2 Service;c:\program files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe [2008-11-04 749400]
    S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-07-23 16896]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f65fc5-1980-11dd-8682-0016d4610af5}]
    \shell\AutoRun\command - F:\LaunchU3.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-06 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

    2008-11-19 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2008-10-25 09:12]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-12 20:34:29
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3960)
    c:\windows\system32\MsnChatHook.dll
    c:\windows\system32\sysenv.dll
    c:\windows\system32\ShowErrMsg.dll
    c:\program files\Vista Start Menu\VistaStartMenu.dll
    c:\windows\system32\BsMobileSDK.dll
    c:\windows\system32\BsLangInDepRes.dll
    c:\windows\system32\Bs2Res.dll
    c:\program files\CursorXP\CurXP0.dll
    .
    Completion time: 2008-12-12 20:42:40
    ComboFix-quarantined-files.txt 2008-12-13 01:42:22
    ComboFix2.txt 2008-12-11 06:54:10

    Pre-Run: 18,074,906,624 bytes free
    Post-Run: 18,046,263,296 bytes free

    255
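The "Reg Loading Points" section of the ComboFix log above is the part a reviewer reads first, and the checks are mechanical enough to script. As an added example (my own code, not ComboFix's parser and not anything posted in this thread), the Python below takes a constructed sample made of a few entries copied from that section and flags the three things a reviewer would check by hand: a non-empty AppInit_DLLs value (every DLL listed there is loaded into each process that links user32.dll), Run entries that give a bare file name instead of an absolute path (RtHDVCpl.exe is resolved through the search path at logon, so a same-named binary found earlier would run instead), and a cached AutoRun command for a removable volume (F:\LaunchU3.exe). The function and category names are my assumptions. In this log all three findings are consistent with the helper's "looks good" verdict, so treat the output as a triage list, not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in ComboFix's "Reg Loading Points" format. The entries are
# copied from the log posted above and embedded here so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-28 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60f65fc5-1980-11dd-8682-0016d4610af5}]
\shell\AutoRun\command - F:\LaunchU3.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "Name"=value  [date size]   (the bracketed metadata is optional)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)(?:\s+\[(?P<meta>[^\]]*)\])?$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

Finding = Tuple[str, str, str]  # (category, registry key, detail) -- category names are mine


def triage_autostarts(log_text: str) -> List[Finding]:
    """Walk the Reg Loading Points lines and return entries a reviewer should look at."""
    findings: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        lower_key = key.lower()
        if lower_key.endswith(r"\currentversion\windows"):
            # AppInit_DLLs: any DLL named here is injected into every user32-linked process.
            m = VALUE_RE.match(line)
            if m and m.group("name").lower() == "appinit_dlls" and m.group("value").strip():
                findings.append(("appinit_dlls", key, m.group("value").strip()))
        elif lower_key.endswith(r"\currentversion\run"):
            m = VALUE_RE.match(line)
            if not m:
                continue
            cmd = m.group("value").strip().strip('"')
            if not ABS_PATH_RE.match(cmd):
                # Bare file name: resolved via the search path at logon, so a same-named
                # binary earlier in that path would be started instead of the intended one.
                findings.append(("run_without_path", key, f'{m.group("name")} -> {cmd}'))
        elif "\\mountpoints2\\" in lower_key and "\\shell\\autorun\\command" in line.lower():
            # Explorer's cached AutoRun command for a removable volume (here a U3 launcher).
            findings.append(("volume_autorun", key, line.split(" - ", 1)[-1].strip()))
    return findings


if __name__ == "__main__":
    for category, reg_key, detail in triage_autostarts(SAMPLE_LOG):
        print(f"{category:18} {detail}\n    in {reg_key}")
```

Run it on a whole log rather than the sample by reading the file into `triage_autostarts`; entries with an absolute path (avast! above) produce no finding, which is the point: the list is what is left after the obvious cases are filtered out.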
     
  10. 2008/12/12 noahdfear (Inactive; joined 2003/04/06, 12,178 messages, 15 likes received)
    Looks good. Everything seems to be working properly again?

    Let's get an online scan now. Please do an online scan with Kaspersky Online Scanner

    • Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log here.
     
  11. 2008/12/13 kerbdog (Inactive, Thread Starter; joined 2008/12/06, 27 messages, 0 likes received)
    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, December 13, 2008
    Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, December 13, 2008 04:11:25
    Records in database: 1456965
    Scan settings
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area: My Computer
    C:\
    D:\
    E:\
    Scan statistics
    Files scanned: 162876
    Threat name: 10
    Infected objects: 19
    Suspicious objects: 0
    Duration of the scan: 03:35:25

    File name Threat name Threats count
    C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\UBCD4Win\plugin\Network\ipscan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
    C:\UBCD4Win\plugin\Network\ultravnc\files\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
    C:\UBCD4Win\plugin\Network\ultravnc\files\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
    C:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
    C:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\UBCD4Win\plugin\Network\VNCServer\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
    C:\UBCD4Win\plugin\System-Info\Information\keyfinderpe\keyfinder.exe Infected: not-a-virus:pSWTool.Win32.RAS.g 1
    C:\UBCD4Win\plugin\System-Info\Information\keyfinderpe\keyfinder.exe Infected: not-a-virus:pSWTool.Win32.RAS.a 1
    C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Agent.afhp 1
    C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Agent.ajcd 1
    C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Pakes.lgd 1
    C:\Users\Admin\Downloads\PopularScreensaversSetup2.3.50.21.ZRfox000.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cw 1
    C:\Users\Admin\Downloads\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
    The selected area was scanned.
     
  12. 2008/12/13 noahdfear (Inactive; joined 2003/04/06, 12,178 messages, 15 likes received)
    The only thing of concern is an infected Outlook email.

    C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst

    Unfortunately, the scan doesn't tell us which one. You'll need to try to determine that yourself. If there's anything in the Deleted items folder, emptying it is a good place to start.

    The screensaver setup has MyWebSearch embedded, and will undoubtedly install it if you run the setup. More of a nuisance adware-based app than a threat.

    How's the computer behaving?
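noahdfear's reading of the Kaspersky report above (everything carrying the not-a-virus: prefix is riskware such as VNC, a port scanner or adware, and the one real detection sits inside Outlook.pst, where the scanner cannot say which message holds it) is a classification that can be scripted. The Python below is an added example, not part of the thread and not Kaspersky's own tooling: it parses lines in the report format shown (a constructed sample copied from the report), groups detections per file, separates riskware from malware, and lists container files where the hit is one item inside the file and deleting the whole file would be the wrong response. CONTAINER_EXT and the function names are my assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a subset of the report lines posted above, embedded so the
# script runs offline. Kaspersky Online Scanner 7 writes one line per detection:
#   <path> Infected: <threat name> <count>
SAMPLE_REPORT = r"""
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\UBCD4Win\plugin\Network\ipscan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Agent.afhp 1
C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Agent.ajcd 1
C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Trojan.Win32.Pakes.lgd 1
C:\Users\Admin\Downloads\PopularScreensaversSetup2.3.50.21.ZRfox000.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.cw 1
C:\Users\Admin\Downloads\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
"""

# Paths contain spaces, so match lazily up to the literal " Infected: " marker.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Mailbox and archive formats: a detection names the file, but the infected object is
# one message/attachment/member inside it. (Assumed list, extend as needed.)
CONTAINER_EXT = (".pst", ".ost", ".zip", ".rar", ".cab")


def is_riskware(threat: str) -> bool:
    """Kaspersky prefixes legitimate-but-abusable tools and adware with 'not-a-virus:'."""
    return threat.lower().startswith("not-a-virus:")


def triage_report(report_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group detections per file and split them into 'malware' and 'riskware' buckets."""
    buckets: Dict[str, Dict[str, List[str]]] = {
        "malware": defaultdict(list),
        "riskware": defaultdict(list),
    }
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics, "The selected area was scanned."
        bucket = "riskware" if is_riskware(m.group("threat")) else "malware"
        buckets[bucket][m.group("path")].append(m.group("threat"))
    return {name: dict(files) for name, files in buckets.items()}


def files_needing_action(report_text: str) -> List[str]:
    """Files with at least one real malware detection, in sorted order."""
    return sorted(triage_report(report_text)["malware"])


def container_hits(report_text: str) -> List[str]:
    """Malware detections inside a mailbox/archive: locate the item inside, don't delete the file."""
    malware = triage_report(report_text)["malware"]
    return sorted(p for p in malware if p.lower().endswith(CONTAINER_EXT))


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT)
    for path, threats in result["riskware"].items():
        print(f"riskware  {path}: {', '.join(threats)}")
    for path, threats in result["malware"].items():
        print(f"MALWARE   {path}: {', '.join(threats)}")
    for path in container_hits(SAMPLE_REPORT):
        print(f"container {path}: find the offending message/member inside")
```

On the sample this yields four riskware files (the two VNC items, the port scanner and the MyWebSearch-bundled installer) and a single malware file, Outlook.pst, which is also reported as a container, matching the advice in the post above to hunt for the message rather than remove the mailbox.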
     
