
Solved Search Engine Redirect, Browser Crash, Regedit disabled

Discussion in 'Malware and Virus Removal Archive' started by Brianb47, 2009/03/29.

  1. 2009/03/29
    Brianb47

    [Resolved] Search Engine Redirect, Browser Crash, Regedit disabled

    Hello. I am new to the site so please forgive any missteps.
    I saw Juliet helping two other people on this similar topic. Tried following the fixes, but some were specific to those others' computers.
    My problem is: search engine redirects me to a variety of sites, browser crashes intermittently (but ALWAYS when I try to navigate to bleepingcomputer site), regedit does not work at all, and computer appears to be running slowly.
    ALSO: cannot run either ComboFix OR dds at all.

    Because I cannot run dds as the forum rules state, I had no choice but to run HiJackThis. Log below. THANKS IN ADVANCE.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:29:21 PM, on 3/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Symantec AntiVirus\VPC32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Lavasoft\Ad-Aware\lsupdatemanager.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Lavasoft RegHance\RegHance.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe "
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe "
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe "
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe "
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [KeepVault Tray] "C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe "
    O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe "
    O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: co.pg.md.us
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238357178875
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
    O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Proxure KeepVault Local Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    O23 - Service: Proxure KeepVault Remote Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12171 bytes
     
  2. 2009/03/29
    Brianb47

    Add RSIT Log

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Brian at 2009-03-29 23:28:12
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 6 GB (8%) free of 73 GB
    Total RAM: 509 MB (22% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:28:16 PM, on 3/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Symantec AntiVirus\VPC32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Brian\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Brian.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe "
    O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe "
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe "
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe "
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [KeepVault Tray] "C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe "
    O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe "
    O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: co.pg.md.us
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238357178875
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
    O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Proxure KeepVault Local Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    O23 - Service: Proxure KeepVault Remote Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12080 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
    Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-03-06 1088296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll [2008-03-25 509328]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A114D52B-870C-4F15-8021-B6D7F91A054B}]
    iFinger plugin / Browser helper object - C:\PROGRA~1\iFinger\plugins\IE.ifp [2001-07-09 349184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
    CBrowserHelperObject Object - c:\Program Files\GoogleAFE\GoogleAE.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18 231160]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "=C:\WINDOWS\system32\igfxtray.exe [2005-10-14 94208]
    "igfxhkcmd "=C:\WINDOWS\system32\hkcmd.exe [2005-10-14 77824]
    "igfxpers "=C:\WINDOWS\system32\igfxpers.exe [2005-10-14 114688]
    "ISUSPM Startup "=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
    "ISUSScheduler "=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
    "DLA "=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
    "zBrowser Launcher "=C:\Program Files\Logitech\iTouch\iTouch.exe [2003-12-01 892928]
    "Logitech Utility "=C:\WINDOWS\LOGI_MWX.EXE [2003-11-07 19968]
    " "= []
    "RCHotKey "=C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe [2008-03-12 32768]
    "SSBkgdUpdate "=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
    "Opware15 "=C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe [2005-07-06 69632]
    "OpScheduler "=C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe []
    "PDF3 Registry Controller "=C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe [2005-04-12 106496]
    "LXCGCATS "=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16 []
    "CANON DR2080C SVC "=DR2KSVC.dll,EntryPointUserMessage []
    "ccApp "=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2004-02-29 66680]
    "vptray "=C:\PROGRA~1\SYMANT~1\VPTray.exe [2004-03-12 124128]
    "PaperPort PTD "=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2005-02-27 36864]
    "IndexSearch "=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2005-02-27 40960]
    "QuickTime Task "=C:\Program Files\QuickTime\qttask.exe [2006-03-09 98304]
    "Acrobat Assistant 7.0 "=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2008-04-23 483328]
    "KeepVault Tray "=C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe [2007-11-14 98304]
    "ZoneAlarm Client "=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-10-09 981904]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "NoIE4StubProcessing "=C:\WINDOWS\system32\reg.exe [2008-04-13 50176]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "RCUI "=C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe [2008-03-12 458752]
    "RCHotKey "=C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe [2008-03-12 32768]
    "OpAgent "=C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe [2005-07-06 143360]
    "Skype "=C:\Program Files\Skype\Phone\Skype.exe [2009-03-06 24095528]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2008-04-23 483328]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
    C:\Program Files\Lexmark 2300 Series\ezprint.exe [2005-08-01 94208]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
    C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2005-07-12 299008]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe [2005-07-21 200704]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe [2006-01-19 11776]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-07-12 1117184]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    C:\WINDOWS\system32\NvCpl.dll [2004-07-15 4112384]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    C:\WINDOWS\system32\NvMcTray.dll [2004-07-15 81920]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe [2006-03-09 98304]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER []

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-07-08 25214]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
    C:\PROGRA~1\COMMON~1\DataViz\DVZINC~1.EXE [2006-08-28 28672]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
    C:\PROGRA~1\Yahoo!\YAHOO!~1\ymetray.exe [2008-02-05 54512]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Brian^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    C:\PROGRA~1\MICROS~4\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
    HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe
    iFinger 2.0.lnk - C:\Program Files\iFinger\iFinger.exe
    iFinger.lnk - C:\Program Files\iFinger\iFinger.exe
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

    C:\Documents and Settings\Brian\Start Menu\Programs\Startup
    palmOne Registration.lnk - C:\Program Files\palmOne\register.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxdev.dll [2005-10-14 135168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
    C:\WINDOWS\system32\NavLogon.dll [2004-03-12 83176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"="C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe:*:Enabled:RingCentral"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Disabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Disabled:AOL"
    "C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Disabled:AOL"
    "C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"="C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
    "C:\Program Files\ViaVoice\Bin\audmig.exe"="C:\Program Files\ViaVoice\Bin\audmig.exe:*:Enabled:IBM ViaVoice Audio Device Migration"
    "C:\Program Files\ViaVoice\Bin\engine.exe"="C:\Program Files\ViaVoice\Bin\engine.exe:*:Enabled:IBM ViaVoice Speech Recognition Engine"
    "C:\Program Files\ViaVoice\Bin\dme.exe"="C:\Program Files\ViaVoice\Bin\dme.exe:*:Enabled:IBM ViaVoice Dictation Macro Editor"
    "C:\Program Files\ViaVoice\Bin\smart.exe"="C:\Program Files\ViaVoice\Bin\smart.exe:*:Enabled:IBM ViaVoice Audio Setup Wizard"
    "C:\Program Files\ViaVoice\Bin\options.exe"="C:\Program Files\ViaVoice\Bin\options.exe:*:Enabled:IBM ViaVoice Options"
    "C:\Program Files\ViaVoice\Bin\miguser.exe"="C:\Program Files\ViaVoice\Bin\miguser.exe:*:Enabled:IBM ViaVoice User Migration"
    "C:\Program Files\ViaVoice\Bin\ewiz.exe"="C:\Program Files\ViaVoice\Bin\ewiz.exe:*:Enabled:IBM ViaVoice Enrollment Wizard"
    "C:\Program Files\ViaVoice\Bin\vocabexp.exe"="C:\Program Files\ViaVoice\Bin\vocabexp.exe:*:Enabled:IBM ViaVoice Vocabulary Expander"
    "C:\Program Files\ViaVoice\Bin\userwiz.exe"="C:\Program Files\ViaVoice\Bin\userwiz.exe:*:Enabled:IBM ViaVoice User Wizard"
    "C:\Program Files\ViaVoice\Bin\vati.exe"="C:\Program Files\ViaVoice\Bin\vati.exe:*:Enabled:IBM ViaVoice Vocabulary and Topic Installer"
    "C:\Program Files\ViaVoice\Bin\vtperdic.exe"="C:\Program Files\ViaVoice\Bin\vtperdic.exe:*:Enabled:IBM ViaVoice Vocabulary Manager"
    "C:\Program Files\ViaVoice\Bin\chkmsaa.exe"="C:\Program Files\ViaVoice\Bin\chkmsaa.exe:*:Enabled:IBM ViaVoice MSAA Checker"
    "C:\Program Files\ViaVoice\Bin\speechbar.exe"="C:\Program Files\ViaVoice\Bin\speechbar.exe:*:Enabled:IBM ViaVoice Speechbar"
    "C:\Program Files\ViaVoice\Bin\macroeditor.exe"="C:\Program Files\ViaVoice\Bin\macroeditor.exe:*:Enabled:IBM ViaVoice Navigation Macro Editor"
    "C:\Program Files\ViaVoice\Bin\msaadmn.exe"="C:\Program Files\ViaVoice\Bin\msaadmn.exe:*:Enabled:IBM ViaVoice MSAA Daemon"
    "C:\Program Files\ViaVoice\Bin\navcentral.exe"="C:\Program Files\ViaVoice\Bin\navcentral.exe:*:Enabled:IBM ViaVoice Navigation Central"
    "C:\Program Files\ViaVoice\Bin\recowizard.exe"="C:\Program Files\ViaVoice\Bin\recowizard.exe:*:Enabled:IBM ViaVoice Recognition Wizard"
    "C:\Program Files\ViaVoice\Bin\voicepad.exe"="C:\Program Files\ViaVoice\Bin\voicepad.exe:*:Enabled:IBM ViaVoice SpeakPad"
    "C:\Program Files\ViaVoice\Bin\vtdirect.exe"="C:\Program Files\ViaVoice\Bin\vtdirect.exe:*:Enabled:IBM ViaVoice Direct Dictation"
    "C:\Program Files\ViaVoice\Bin\whatcanisay.exe"="C:\Program Files\ViaVoice\Bin\whatcanisay.exe:*:Enabled:IBM ViaVoice What Can I Say"
    "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
    "C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
    "C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d4f71b1-58eb-11dd-80ba-001320e1a69b}]
    shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a020b3e2-aa2b-11db-88e9-001320e1a69b}]
    shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d55a734c-20bc-11dc-a4e0-001320e1a69b}]
    shell\AutoRun\command - E:\LaunchU3.exe


    ======List of files/folders created in the last 1 months======

    2009-03-29 23:26:47 ----D---- C:\rsit
    2009-03-29 22:19:41 ----D---- C:\Program Files\Trend Micro
    2009-03-29 22:10:43 ----HD---- C:\WINDOWS\PIF
    2009-03-29 21:28:45 ----D---- C:\Program Files\Lavasoft RegHance
    2009-03-29 20:40:50 ----D---- C:\Program Files\Panda Security
    2009-03-29 20:20:32 ----D---- C:\Program Files\KB824146Scan
    2009-03-29 16:34:38 ----D---- C:\WINDOWS\WBEM
    2009-03-29 16:33:39 ----HDC---- C:\WINDOWS\ie7
    2009-03-29 16:33:19 ----HDC---- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
    2009-03-29 16:32:25 ----HDC---- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
    2009-03-29 16:17:21 ----D---- C:\Documents and Settings\Brian\Application Data\Mozilla
    2009-03-29 16:16:52 ----D---- C:\Program Files\Mozilla Firefox
    2009-03-29 16:06:29 ----D---- C:\WINDOWS\LastGood
    2009-03-24 19:50:15 ----D---- C:\Documents and Settings\Brian\Application Data\Skype
    2009-03-24 19:49:44 ----RD---- C:\Program Files\Skype
    2009-03-24 19:49:36 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
    2009-03-23 17:38:04 ----D---- C:\WINDOWS\system32\VirtualExpander
    2009-03-03 18:33:06 ----A---- C:\rollback.ini
    2009-03-02 19:40:35 ----D---- C:\Documents and Settings\Brian\Application Data\MailFrontier
    2009-03-02 19:22:28 ----A---- C:\WINDOWS\system32\zlcommdb.dll
    2009-03-02 19:22:28 ----A---- C:\WINDOWS\system32\zlcomm.dll
    2009-03-02 19:22:07 ----A---- C:\WINDOWS\system32\zpeng25.dll

    ======List of files/folders modified in the last 1 months======

    2009-03-29 23:28:15 ----D---- C:\WINDOWS\Internet Logs
    2009-03-29 22:44:36 ----D---- C:\WINDOWS\system32
    2009-03-29 22:19:41 ----RD---- C:\Program Files
    2009-03-29 22:10:43 ----D---- C:\WINDOWS
    2009-03-29 21:50:53 ----D---- C:\WINDOWS\Temp
    2009-03-29 21:44:02 ----D---- C:\WINDOWS\system32\drivers
    2009-03-29 21:32:50 ----A---- C:\WINDOWS\ORS.INI
    2009-03-29 20:41:15 ----HD---- C:\WINDOWS\inf
    2009-03-29 20:34:51 ----D---- C:\i386
    2009-03-29 20:21:02 ----D---- C:\WINDOWS\Prefetch
    2009-03-29 16:50:12 ----D---- C:\Documents and Settings\Brian\Application Data\Adobe
    2009-03-29 16:34:44 ----D---- C:\WINDOWS\system32\config
    2009-03-29 16:34:37 ----D---- C:\WINDOWS\system32\en-us
    2009-03-29 16:34:31 ----D---- C:\WINDOWS\Media
    2009-03-29 16:34:30 ----D---- C:\Program Files\Internet Explorer
    2009-03-29 16:34:29 ----RSHD---- C:\WINDOWS\system32\dllcache
    2009-03-29 16:34:29 ----D---- C:\WINDOWS\Help
    2009-03-29 16:33:27 ----A---- C:\WINDOWS\imsins.BAK
    2009-03-29 16:31:31 ----HD---- C:\WINDOWS\$hf_mig$
    2009-03-29 16:06:31 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-03-29 16:06:30 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-03-29 14:19:00 ----D---- C:\Program Files\Symantec AntiVirus
    2009-03-29 14:09:13 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-03-28 14:49:29 ----A---- C:\WINDOWS\system32\DSPlayer.dll
    2009-03-27 11:18:59 ----D---- C:\Documents and Settings\Brian\Application Data\U3
    2009-03-26 14:22:02 ----D---- C:\Program Files\palmOne
    2009-03-24 19:49:55 ----SHD---- C:\WINDOWS\Installer
    2009-03-24 19:49:54 ----D---- C:\Config.Msi
    2009-03-23 18:57:41 ----D---- C:\Program Files\Lx_cats
    2009-03-22 21:24:09 ----D---- C:\Documents and Settings\Brian\Application Data\LimeWire
    2009-03-22 17:41:43 ----A---- C:\WINDOWS\SetScan.ini
    2009-03-14 13:32:30 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-03-13 19:01:47 ----D---- C:\WINDOWS\system32\ZoneLabs
    2009-03-02 19:20:11 ----D---- C:\WINDOWS\WinSxS
    2009-03-01 22:52:51 ----A---- C:\WINDOWS\BRWMARK.INI

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
    R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2008-09-18 148496]
    R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
    R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2004-03-11 263616]
    R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-10-09 353680]
    R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-11-06 16512]
    R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
    R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
    R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
    R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
    R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
    R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
    R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
    R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
    R2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
    R3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
    R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
    R3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
    R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090329.003\naveng.sys []
    R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090329.003\navex15.sys []
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-07-15 2459712]
    R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
    R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-10-14 1302812]
    S3 NAL;Nal Service ; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys []
    S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2006-08-29 16694]
    S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
    S3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2004-03-11 16288]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
    S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
    S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
    S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
    S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
    S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
    S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
    R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-02-29 255096]
    R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-02-29 242808]
    R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2004-03-12 29928]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-20 322120]
    R2 MSSQL$NR2005;MSSQL$NR2005; C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe [2002-12-17 7520337]
    R2 NVSvc;NVIDIA Display Driver Service (Omega 1.6177) (P); C:\WINDOWS\system32\nvsvc32.exe [2004-07-15 114755]
    R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2004-03-12 1221864]
    R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-10-09 2405776]
    R3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-03-16 69632]
    S2 Proxure KeepVault Local Backup Service;Proxure KeepVault Local Backup Service; C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe [2007-11-14 163840]
    S2 Proxure KeepVault Remote Backup Service;Proxure KeepVault Remote Backup Service; C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe [2007-11-14 176128]
    S2 spupdsvc;Windows Service Pack Installer update service; C:\WINDOWS\system32\spupdsvc.exe [2007-08-10 26488]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
    S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-02-29 87160]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
    S3 lxcg_device;lxcg_device; C:\WINDOWS\system32\lxcgcoms.exe [2005-07-25 491520]
    S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
    S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
    S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-03-11 193760]
    S3 SQLAgent$NR2005;SQLAgent$NR2005; C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE [2002-12-17 311872]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

    -----------------EOF-----------------
     


  4. 2009/03/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome Brianb47

    I believe you've been hit with the Conficker worm.

    Let's see if we can get a couple of things to run.

    Please download GooredFix from one of the locations below and save it to your Desktop
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.





    Download worksnow from HERE:

    * IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    "copy/paste" a new HijackThis log file into this thread as well.

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Give it at least 20-30 minutes to finish if needed.
     
  5. 2009/03/30
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    Hi Juliet--- thanks for helping. You are awesome.

    I have the Goored Log below. I downloaded worksnow, disabled all protective programs as you stated, double-clicked on it, and the ComboFix window came up -- it showed it was working but then the window closed and nothing further. This is the same thing that happened when I downloaded ComboFix from another site and tried to run it. Basically does the same as DDS-- not much.

    GooredFix v1.92 by jpshortstuff
    Log created at 15:52 on 30/03/2009 running Option #1 (Brian)
    Firefox version 3.0.8 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"
     
  6. 2009/03/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Let's try this


    C:\qoobox\quarantined_files.txt <-- is this file present? If so -- please post its contents.

    How about c:\Combofix\combofix.txt <-- is it here?


    Please download RegQuery by Noviciate to your desktop
    • Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
      • [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    • Double click RegQuery.exe to run the program
    • Paste the text you have copied using CRTL and V, into the textbox
    • Click the Query button
    • A Notepad file will open. Please paste the contents in your next reply
    • You may now close the RegQuery program


    In your next reply post:
    RegQuery log
     
    Brianb47 likes this.
  7. 2009/03/30
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    Thanks for the post. Both Combofix and qoobox as you queried below are NOT present.

    But I did notice a suspicious folder in C:/ entitled 32788R22FWJFW with a bunch of files in it supposedly from year 2000. Member Nikolette posted about this in her similar problem. There was a warning that these were all evidence of some kind of infection. Notably, there was a combofix file in there. I deleted the whole thing--- didn't want to even touch it. But when I ran worksnow again, the folder and the files returned. There is one called "Combo-Fix" and another "ComboFix-Download" but they are both unknown application type files. Nothing like what you mentioned.

    RegQuery Log below:



    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.I420"="msh263.drv"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "vidc.iyuv"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "vidc.uyvy"="msyuv.dll"
    "vidc.yuy2"="msyuv.dll"
    "vidc.yvu9"="tsbyuv.dll"
    "vidc.yvyu"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="C:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="C:\\WINDOWS\\system32\\l3codeca.acm"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "vidc.XVID"="xvidvfw.dll"
    "VIDC.MPG4"="mpg4c32.dll"
    "VIDC.MP42"="mpg4c32.dll"
    "aux"="C:\\DOCUME~1\\Brian\\LOCALS~1\\Temp\\..\\pgckdej.rfo"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\Terminal Server\RDP]
    "wave"="rdpsnd.dll"
    "mixer"="rdpsnd.dll"
    "MaxBandwidth"=dword:000056b9
    "wavemapper"="msacm32.drv"
    "EnableMP3Codec"=dword:00000001
    "midimapper"="midimap.dll"
     
  8. 2009/03/30
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Let's try this


    You will need to use HijackThis' delete-on-reboot option to delete the file below, since if you delete it manually it will be recreated immediately.

    So, open HijackThis, click 'Config' (bottom right)
    Choose the tab 'misc Tools' on top.
    Choose 'delete a file on reboot'
    In the field, copy and paste next:
    C:\WINDOWS\pgckdej.rfo

    Click open.
    Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now. Click Yes/ok
    Your system should reboot now.

    Verify that C:\WINDOWS\pgckdej.rfo is gone after the reboot.



    Next, launch Notepad (Start > Run, type in: notepad) and copy and paste the text below into it (don't forget to copy and paste REGEDIT4):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"="wdmaud.drv"


    Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents into the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.



    Now please try to run ComboFix again.
     
  9. 2009/03/30
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    This worm is very interesting and I like how you zeroed right in on what was stopping ComboFix. Successfully deleted pgckdej.rfo as per your instructions. However, when I tried to use the fix.reg it did the same thing that would happen when I would try to start Regedit-- basically nothing-- other than to restart Windows Explorer. So I used RegHance instead and manually made the registry change that you suggested. That did the trick.

    Was able to run ComboFix. Log below. Also HJT log afterwards. Maybe making some progress on this? I think I owe you one---



    ComboFix 09-03-29.04 - Brian 2009-03-30 20:34:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.509.96 [GMT -4:00]
    Running from: c:\combo-fix\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Outdated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
    FW: *disabled*
    FW: ZoneAlarm Security Suite Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
    .

    2009-03-30 20:30 . 2009-03-30 20:30 <DIR> d-------- C:\Combo-Fix
    2009-03-30 20:28 . 2009-03-30 20:29 <DIR> d-------- C:\worksnow
    2009-03-30 02:21 . 2009-03-30 02:21 <DIR> d-------- c:\documents and settings\Brian\DoctorWeb
    2009-03-30 01:48 . 2009-03-30 01:48 <DIR> d-------- c:\documents and settings\B2\Application Data\HotSync
    2009-03-30 01:47 . 2009-03-30 01:47 <DIR> d-------- c:\documents and settings\B2\Application Data\FaxCtr
    2009-03-30 01:32 . 2006-03-09 08:59 <DIR> d--h----- c:\documents and settings\B2\Application Data\Gtek
    2009-03-30 01:32 . 2009-03-30 01:32 <DIR> d-------- c:\documents and settings\B2
    2009-03-30 01:11 . 2009-03-30 01:11 <DIR> d-------- c:\program files\Alwil Software
    2009-03-29 23:26 . 2009-03-29 23:27 <DIR> d-------- C:\rsit
    2009-03-29 22:19 . 2009-03-29 22:19 <DIR> d-------- c:\program files\Trend Micro
    2009-03-29 22:10 . 2009-03-29 22:10 <DIR> d--h----- c:\windows\PIF
    2009-03-29 21:28 . 2009-03-29 21:28 <DIR> d-------- c:\program files\Lavasoft RegHance
    2009-03-29 20:41 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2009-03-29 20:40 . 2009-03-29 20:40 <DIR> d-------- c:\program files\Panda Security
    2009-03-29 20:20 . 2009-03-29 20:20 <DIR> d-------- c:\program files\KB824146Scan
    2009-03-24 19:50 . 2009-03-26 12:46 <DIR> d-------- c:\documents and settings\Brian\Application Data\Skype
    2009-03-24 19:49 . 2009-03-24 19:49 <DIR> dr------- c:\program files\Skype
    2009-03-24 19:49 . 2009-03-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-03-23 17:38 . 2009-03-23 17:38 <DIR> d-------- c:\windows\system32\VirtualExpander
    2009-03-03 18:33 . 2009-03-15 08:59 805 --a------ C:\rollback.ini
    2009-03-02 19:40 . 2009-03-02 19:40 <DIR> d-------- c:\documents and settings\Brian\Application Data\MailFrontier
    2009-03-02 19:22 . 2008-10-09 15:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
    2009-02-15 21:44 . 2009-03-29 21:32 236 --a------ c:\windows\ORS.INI
    2009-02-15 21:43 . 2009-02-15 21:43 <DIR> d-------- C:\ORS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-31 00:30 --------- d-----w c:\program files\Symantec AntiVirus
    2009-03-31 00:10 2,087,361 ----a-w c:\windows\Internet Logs\tvDebug.Zip
    2009-03-31 00:07 943,628 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-03-31 00:07 72,421,920 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-03-30 05:13 2,413,056 ----a-w c:\windows\Internet Logs\xDB2A.tmp
    2009-03-28 18:49 221,184 ----a-w c:\windows\system32\DSPlayer.dll
    2009-03-27 15:18 --------- d-----w c:\documents and settings\Brian\Application Data\U3
    2009-03-26 18:22 --------- d-----w c:\program files\palmOne
    2009-03-23 22:57 --------- d-----w c:\program files\Lx_cats
    2009-03-23 01:24 --------- d-----w c:\documents and settings\Brian\Application Data\LimeWire
    2009-03-14 01:06 4,012,032 ----a-w c:\windows\Internet Logs\xDB29.tmp
    2009-02-21 04:16 38,640 ----a-w c:\documents and settings\Brian\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-31 23:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-01-28 21:07 409,088 ----a-w c:\windows\Internet Logs\xDB28.tmp
    2008-12-20 01:22 992,256 ----a-w c:\windows\Internet Logs\xDB27.tmp
    2008-12-18 01:17 54,595 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_17_20_12_48_small.dmp.zip
    2008-12-18 01:17 17,505,514 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_17_20_13_25_full.dmp.zip
    2006-03-09 12:37 35 ----a-w c:\documents and settings\dell\sysinfo.dat
    2006-03-09 12:36 28,672 ----a-w c:\documents and settings\dell\UWAKEON.exe
    2006-03-09 12:36 28,672 ----a-w c:\documents and settings\dell\UWAKEOFF.exe
    2004-05-27 13:23 28,672 ----a-w c:\documents and settings\dell\ATAPI.EXE
    2004-05-27 13:23 132 ----a-w c:\documents and settings\dell\USBS3KB.REG
    2002-07-08 21:37 490 ----a-w c:\documents and settings\dell\WALLPAPR.REG
    1999-08-26 00:17 79,024 ----a-w c:\documents and settings\dell\EXPRESS.EXE
    1999-07-15 03:44 13,043 ----a-w c:\documents and settings\dell\DOSXPRES.EXE
    1996-07-31 21:51 38,912 ----a-w c:\documents and settings\dell\P_ESCG.DAT
    1995-07-11 19:50 398,416 ----a-w c:\documents and settings\dell\VBRUN300.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-06 24095528]
    "RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2008-03-12 458752]
    "OpAgent"="c:\program files\ScanSoft\OmniPage15.0\OpAgent.exe" [2005-07-06 143360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "LXCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-12 32768]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-09 98304]
    "PDF3 Registry Controller"="c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-04-12 106496]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-02-27 36864]
    "Opware15"="c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2005-07-06 69632]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]
    "lxcgmon.exe"="c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
    "KeepVault Tray"="c:\program files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe" [2007-11-14 98304]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-02-27 40960]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
    "EzPrint"="c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "nwiz"="nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]
    "Logitech Utility"="LOGI_MWX.EXE" [2003-11-07 c:\windows\LOGI_MWX.EXE]
    "CANON DR2080C SVC"="DR2KSVC.dll" [2005-02-15 c:\windows\system32\DR2KSVC.DLL]

    c:\documents and settings\Brian\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
    palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-06-13 2355200]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-03-23 25214]
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-08-28 28672]
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
    iFinger 2.0.lnk - c:\program files\iFinger\iFinger.exe [2008-11-30 1596928]
    iFinger.lnk - c:\program files\iFinger\iFinger.exe [2008-11-30 1596928]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 54512]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\audmig.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\engine.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\dme.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\smart.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\options.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\miguser.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\ewiz.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\vocabexp.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\userwiz.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\vati.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\vtperdic.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\chkmsaa.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\speechbar.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\macroeditor.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\msaadmn.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\navcentral.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\recowizard.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\voicepad.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\vtdirect.exe"=
    "c:\\Program Files\\ViaVoice\\Bin\\whatcanisay.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-29 28544]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-30 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-30 20560]
    R2 MSSQL$NR2005;MSSQL$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 [?]
    R2 Proxure KeepVault Local Backup Service;Proxure KeepVault Local Backup Service;c:\program files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe [2007-11-14 163840]
    R2 Proxure KeepVault Remote Backup Service;Proxure KeepVault Remote Backup Service;c:\program files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe [2007-11-14 176128]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
    S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d4f71b1-58eb-11dd-80ba-001320e1a69b}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a020b3e2-aa2b-11db-88e9-001320e1a69b}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d55a734c-20bc-11dc-a4e0-001320e1a69b}]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
    HKLM-Run-OpScheduler - c:\program files\ScanSoft\OmniPage15.0\OpScheduler.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\33vz4a97.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 20:37:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-03-30 20:39:21
    ComboFix-quarantined-files.txt 2009-03-31 00:39:17

    Pre-Run: 7,648,444,416 bytes free
    Post-Run: 8,952,983,552 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=2 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
    217



    ------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:53:19 PM, on 3/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
    C:\WINDOWS\LOGI_MWX.EXE
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\lxcgcoms.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [KeepVault Tray] "C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"
    O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238357178875
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
    O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Proxure KeepVault Local Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    O23 - Service: Proxure KeepVault Remote Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11601 bytes
     
  10. 2009/03/30 - Juliet
    The virus just about had your computer locked down.

    We need to talk about how many antivirus and firewalls you have downloaded.

    AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Outdated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
    FW: *disabled*
    FW: ZoneAlarm Security Suite Firewall *disabled*


    Need you to get this whittled down to
    1 antivirus
    1 firewall

    Running more than one of each will not give you added security; in most cases it reduces it.



    Take care of the above first then continue.



    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
      * Select - Show hidden files and folders.
    • Uncheck - Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done.)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\windows\ORS.INI
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned, click "reanalyze now".





    Your version of Java is outdated.

    Please download JavaRa to your desktop and unzip it to its own folder

    Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    Accept any prompts.
    Open JavaRa.exe again and select Search For Updates.
    Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
      * Click on: Save Report As
      * Next, in the Save as prompt, Save in area, select: Desktop
      * In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
      * Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset it to 100%.)
    Or use Firefox with the IE-Tab plugin:
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Results of the requested file scan
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  11. 2009/03/31
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    Hi there. Thanks again. Yes, there were some additional programs operating, just temporarily, while I was trying to resolve these issues. McAfee should be Symantec's Version 9 Corporate Edition. Avast has been removed, leaving McAfee/Symantec (but I didn't realize their names were ever interchangeable) as the only AntiVirus. I also use ZoneAlarm Firewall, which has an AntiVirus that I have disabled so it would not interfere with anything else. So after taking Avast off, I should have the 1 and 1 you referred to.


    The VirusTotal results are below. Other results will follow in future posts. Thanks again -- you are tops!

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.31 -
    AhnLab-V3 5.0.0.2 2009.03.31 -
    AntiVir 7.9.0.129 2009.03.31 -
    Antiy-AVL 2.0.3.1 2009.03.31 -
    Authentium 5.1.2.4 2009.03.30 -
    Avast 4.8.1335.0 2009.03.31 -
    AVG 8.5.0.285 2009.03.31 -
    BitDefender 7.2 2009.03.31 -
    CAT-QuickHeal 10.00 2009.03.31 -
    ClamAV 0.94.1 2009.03.31 -
    Comodo 1092 2009.03.31 -
    DrWeb 4.44.0.09170 2009.03.31 -
    eSafe 7.0.17.0 2009.03.31 -
    eTrust-Vet 31.6.6427 2009.03.31 -
    F-Prot 4.4.4.56 2009.03.30 -
    F-Secure 8.0.14470.0 2009.03.31 -
    Fortinet 3.117.0.0 2009.03.31 -
    GData 19 2009.03.31 -
    Ikarus T3.1.1.49.0 2009.03.31 -
    K7AntiVirus 7.10.687 2009.03.31 -
    Kaspersky 7.0.0.125 2009.03.31 -
    McAfee 5570 2009.03.31 -
    McAfee+Artemis 5570 2009.03.31 -
    McAfee-GW-Edition 6.7.6 2009.03.31 -
    Microsoft 1.4502 2009.03.31 -
    NOD32 3978 2009.03.31 -
    Norman 6.00.06 2009.03.31 -
    nProtect 2009.1.8.0 2009.03.31 -
    Panda 10.0.0.14 2009.03.31 -
    PCTools 4.4.2.0 2009.03.31 -
    Prevx1 V2 2009.03.31 -
    Rising 21.23.12.00 2009.03.31 -
    Sophos 4.40.0 2009.03.31 -
    Sunbelt 3.2.1858.2 2009.03.31 -
    Symantec 1.4.4.12 2009.03.31 -
    TheHacker 6.3.3.9.296 2009.03.30 -
    TrendMicro 8.700.0.1004 2009.03.31 -
    VBA32 3.12.10.1 2009.03.31 -
    ViRobot 2009.3.31.1669 2009.03.31 -
    VirusBuster 4.6.5.0 2009.03.31 -
    Additional information
    File size: 236 bytes
    MD5...: 1bea88365ef3f7bfb3182ada5297ae96
    SHA1..: fafc7e8ec88570bf204a86d6d7eb10002740e1eb
    SHA256: af77a78d86ea0c03357daa6c7c8fabc91495ecf4d1ff9cd960756c96c8b8e411
    SHA512: 4185003abcc09d339e7d609f016aff3b0f6caf2e37525e12979b2a7e68f5756d2cc6ff9441b19756f9f8ef5d0230130c465f5f9101f671cf71da34d3acbb5916
    ssdeep: 6:lbJNgQUDf2Lyl5LEq7EMNtEfn3+6L+aDFLwYhCv:lNNCr2LybjNtEfn3JL+yFLLhs
    PEiD..: -
    TrID..: File type identification
    Generic INI configuration (100.0%)
    PEInfo: -
    RDS...: NSRL Reference Data Set
    -
     
  12. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    OK, looking good.

    Don't be alarmed if Kaspersky says it's found an infection, expecting that.

    Post the K-Log when you can.
     
  13. 2009/03/31
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    The Kaspersky Report is below.

    I did all the other things except the HJT log, which will be posted immediately after.


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, March 31, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, March 31, 2009 22:49:38
    Records in database: 1990802
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 73472
    Threat name: 1
    Infected objects: 1
    Suspicious objects: 0
    Duration of the scan: 01:57:22


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D240002.VBN Infected: Trojan-Downloader.Win32.Agent.bkkj 1

    The selected area was scanned.
     
  14. 2009/03/31
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    HJT Log is below.

    This should do it!

    ComboFix 09-03-29.04 - Brian 2009-03-30 20:34:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.509.96 [GMT -4:00]
    Running from: c:\combo-fix\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Outdated)
    AV: McAfee VirusScan *On-access scanning enabled* (Updated)
    AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)
    FW: *disabled*
    FW: ZoneAlarm Security Suite Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt
    c:\windows\system32\_000005_.tmp.dll
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
    .

    2009-03-30 20:30 . 2009-03-30 20:30 <DIR> d-------- C:\Combo-Fix
    2009-03-30 20:28 . 2009-03-30 20:29 <DIR> d-------- C:\worksnow
    2009-03-30 02:21 . 2009-03-30 02:21 <DIR> d-------- c:\documents and settings\Brian\DoctorWeb
    2009-03-30 01:48 . 2009-03-30 01:48 <DIR> d-------- c:\documents and settings\B2\Application Data\HotSync
    2009-03-30 01:47 . 2009-03-30 01:47 <DIR> d-------- c:\documents and settings\B2\Application Data\FaxCtr
    2009-03-30 01:32 . 2006-03-09 08:59 <DIR> d--h----- c:\documents and settings\B2\Application Data\Gtek
    2009-03-30 01:32 . 2009-03-30 01:32 <DIR> d-------- c:\documents and settings\B2
    2009-03-30 01:11 . 2009-03-30 01:11 <DIR> d-------- c:\program files\Alwil Software
    2009-03-29 23:26 . 2009-03-29 23:27 <DIR> d-------- C:\rsit
    2009-03-29 22:19 . 2009-03-29 22:19 <DIR> d-------- c:\program files\Trend Micro
    2009-03-29 22:10 . 2009-03-29 22:10 <DIR> d--h----- c:\windows\PIF
    2009-03-29 21:28 . 2009-03-29 21:28 <DIR> d-------- c:\program files\Lavasoft RegHance
    2009-03-29 20:41 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
    2009-03-29 20:40 . 2009-03-29 20:40 <DIR> d-------- c:\program files\Panda Security
    2009-03-29 20:20 . 2009-03-29 20:20 <DIR> d-------- c:\program files\KB824146Scan
    2009-03-24 19:50 . 2009-03-26 12:46 <DIR> d-------- c:\documents and settings\Brian\Application Data\Skype
    2009-03-24 19:49 . 2009-03-24 19:49 <DIR> dr------- c:\program files\Skype
    2009-03-24 19:49 . 2009-03-24 19:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype
    2009-03-23 17:38 . 2009-03-23 17:38 <DIR> d-------- c:\windows\system32\VirtualExpander
    2009-03-03 18:33 . 2009-03-15 08:59 805 --a------ C:\rollback.ini
    2009-03-02 19:40 . 2009-03-02 19:40 <DIR> d-------- c:\documents and settings\Brian\Application Data\MailFrontier
    2009-03-02 19:22 . 2008-10-09 15:25 1,221,008 --a------ c:\windows\system32\zpeng25.dll
    2009-02-15 21:44 . 2009-03-29 21:32 236 --a------ c:\windows\ORS.INI
    2009-02-15 21:43 . 2009-02-15 21:43 <DIR> d-------- C:\ORS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-31 00:30 --------- d-----w c:\program files\Symantec AntiVirus
    2009-03-31 00:10 2,087,361 ----a-w c:\windows\Internet Logs\tvDebug.Zip
    2009-03-31 00:07 943,628 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-03-31 00:07 72,421,920 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-03-30 05:13 2,413,056 ----a-w c:\windows\Internet Logs\xDB2A.tmp
    2009-03-28 18:49 221,184 ----a-w c:\windows\system32\DSPlayer.dll
    2009-03-27 15:18 --------- d-----w c:\documents and settings\Brian\Application Data\U3
    2009-03-26 18:22 --------- d-----w c:\program files\palmOne
    2009-03-23 22:57 --------- d-----w c:\program files\Lx_cats
    2009-03-23 01:24 --------- d-----w c:\documents and settings\Brian\Application Data\LimeWire
    2009-03-14 01:06 4,012,032 ----a-w c:\windows\Internet Logs\xDB29.tmp
    2009-02-21 04:16 38,640 ----a-w c:\documents and settings\Brian\Application Data\GDIPFONTCACHEV1.DAT
    2009-01-31 23:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-01-28 21:07 409,088 ----a-w c:\windows\Internet Logs\xDB28.tmp
    2008-12-20 01:22 992,256 ----a-w c:\windows\Internet Logs\xDB27.tmp
    2008-12-18 01:17 54,595 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_17_20_12_48_small.dmp.zip
    2008-12-18 01:17 17,505,514 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_17_20_13_25_full.dmp.zip
    2006-03-09 12:37 35 ----a-w c:\documents and settings\dell\sysinfo.dat
    2006-03-09 12:36 28,672 ----a-w c:\documents and settings\dell\UWAKEON.exe
    2006-03-09 12:36 28,672 ----a-w c:\documents and settings\dell\UWAKEOFF.exe
    2004-05-27 13:23 28,672 ----a-w c:\documents and settings\dell\ATAPI.EXE
    2004-05-27 13:23 132 ----a-w c:\documents and settings\dell\USBS3KB.REG
    2002-07-08 21:37 490 ----a-w c:\documents and settings\dell\WALLPAPR.REG
    1999-08-26 00:17 79,024 ----a-w c:\documents and settings\dell\EXPRESS.EXE
    1999-07-15 03:44 13,043 ----a-w c:\documents and settings\dell\DOSXPRES.EXE
    1996-07-31 21:51 38,912 ----a-w c:\documents and settings\dell\P_ESCG.DAT
    1995-07-11 19:50 398,416 ----a-w c:\documents and settings\dell\VBRUN300.DLL
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "Skype "= "c:\program files\Skype\Phone\Skype.exe" [2009-03-06 24095528]
    "RCUI "= "c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2008-03-12 458752]
    "OpAgent "= "c:\program files\ScanSoft\OmniPage15.0\OpAgent.exe" [2005-07-06 143360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avast! "= "c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "LXCGCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
    "zBrowser Launcher "= "c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "vptray "= "c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
    "SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "RCHotKey "= "c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-12 32768]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2006-03-09 98304]
    "PDF3 Registry Controller "= "c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe" [2005-04-12 106496]
    "PaperPort PTD "= "c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-02-27 36864]
    "Opware15 "= "c:\program files\ScanSoft\OmniPage15.0\Opware15.exe" [2005-07-06 69632]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
    "MSKDetectorExe "= "c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
    "MimBoot "= "c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]
    "lxcgmon.exe "= "c:\program files\Lexmark 2300 Series\lxcgmon.exe" [2005-07-21 200704]
    "KeepVault Tray "= "c:\program files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe" [2007-11-14 98304]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "IndexSearch "= "c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-02-27 40960]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "FaxCenterServer "= "c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
    "EzPrint "= "c:\program files\Lexmark 2300 Series\ezprint.exe" [2005-08-01 94208]
    "DLA "= "c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "nwiz "= "nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]
    "Logitech Utility "= "LOGI_MWX.EXE" [2003-11-07 c:\windows\LOGI_MWX.EXE]
    "CANON DR2080C SVC "= "DR2KSVC.dll" [2005-02-15 c:\windows\system32\DR2KSVC.DLL]

    c:\documents and settings\Brian\Start Menu\Programs\Startup\
    Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
    palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-06-13 2355200]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-03-23 25214]
    DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-08-28 28672]
    HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
    iFinger 2.0.lnk - c:\program files\iFinger\iFinger.exe [2008-11-30 1596928]
    iFinger.lnk - c:\program files\iFinger\iFinger.exe [2008-11-30 1596928]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-02-05 54512]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe "=
    "c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\audmig.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\engine.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\dme.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\smart.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\options.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\miguser.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\ewiz.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\vocabexp.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\userwiz.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\vati.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\vtperdic.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\chkmsaa.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\speechbar.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\macroeditor.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\msaadmn.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\navcentral.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\recowizard.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\voicepad.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\vtdirect.exe "=
    "c:\\Program Files\\ViaVoice\\Bin\\whatcanisay.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-29 28544]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-30 114768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-30 20560]
    R2 MSSQL$NR2005;MSSQL$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe -sNR2005 [?]
    R2 Proxure KeepVault Local Backup Service;Proxure KeepVault Local Backup Service;c:\program files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe [2007-11-14 163840]
    R2 Proxure KeepVault Remote Backup Service;Proxure KeepVault Remote Backup Service;c:\program files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe [2007-11-14 176128]
    S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
    S3 SQLAgent$NR2005;SQLAgent$NR2005;c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 --> c:\program files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlagent.EXE -i NR2005 [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d4f71b1-58eb-11dd-80ba-001320e1a69b}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a020b3e2-aa2b-11db-88e9-001320e1a69b}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d55a734c-20bc-11dc-a4e0-001320e1a69b}]
    \Shell\AutoRun\command - E:\LaunchU3.exe
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
    HKLM-Run-OpScheduler - c:\program files\ScanSoft\OmniPage15.0\OpScheduler.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    IE: Open with Scansoft PDF Converter 3.0 - c:\program files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
    DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} - hxxp://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\33vz4a97.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 20:37:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-03-30 20:39:21
    ComboFix-quarantined-files.txt 2009-03-31 00:39:17

    Pre-Run: 7,648,444,416 bytes free
    Post-Run: 8,952,983,552 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    Current=3 Default=3 Failed=2 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
    217
     
  15. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I'll post this while waiting for your last HJT log.


    Things look good on my end, how about yours?


    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine <-- delete the contents inside this folder



    Don't miss or skip this next step; this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.




    C:\worksnow <-- delete this folder if found.
     
  16. 2009/04/01
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    Hi Juliet. Excellent work!

    This is the last HJT Log. RegEdit now works. No more browser redirects or crashes. Pretty much everything is good. But my only question was: at what point did we kill this thing? I know we changed a registry value. ComboFix also did its thing, but I wasn't sure if that's what really took care of it.
    This was a persistent one! I really have to thank you.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:17 PM, on 4/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\LOGI_MWX.EXE
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\lxcgcoms.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [RCHotKey] C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe "
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe "
    O4 - HKLM\..\Run: [Opware15] "C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe "
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [KeepVault Tray] "C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\PxrKVTray.exe "
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe "
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [CANON DR2080C SVC] rundll32.exe DR2KSVC.dll,EntryPointUserMessage
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe "
    O4 - HKCU\..\Run: [OpAgent] "C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe" /agent
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: iFinger 2.0.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238357178875
    O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (Omega 1.6177) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Proxure KeepVault Local Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\KVLService.exe
    O23 - Service: Proxure KeepVault Remote Backup Service - Proxure, Inc. - C:\Program Files\Migo Software\Migo Digital Backup 3 Premium\Engine\Remote\KVRService.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11251 bytes
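    For anyone triaging a log like the one above, here is an added example (not HijackThis code, not anything the thread's helpers posted) that parses the O4/O9/O16/O23 line formats seen in this log and flags the three things a reviewer looks at first: entries whose target is "(no file)", O23 services with an empty publisher field, and O16 ActiveX downloads from hosts outside an analyst-supplied allowlist. The sample lines are copied from the log above; the allowlist (`microsoft.com`) and the finding reasons are constructed assumptions, and a flag is a prompt to review the item, not a verdict that it is malicious.

```python
"""Triage helper for HijackThis-style log lines.

Added example: this is not HijackThis code. The entry regexes are written
against the line formats visible in the thread's log, and the allowlist is a
constructed assumption that an analyst would replace with their own.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample entries copied from the log above (a constructed subset, not the full log).
SAMPLE_LOG = r"""
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238357178875
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
"""

# "O23 - <body>": every HijackThis entry starts with its section code.
ENTRY_RE = re.compile(r"^(?P<section>O\d+)\s*-\s*(?P<body>.*)$")
# "Service: <name> - <company> - <path>"; company may be empty ("- -").
# Assumes the service name itself contains no " - ".
SERVICE_RE = re.compile(
    r"^Service:\s*(?P<name>.*?)\s+-\s*(?P<company>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.*)$"
)
# "DPF: <description> - <url>"; description may or may not carry a CLSID.
DPF_RE = re.compile(r"^DPF:\s*(?P<desc>.*?)\s+-\s+(?P<url>https?://\S+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body) pairs for every line that looks like an HJT entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def host_allowed(host, allowlist):
    """Exact or proper-subdomain match; 'notmicrosoft.com' must not pass for 'microsoft.com'."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowlist)


def triage(text, trusted_dpf_domains=("microsoft.com",)):
    """Apply the three review heuristics and return the entries worth a second look."""
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if "(no file)" in body:
            # A registered button/startup item whose file is gone: leftover or tampering.
            findings.append(Finding(section, "target file missing", line))
            continue
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m is None:
                findings.append(Finding(section, "unparseable service entry", line))
            elif not m["company"]:
                # Legitimate services usually carry a publisher; an empty field needs checking.
                findings.append(Finding(section, "service has no publisher name", line))
        elif section == "O16":
            m = DPF_RE.match(body)
            host = urlparse(m["url"]).hostname if m else None
            if not host or not host_allowed(host, trusted_dpf_domains):
                findings.append(
                    Finding(section, f"ActiveX download from non-allowlisted host {host!r}", line)
                )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

    Run it as a script to see the three flagged sample entries; the allowlist argument to `triage()` is where an analyst records the download hosts they have already verified.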
     
  17. 2009/04/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Looking good......

    I think we pretty much nabbed it with the regfix to correct the bogus script that attached to your search engine.

    Excellent writeup about it at this link
    http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html



    Let's close a security vulnerability.


    Update Adobe Acrobat Reader
    Adobe Reader is a large program and uses unnecessary space.
    If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended
    • Please go to this link Adobe Acrobat Reader Download Link
    • Click Download
    • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
    • Click the Continue button
    • Click Run, and click Run again
    • Next click the Install Now button and follow the on screen prompts




    You can delete/uninstall any tools I had you download earlier.



    I'm thinking you're good to go, good job!


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  18. 2009/04/02
    Brianb47

    Brianb47 Inactive Thread Starter

    Joined:
    2009/03/29
    Messages:
    10
    Likes Received:
    0
    Juliet----

    Thank you again---
    You are tops!
     
  19. 2009/04/02
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help :)
     