Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)

[green tea]

I have no clue where my XP cd is at this time. It's been a good couple of years since I've seen it.

And my cd drive/dvd drive have not been working for a while as well. Only way I can get stuff into my pc is d/l through the internet or via usb.

I know doing system restore is dangerous since all the virus would still be there, but would it bring this application back?

[green tea]

Only found the 4-disc Recovery CD that came with my machine. I think XP was already pre-installed on the computer when we got it.

Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?

[evilfantasy]

Is there another way I can get the correct version? Would it be possible for you to post a d/l link for it and then I d/l and add it to the System folders?

That's illegal.

Try to find the install disk, or use the recovery CD's and reinstall. Stop downloading torrents. I can't do much good if you are just going to keep making the same mistakes over and over.

[green tea]

I honestly didn't think torrents could be dangerous if I got them from reliable sites. I've been using them for many years and it's only this year that the problems happened. I know, it's really stupid..

Would you still be able to help one more time (Hopefully)?? Can I use the recovery cd and replace that one system file, or does using the Recovery cd mean everything I have gets wiped out?
..

I went into the system32 folder to see if the Rundll32.exe was in there.. it is but the icon is a blank sheet of paper. The other exe all look like windows.

[green tea]

Update:

Still not having any luck when I double click a program.. the "Open with" window still pops up. But I decided to test it, and did "Browse" and was able to open up the programs by going to Program file folder, and double clicking on the "exe" files from there.

I could open up SAS again, but cannot access the logs. I was able to run MBAM though, and here is the log. I can only paste it, because when I try to do Save As, Notepad crashes.


...................

Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Full Scan (C:\|)
Objects scanned: 112995
Time elapsed: 50 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 21
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 6
Files Infected: 54

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0bd6303c-42be-4a7c-8eaf-1cb19d7eeff4} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186f05-bbbb-4a39-864f-72d84615c679} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a69f6966-e4f3-4290-8301-cc9342894fe5} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WLCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrjcuon (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebProxy (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM1f8c01e5 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1d0b1b2f-4d44-48dc-ae5a-f4bbbae2a83f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkkcdvt  -> Delete on reboot.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\b1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ccvdxtdx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xdtxdvcc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkKcDvt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvDcKkkj.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvDcKkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuxslnhr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhnlsxuw.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sockots64.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\CPV\CPV8.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\JavaCore.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000070.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000071.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000073.dll (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000078.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000079.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000095.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000096.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000099.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0000100.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001182.exe (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001184.dll (Adware.TargetSaver) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001185.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001186.dll (AdWare.CommAd) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001187.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0001190.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\b116.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b138.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b152.exe (Trojan.Insider) -> Quarantined and deleted successfully.
C:\WINDOWS\b155.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b157.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lcntmkdn.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vptyufqy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\nvxbarr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\n3\predircom3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wTMP\idevdpll.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrixtvyx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000070.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg. (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WLCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1000106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJCUon.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\b156.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[green tea]

OMG OMG!!
After running MBAM and rebooting, I can now double click on any application and it will load. No "open with" window as of now! I can also access the Add/Remove program section again.

Evilfantasy, hope you're still on board with helping me again (and everyone else too). Should I continue with HJT?
..........

Here is the SAS log. This was done on 4/26 but due to the rundll32.exe problem, I couldn't access it until now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2008 at 12:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3376
Trace Rules Database Version: 1370

Scan type       : Complete Scan
Total Scan Time : 01:46:06

Memory items scanned      : 199
Memory threats detected   : 2
Registry items scanned    : 6117
Registry threats detected : 50
File items scanned        : 88434
File threats detected     : 20

Adware.Vundo Variant/Resident
   C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL
   C:\WINDOWS\SYSTEM32\JKKKCDVT.DLL

Worm.Rbot-LD
   C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   [ntuser] C:\WINDOWS\SYSTEM32\DRIVERS\SPOOLS.EXE
   HKLM\System\ControlSet005\Services\Schedule
   HKLM\System\ControlSet006\Services\Schedule
   HKLM\System\CurrentControlSet\Services\Schedule
   C:\WINDOWS\Prefetch\SPOOLS.EXE-1394AE12.pf

Adware.Vundo-Variant
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2797E8D2-3473-4A53-946C-C090C02A72CA}
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32
   HKCR\CLSID\{2797E8D2-3473-4A53-946C-C090C02A72CA}\InprocServer32#ThreadingModel

Unclassified.Unknown Origin
   HKLM\System\ControlSet005\Services\cmdService
   C:\WINDOWS\VXNLCG\COMMAND.EXE
   HKLM\System\ControlSet006\Services\cmdService
   HKLM\System\CurrentControlSet\Services\cmdService
   C:\WINDOWS\Prefetch\COMMAND.EXE-14E8AF63.pf

Adware.WebHancer
   HKLM\Software\WebHancer
   HKLM\Software\WebHancer#BaseDir
   HKLM\Software\WebHancer\CC
   HKLM\Software\WebHancer\CC#DistTag
   HKLM\Software\WebHancer\CC#id

Adware.ClickSpring
   HKLM\Software\ClickSpring
   HKLM\Software\ClickSpring#UBWKR

Trojan.cmdService
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
   HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Trojan.ZenoSearch
   C:\WINDOWS\system32\msnav32.ax

Adware.Adservs
   C:\WINDOWS\system32\atmtd.dll
   C:\WINDOWS\system32\atmtd.dll._
   C:\WINDOWS\SYSTEM32\B1\CBWA3UI.EXE
   C:\WINDOWS\VXNLCG\ASAPPSRV.DLL
   C:\WINDOWS\Prefetch\CBWA3UI.EXE-14E989A8.pf

