Help please :(

Status
Not open for further replies.
Sigh, System Restore keeps coming back on, dude. Very weird. I ran Malwarebytes first and then ComboFix. I forgot to delete the items which Malwarebytes detected, though; realized later, so I deleted them after ComboFix. Don't know if that helps...
Malwarebytes' Anti-Malware 1.34
Database version: 1855
Windows 5.1.2600 Service Pack 2

3/17/2009 8:21:43 AM
mbam-log-2009-03-17 (08-21-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 131516
Time elapsed: 59 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GAZRS7Z6\ybhqvdeo[1].png (Worm.Downadup) -> No action taken.
C:\WINDOWS\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\josh\reader_s.exe (Trojan.Agent) -> No action taken.
 
ComboFix 09-03-15.01 - josh 2009-03-17 8:23:40.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1236 [GMT 5.5:30]
Running from: c:\documents and settings\josh\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090316-0] *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
FW: Bitdefender Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\josh\reader_s.exe
c:\windows\services.exe
c:\windows\system32\5.tmp
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\rpcnet.dll

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-17 06:55 . 2009-03-17 08:34 34,816 --a------ c:\windows\system32\rpcnetp.exe
2009-03-17 06:45 . 2009-03-17 06:45 90,112 --a------ c:\windows\system32\71.tmp
2009-03-17 06:45 . 2009-03-17 06:45 124 --a------ c:\windows\system32\6F.tmp
2009-03-17 06:30 . 2009-03-17 07:11 <DIR> d-------- c:\program files\CrossLoop
2009-03-17 06:05 . 2009-03-17 06:05 112,640 -rahs---- c:\windows\system32\xbjlpat.dll
2009-03-17 04:45 . 2009-03-17 04:45 124 --a------ c:\windows\system32\3.tmp
2009-03-17 03:19 . 2009-03-17 03:19 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2009-03-17 03:19 . 2009-03-17 03:19 <DIR> d-------- c:\documents and settings\josh\Application Data\HouseCall 6.6
2009-03-16 23:51 . 2009-03-16 23:51 <DIR> d-------- C:\fsaua.data
2009-03-16 23:38 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
2009-03-16 23:38 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
2009-03-16 23:35 . 2009-03-16 23:35 <DIR> d-------- c:\program files\ESET
2009-03-16 23:35 . 2009-03-16 23:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2009-03-16 09:22 . 2009-03-16 09:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 09:22 . 2009-03-16 09:22 <DIR> d-------- c:\documents and settings\josh\Application Data\Malwarebytes
2009-03-16 09:22 . 2009-03-16 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 09:22 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 09:22 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 01:33 . 2009-03-16 01:33 0 --a------ c:\windows\system32\33.tmp
2009-03-16 01:32 . 2009-03-16 01:32 <DIR> d-------- c:\windows\ERUNT
2009-03-16 01:32 . 2009-03-16 01:51 130 --a------ c:\windows\adobe.bat
2009-03-16 01:32 . 2009-03-16 01:32 0 --a------ c:\windows\_id.dat
2009-03-16 01:28 . 2009-03-16 19:33 <DIR> d-------- C:\SDFix
2009-03-16 01:14 . 2009-03-16 01:14 <DIR> d-------- c:\program files\CCleaner
2009-03-16 01:10 . 2009-03-16 01:10 <DIR> d-------- c:\program files\CleanUp!
2009-03-16 00:00 . 2009-03-17 07:04 64,512 --a------ c:\windows\system32\rpcnet.exe
2009-03-15 23:29 . 2009-03-15 23:29 <DIR> d-------- c:\program files\Trend Micro
2009-03-14 17:41 . 2009-03-14 19:31 0 --a------ C:\tmp.xml
2009-03-14 17:20 . 2009-03-14 17:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nokia
2009-03-14 17:19 . 2008-02-01 15:17 138,112 --a------ c:\windows\system32\drivers\nmwcdnsu.sys
2009-03-14 17:19 . 2008-02-01 15:17 8,320 --a------ c:\windows\system32\drivers\nmwcdnsuc.sys
2009-03-14 14:31 . 2004-08-03 23:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
2009-03-14 14:31 . 2004-08-03 23:08 25,600 --a--c--- c:\windows\system32\dllcache\usbser.sys
2009-03-14 14:31 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2009-03-14 14:31 . 2009-03-14 14:31 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-03-14 14:31 . 2009-03-14 14:31 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-03-14 00:53 . 2009-03-14 00:53 <DIR> d-------- c:\program files\MSXML 6.0
2009-03-14 00:40 . 2009-03-14 15:56 <DIR> d-------- c:\documents and settings\josh\Application Data\PC Suite
2009-03-14 00:40 . 2009-03-14 05:24 <DIR> d-------- c:\documents and settings\josh\Application Data\Nokia
2009-03-14 00:40 . 2009-03-14 01:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Suite
2009-03-14 00:09 . 2009-03-14 00:09 <DIR> d-------- c:\program files\Common Files\PCSuite
2009-03-14 00:09 . 2009-03-14 17:19 <DIR> d-------- c:\program files\Common Files\Nokia
2009-03-14 00:09 . 2008-08-26 09:26 18,816 --a------ c:\windows\system32\drivers\pccsmcfd.sys
2009-03-14 00:08 . 2009-03-14 00:08 <DIR> d-------- c:\program files\PC Connectivity Solution
2009-03-14 00:08 . 2009-03-14 17:19 <DIR> d-------- c:\program files\Nokia
2009-03-14 00:08 . 2008-09-15 07:29 1,112,288 --a------ c:\windows\system32\wdfcoinstaller01007.dll
2009-03-14 00:08 . 2008-09-15 07:56 659,968 --a------ c:\windows\system32\nmwcdcocls.dll
2009-03-14 00:08 . 2008-02-01 15:17 90,624 --a------ c:\windows\system32\nmwcdcls.dll
2009-03-14 00:08 . 2008-09-15 07:56 22,016 --a------ c:\windows\system32\drivers\ccdcmbo.sys
2009-03-14 00:08 . 2008-09-15 07:56 17,664 --a------ c:\windows\system32\drivers\ccdcmb.sys
2009-03-14 00:08 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-03-14 00:08 . 2008-09-15 07:56 8,064 --a------ c:\windows\system32\drivers\usbser_lowerflt.sys
2009-03-14 00:07 . 2009-03-14 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Installations
2009-03-13 23:40 . 2001-08-17 22:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-03-13 23:40 . 2001-08-17 22:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-13 23:40 . 2001-08-17 22:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-03-13 23:40 . 2001-08-17 22:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd106.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-03-13 23:40 . 2001-08-17 14:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-03-13 23:40 . 2001-08-17 14:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-03-13 23:40 . 2001-08-17 14:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-03-13 19:02 . 2009-03-13 19:02 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Intel
2009-03-13 19:02 . 2009-03-13 19:02 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Intel
2009-03-13 19:01 . 2009-03-13 19:01 <DIR> d-------- c:\program files\Common Files\Intel
2009-03-13 19:00 . 2009-03-13 19:00 <DIR> d-------- c:\documents and settings\josh\Application Data\Intel
2009-03-13 19:00 . 2009-03-13 19:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Intel
2009-03-13 03:47 . 2009-03-13 03:47 <DIR> d-------- c:\program files\Oxygen Software
2009-03-12 10:04 . 2009-03-12 10:04 <DIR> d-------- c:\program files\Unibrain
2009-03-11 01:13 . 2008-03-26 11:15 53,248 --a------ c:\windows\system32\CSVer.dll
2009-02-28 08:53 . 2009-02-28 08:53 <DIR> d-------- c:\documents and settings\LocalService\Application Data\WTablet
2009-02-27 22:11 . 2002-03-20 17:14 21,376 -ra------ c:\windows\system32\drivers\dm9usb.sys
2009-02-26 18:27 . 2009-02-26 18:27 6,855,014 --a------ C:\apoca copy.jpg
2009-02-26 16:18 . 2009-02-21 03:28 358,965,094 --a------ C:\apoca.psd
2009-02-26 14:40 . 2009-03-16 01:28 7,680 --ahs---- c:\windows\Thumbs.db
2009-02-25 17:29 . 2009-02-25 17:30 <DIR> d-------- c:\program files\CONEXANT
2009-02-25 17:29 . 2008-02-01 13:18 732,160 --a------ c:\windows\system32\drivers\CHDAud.sys
2009-02-25 17:17 . 2009-03-16 01:11 <DIR> d-------- C:\temp
2009-02-20 02:23 . 2009-02-20 02:23 <DIR> d-------- c:\program files\Common Files\snp2uvc
2009-02-20 02:23 . 2006-12-28 16:20 9,599,744 --a------ c:\windows\system32\drivers\snp2uvc.sys
2009-02-20 02:23 . 2006-12-28 19:48 589,824 --a------ c:\windows\vsnp2uvc.exe
2009-02-20 02:23 . 2007-01-11 18:01 299,008 --a------ c:\windows\system32\vsnp2uvc.dll
2009-02-20 02:23 . 2006-12-22 16:25 98,304 --a------ c:\windows\system32\rsnp2uvc.dll
2009-02-20 02:23 . 2005-11-23 13:55 53,248 --a------ c:\windows\system32\csnp2uvc.dll
2009-02-20 02:23 . 2006-12-28 11:21 27,904 --a------ c:\windows\system32\drivers\sncduvc.sys
2009-02-20 02:23 . 2006-05-19 11:39 15,497 --a------ c:\windows\snp2uvc.ini
2009-02-20 02:23 . 2006-05-19 11:53 13,022 --a------ c:\windows\snp2uvc.src
2009-02-19 23:11 . 2009-02-19 23:11 <DIR> d-------- c:\program files\Uniblue
2009-02-19 23:11 . 2009-02-19 23:11 <DIR> d-------- c:\documents and settings\josh\Application Data\Uniblue
2009-02-19 23:11 . 2009-03-12 10:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-19 20:54 . 2009-02-20 01:15 <DIR> d-------- c:\program files\Microsoft Bootvis
2009-02-19 19:49 . 2009-02-19 23:11 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2009-02-19 19:39 . 2009-03-17 01:43 90,112 --a------ c:\windows\DUMPadb4.tmp
2009-02-17 16:05 . 2009-02-26 18:28 13,824 --ahs---- C:\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 03:04 64,512 ----a-w c:\windows\system32\rpcnet.dll
2009-03-17 03:04 --------- d-----w c:\documents and settings\josh\Application Data\WTablet
2009-03-17 01:30 17,408 ----a-w c:\windows\system32\rpcnetp.dll
2009-03-16 22:43 --------- d-----w c:\program files\Autodesk
2009-03-16 22:00 --------- d-----w c:\program files\Ares
2009-03-16 21:06 --------- d-----w c:\program files\O2Micro Flash Memory Card Driver
2009-03-16 20:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-15 20:23 182,912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-15 19:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-15 18:42 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-15 15:57 --------- d-----w c:\program files\MagicISO
2009-03-15 11:40 81,984 ----a-w c:\windows\system32\bdod.bin
2009-03-14 20:40 --------- d-----w c:\documents and settings\josh\Application Data\Hamachi
2009-03-13 13:31 --------- d-----w c:\program files\Intel
2009-03-13 13:30 397,312 ----a-w c:\windows\system32\AegisI5Installer.exe
2009-03-11 15:08 --------- d-----w c:\program files\Garena
2009-03-11 08:29 --------- d-----w c:\program files\Winamp
2009-03-11 00:07 --------- d-----w c:\program files\PC Auto Shutdown
2009-02-26 09:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 04:16 --------- d-----w c:\program files\BitLord
2009-02-24 21:05 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2009-02-16 12:06 --------- d-----w c:\program files\Common Files\BitDefender
2009-02-16 12:06 --------- d-----w c:\program files\BitDefender
2009-02-15 14:17 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 14:17 --------- d-----w c:\documents and settings\josh\Application Data\SUPERAntiSpyware.com
2009-02-15 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-08 10:34 --------- d-----w c:\documents and settings\josh\Application Data\Autodesk
2009-02-08 07:27 --------- d-----w c:\program files\Common Files\Autodesk Shared
2009-02-08 07:23 --------- d-----w c:\program files\MSBuild
2009-02-08 07:20 --------- d-----w c:\program files\Reference Assemblies
2009-02-03 09:42 --------- d-----w c:\documents and settings\josh\Application Data\Media Player Classic
2009-02-03 09:41 --------- d-----w c:\program files\K-Lite Codec Pack
2009-01-30 20:01 62,464 ----a-w c:\windows\system32\UTSCSI.EXE
2009-01-30 18:10 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-30 18:10 12,552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-01-30 18:10 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-30 18:10 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-30 17:06 --------- d-----w c:\program files\AVG
2009-01-30 15:40 --------- d-----w c:\program files\My directory
2009-01-26 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-26 14:59 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-25 20:39 --------- d-----w c:\program files\Tablet
2009-01-25 08:18 --------- d-----w c:\program files\Yahoo!
2009-01-25 08:17 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-01-24 15:13 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-01-23 07:44 --------- d-----w c:\documents and settings\josh\Application Data\Red Kawa
2009-01-19 15:37 --------- d-----w c:\program files\Red Kawa
2009-01-19 15:37 --------- d-----w c:\program files\AviSynth 2.5
2009-01-18 12:16 234,418 ----a-w c:\windows\EasyGifAnimator_Toolbar_Uninstaller_3359.exe
2009-01-18 12:16 --------- d-----w c:\program files\Easy Gif Animator Extension
2009-01-18 12:16 --------- d-----w c:\program files\Easy GIF Animator
2008-11-13 14:26 144,198 ----a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
.

------- Sigcheck -------

2009-03-16 01:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\dllcache\ndis.sys
2009-03-16 01:53 213376 558635d3af1c7546d26067d5d9b6959e c:\windows\system32\drivers\ndis.sys

2004-08-04 05:37 1049600 ae3af584f769a87ba153940bc90dcf8b c:\windows\explorer.exe
2004-08-04 05:37 1049600 f586cece46277ea2a04670ec7c0f05ec c:\windows\system32\dllcache\explorer.exe

2004-08-04 05:37 32768 ab8810dcc6d7a2882f5e61e23675cc98 c:\windows\system32\ctfmon.exe
2004-08-04 05:37 32768 627fb6ed99fd4a475bb415e43c728feb c:\windows\system32\dllcache\ctfmon.exe

2004-08-04 05:37 75776 e740fe6f4e10182a7ab9663cec0b39f7 c:\windows\system32\spoolsv.exe
2004-08-04 05:37 75264 12eeb2aa03e81118d89d18c3b3953c40 c:\windows\system32\dllcache\spoolsv.exe

2004-08-04 05:37 41984 26c2b8316816647f710da9613e1f809d c:\windows\system32\userinit.exe
2004-08-04 05:37 41984 c30c24067416ae1bf23afbc8e860e8c3 c:\windows\system32\dllcache\userinit.exe
.
 
((((((((((((((((((((((((((((( SnapShot_2009-03-17_ 0.27.10.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
- 2009-03-16 18:55:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-17 02:53:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-16 18:55:26 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2009-03-17 02:53:10 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2009-03-16 18:55:29 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-17 02:53:11 65,536 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-16 18:55:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031720090318\index.dat
+ 2009-03-17 02:53:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009031720090318\index.dat
- 2009-03-16 18:55:29 245,760 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-17 02:53:11 311,296 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-05 21:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-02-05 21:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2009-02-05 21:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2005-09-23 00:37:24 95,744 ----a-w c:\windows\system32\HouseCall 6.6\ATL80.dll
+ 2008-12-05 12:01:46 459,264 ----a-w c:\windows\system32\HouseCall 6.6\Housecall_ActiveX.dll
+ 2005-09-23 02:46:14 1,079,808 ----a-w c:\windows\system32\HouseCall 6.6\MFC80U.dll
+ 2005-09-23 00:35:58 548,864 ----a-w c:\windows\system32\HouseCall 6.6\MSVCP80.dll
+ 2005-09-23 00:35:58 626,688 ----a-w c:\windows\system32\HouseCall 6.6\MSVCR80.dll
+ 2009-03-17 03:04:00 16,384 ----atw c:\windows\temp\Perflib_Perfdata_778.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 32768]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-10-16 1212416]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-06 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 23:40 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vlqmcw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JPEG"= P1160Jpg.dll
"VIDC.MJPG"= P1160Jpg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^josh^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\josh\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2009-01-30 23:40 1601304 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-10-25 17:41 434176 c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:37 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
--a------ 2003-11-30 23:13 1373696 c:\documents and settings\josh\My Documents\progs\FreeRAM XP Pro 1.40.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-01-25 11:55 166424 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-10-03 15:44 178712 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2008-01-25 11:56 141848 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-04-17 12:41 217088 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-04-13 06:07 90112 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-01-25 11:56 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-17 02:43 434176 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDFix]
--a------ 2008-11-06 00:58 964661 c:\sdfix\RunThis.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-09-23 14:17 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
--a------ 2004-12-21 13:34 1810432 c:\program files\Spyware Doctor\swdoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-01-15 16:17 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-20 16:23 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 51200 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Autodesk\\3dsmax.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-30 12552]
R0 sojubus;sojubus;c:\windows\system32\drivers\sojubus.sys [2003-10-05 123520]
R0 sojuscsi;sojuscsi;c:\windows\system32\drivers\sojuscsi.sys [2003-09-28 5504]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-17 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-30 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-30 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-03-17 20560]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-30 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit;c:\program files\Autodesk\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-03-10 86016]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2009-02-25 732160]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-06-19 48600]
S2 DMserv;Config Storage;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 amadddezs;amadddezs;\??\c:\windows\system32\082.tmp --> c:\windows\system32\082.tmp [?]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2009-02-27 21376]
S3 epxivi;epxivi;\??\c:\windows\system32\01E.tmp --> c:\windows\system32\01E.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-14 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-14 8320]
S3 P1160COM;Creative PC-CAM 880 (Camera);c:\windows\system32\drivers\P1160Buk.sys [2008-10-06 42784]
S3 P1160VID;Creative PC-CAM 880 (Video);c:\windows\system32\drivers\P1160Vid.sys [2008-10-06 46048]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 UBFWNet;Unibrain 1394 FireNet Adapter NT Driver;c:\windows\system32\drivers\ubfwnet.sys [2008-11-03 37072]
S3 wmzrcy;wmzrcy;\??\c:\windows\system32\09.tmp --> c:\windows\system32\09.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
DMserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81bbefc2-d34f-11dd-9144-001e68393f52}]
\Shell\Auto\command - a.net
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL a.net

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fec4a572-88da-11dd-9065-001e68393f52}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs
.
Contents of the 'Scheduled Tasks' folder

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2009-03-17 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]

2009-03-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 09:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-reader_s - c:\windows\System32\reader_s.exe


.
------- Supplementary Scan -------
.
uStart Page = Facebook | Welcome to Facebook
uInternet Settings,ProxyOverride = *.local
TCP: {E75DCF64-7F09-4EFD-B561-3DF70D3472E3} = 192.168.0.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-17 08:34:42
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\amadddezs]
"ImagePath"="\??\c:\windows\system32\082.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\epxivi]
"ImagePath"="\??\c:\windows\system32\01E.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wmzrcy]
"ImagePath"="\??\c:\windows\system32\09.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DMserv]
"ServiceDll"="c:\windows\system32\xbjlpat.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WudfHost.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\Tablet.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\UTSCSI.EXE
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-03-17 8:38:33 - machine was rebooted [josh]
ComboFix-quarantined-files.txt 2009-03-17 03:08:28
ComboFix2.txt 2009-03-16 18:58:04
ComboFix3.txt 2009-03-16 03:51:20
ComboFix4.txt 2009-03-15 18:30:51

Pre-Run: 23,650,729,984 bytes free
Post-Run: 23,860,383,744 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=1 Sets=1,2,3,4,651
415
 
Oh, and I think ComboFix removes the license of antivirus programs. It would explain why my BitDefender suddenly said expired, and even Avast.
 
It's 2:30 AM, so I think I should let you sleep :( It's 9 AM here; I haven't slept because of the stupid computer and stupid virus... stupid.
 
Let's try this:

Download AVG Free, update, then run a Full System Scan. Delete anything it finds, delete the files in quarantine, etc.

Disable System Restore

Disconnect from the Internet and do not reconnect for a few hours at least.

Run HijackThis, Scan, and remove the 1 or 2 entries that show up as c:\documents and settings\josh\reader_s.exe or anything that shows reader_s.exe. You may need to scan a few times, as I did when I was on your system.

Make sure the process is killed in the Task Manager. Keep checking the Task Manager in case it comes back; each time you see it, kill it.

Run Combofix - Save log
Run Malwarebytes - Save log
Run Cleanup!

Delete these entries if found:
C:\windows\system32\reader_s.exe
C:\Documents and Settings\User\reader_s.exe

Delete in registry as well
HKLM\software\windows\currentversion\run\reader_s.exe
HKCU\software\microsoft\windows\currentversion\run\reader_s.exe

Reset your router by pressing the small reset button on the back of the router. You may need a pen or paper clip to do this. Hold for 15 seconds, then turn it off, then back on. This program might have your IP logged; even after a format, once you connect to the internet you will be reinfected.

Now run StopZilla
Install STOPzilla. Be Secure.


Now reboot. Perform this process once again if you see this file back again.

Post the results of StopZilla as well as the new ComboFix and Malwarebytes logs.
 
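Added example (not from either poster in this thread): a small Python triage script that reads the loading-point sections of the ComboFix log posted above and flags the entries a responder would chase first. The rules encode what that log shows: Winlogon Userinit pointing at explorer.exe instead of system32\userinit.exe, a non-empty AppInit_DLLs, the XP firewall policy set to 0, services whose image is a .tmp file under system32, a netsvcs-hosted svchost service whose ServiceDll ComboFix had to pull out of the registry, and MountPoints2 AutoRun/open commands from removable media. The embedded sample log is a trimmed copy of lines from this thread; the rule names, the assumed %SystemRoot% of c:\windows, and the regexes are the example's own.

```python
from __future__ import annotations

import re

# Constructed sample: a trimmed copy of the loading-point lines from the ComboFix
# log posted in this thread. Only the sections the rules below look at are kept.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vlqmcw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-03-17 114768]
S2 DMserv;Config Storage;c:\windows\system32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 amadddezs;amadddezs;\??\c:\windows\system32\082.tmp --> c:\windows\system32\082.tmp [?]
S3 epxivi;epxivi;\??\c:\windows\system32\01E.tmp --> c:\windows\system32\01E.tmp [?]
S3 wmzrcy;wmzrcy;\??\c:\windows\system32\09.tmp --> c:\windows\system32\09.tmp [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fec4a572-88da-11dd-9065-001e68393f52}]
\Shell\AutoRun\command - wscript.exe .\.vbs
\Shell\open\command - wscript.exe .\.vbs

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DMserv]
"ServiceDll"="c:\windows\system32\xbjlpat.dll"
"""

# "R3 name;display;image [date size]"  or  "S3 name;display;\??\x.tmp --> x.tmp [?]"
SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)(?:\s+\[[^\]]*\])?$")
# a service/driver image named like system32\082.tmp (hex digits + .tmp)
TMP_IMAGE = re.compile(r"\\[0-9a-f]+\.tmp\b", re.IGNORECASE)
# autorun.inf-derived verbs ComboFix lists under MountPoints2
AUTORUN_VERB = re.compile(r"^\\shell\\(auto|autorun|open)\\command\b", re.IGNORECASE)
# what Userinit points at on a stock XP install (assumption: %SystemRoot% is c:\windows)
GOOD_USERINIT = "c:\\windows\\system32\\userinit.exe"


def find_persistence(log: str) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for loading points that should not look like this."""
    findings: list[tuple[str, str]] = []
    netsvcs: set[str] = set()                 # services hosted by svchost.exe -k netsvcs
    service_dlls: list[tuple[str, str]] = []  # (service name, ServiceDll) from the registry dump
    key = ""                                  # registry key the current line belongs to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        leaf = key.rsplit("\\", 1)[-1]        # last component of the current key

        m = SERVICE_LINE.match(line)
        if m:
            name, image = m.group(1).strip(), m.group(2).strip()
            if "svchost.exe -k netsvcs" in image.lower():
                netsvcs.add(name.lower())
            if TMP_IMAGE.search(image):
                findings.append(("service_tmp_image", name + " -> " + image))
            continue

        m = re.match(r'"userinit"="([^"]*)"', line, re.IGNORECASE)
        if m and key.endswith("\\winlogon"):
            value = m.group(1).strip().lower()
            if value.rstrip(",") != GOOD_USERINIT:
                findings.append(("winlogon_userinit", value))
            continue

        m = re.match(r'"appinit_dlls"=(.*)$', line, re.IGNORECASE)
        if m and key.endswith("\\windows"):
            dlls = m.group(1).strip().strip('"')
            if dlls:  # any DLL here is injected into every process that loads user32
                findings.append(("appinit_dlls", dlls))
            continue

        if "firewallpolicy" in key and re.match(r'"enablefirewall"=\s*0\b', line, re.IGNORECASE):
            findings.append(("firewall_disabled", leaf))
            continue

        if "mountpoints2" in key and AUTORUN_VERB.match(line):
            findings.append(("mountpoints2_autorun", leaf + " " + line))
            continue

        m = re.match(r'"servicedll"="([^"]*)"', line, re.IGNORECASE)
        if m and "\\services\\" in key:
            service_dlls.append((leaf, m.group(1)))

    # A netsvcs-hosted service whose ServiceDll ComboFix had to dig out of the
    # registry is the classic svchost.exe persistence trick; report the pairing.
    for name, dll in service_dlls:
        if name in netsvcs:
            findings.append(("netsvcs_servicedll", name + " -> " + dll))
    return findings


if __name__ == "__main__":
    for rule, detail in find_persistence(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```

Run against the full log it prints one line per finding. Note that it surfaces items the reply above does not mention (the DMserv service backed by xbjlpat.dll and the three .tmp-backed services still registered under ControlSet004), which matters when a later ComboFix log "still shows the same items".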
Dude, reader was removed; can't find it anywhere. I think it's completely gone. As for AVG, I'm using AVG 8, updated, and scanning, but it didn't find anything except a tmp file in sys32, which I deleted. Scanned with Avast also and nothing turned up. As for the router... err, I'm not using one, lol. I'll run ComboFix and the others you told me to and post the log.
 
Think I'm using too many AVs/spyware progs. Tell me which to keep/remove after:
avast 4.7
AVG 8
SUPERAntiSpyware
Spyware Doctor
StopZilla and all the others you told me to download
 
Well, StopZilla isn't opening, and I can't get into Safe Mode; it gives me a blue crash screen.
Sigh, I'm at a loss. Maybe I should just do a reinstall of Windows on C, formatting and then installing?
ComboFix log still showing the same items as infected, though.
 