Trojan.NetMon/DNSChange
   C:\Program Files\Network Monitor\netmon.exe
   C:\Program Files\Network Monitor
   C:\WINDOWS\Prefetch\NETMON.EXE-09C9CC43.pf

Adware.Tracking Cookie
   C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt

Trojan.Downloader-Gen/Win
   C:\WINDOWS\MROFINU72.EXE

Adware.ClickSpring/Yazzle
   C:\WINDOWS\PREFETCH\YAZZLE1552OINADMIN.EXE-01D813FF.PF

Adware.Vundo-Variant/Small-A
   C:\WINDOWS\SYSTEM32\CYNFGQWG.DLL

Trojan.Unknown Origin
   C:\WINDOWS\UNINSTALL_NMON.VBS
   C:\WINDOWS\VXNLCG\PRH5W0.VBS

[green tea]

Here's the HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:29 AM, on 2008-04-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [1cbf3279] rundll32.exe "C:\WINDOWS\system32\ccvdxtdx.dll",b
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199778064781
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[evilfantasy]

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard).
  
• Finally add the contents of the Report.txt in your next post.

[green tea]

Same situation with SDfix as before. It ran completely and then prompted me to reboot. However, after rebooting in safe mode and logging in, the desktop icons loaded automatically. No Fixtools or anything from SDfix popped up.

Here's what my report.txt says
...

SDFix: Version 1.177
Run by User on 2008-04-29 at 06:19 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MRV47

Path :
\??\C:\WINDOWS\System32\drivers\Mrv47.sys

MRV47 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

[green tea]

Just noticed these in the Add/Remove list:

vcsron
csvnro
svconr

I first saw "vcsron", deleted that. But after I went back to check the list, "csvnro" appeared in it's place. Deleted that, and then the next one appeared. I hope more doesn't show up.

[evilfantasy]

We need to try combofix.

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

[green tea]

Just got home, and finished my Combofix. It didn't reboot to normal mode like the first time though. It was rebooting and then after the Window XP load screen, the monitor just said no signal, and then the pc shut down. Then it rebooted, and I went to Safemode with networking.

ComboFix 08-04-29.5 - User 2008-04-30 18:14:31.8 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.260 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\ASKS~1
C:\Temp\1cb
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxhfywlk.dll
C:\WINDOWS\system32\ewdlftut.dll
C:\WINDOWS\system32\gwqgfnyc.ini
C:\WINDOWS\system32\hiqvdcgt.dll
C:\WINDOWS\system32\hpyqchfc.dll
C:\WINDOWS\system32\jkkKcDvt.dll
C:\WINDOWS\system32\kjbblsww.dll
C:\WINDOWS\system32\lelptvxx.dll
C:\WINDOWS\system32\n3
C:\WINDOWS\system32\oyxyaglt.dll
C:\WINDOWS\system32\rqRJCUon.dll
C:\WINDOWS\system32\tutfldwe.ini
C:\WINDOWS\system32\tvDcKkkj.ini
C:\WINDOWS\system32\tvDcKkkj.ini2
C:\WINDOWS\system32\wgpaftim.dll
C:\WINDOWS\system32\wnbqxspc.dll
C:\WINDOWS\system32\wnvgthhx.dll
C:\WINDOWS\system32\wwslbbjk.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSECURITY1.209.4
-------\Service_MsSecurity1.209.4


(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2002-08-29 05:00   4,224   --a------   C:\WINDOWS\system32\beep.sys
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-26 10:00 . 2008-04-26 10:00   861   --a------   C:\WINDOWS\system32\winpfz33.sys
2008-04-26 09:59 . 2008-04-26 12:33   <DIR>   d--hs----   C:\WINDOWS\VXNlcg
2008-04-26 09:59 . 2008-04-29 00:06   <DIR>   d--------   C:\WINDOWS\system32\wTMP
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\WINDOWS\system32\pnVes06
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\zvebs14
2008-04-26 09:59 . 2008-04-26 09:59   <DIR>   d--------   C:\Temp\kvebs14
2008-04-26 09:59 . 2008-04-26 09:59   400,585   --a------   C:\WINDOWS\system32\g4.exe
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]
"Malwarebytes Anti-Malware Reboot"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-04-07 20:17 1175160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCUon]
rqRJCUon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
S2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
S2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

*Newly Created Service* - CXTUNER
*Newly Created Service* - CXXBAR
.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:21:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
.
**************************************************************************
.
Completion time: 2008-04-30 18:26:07 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 01:26:04

Pre-Run: 4,014,170,112 bytes free
Post-Run: 4,019,470,336 bytes free

167   --- E O F ---   2008-04-09 10:04:51

[green tea]

I just tried saving my Combofix log but when I when to click "Save as", notepad automatically closed by itself.

I know the CFScript step is next, but since I can't save the notepad files on my own, can you help save a CFScript.txt for me, and then attach it so I can d/l the entire file. As long as I don't open up notepad and try and save it, I'm ok.

Also, vcsron is still on my Add/Remove list.

[evilfantasy]

cfscript log attached.

Drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Next:

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click:Delete Files
When prompted, check:Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:

• Temporary Files
  
• Temporary Internet Files
  
• RecycleBin

Agree to the prompt to perform the action...


Next:

Please download    ATF Cleaner by Atribuneand save it to your Desktop
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

• Windows Temp
  
• Current User Temp
  
• All Users Temp
  
• Temporary Internet Files
  
• Java Cache

The rest are optional - if you want to remove everything, check Select All
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
It is important to restart the computer after running ATF Cleaner.

Next post
Combofix log
Fresh Hijackthis log



[recovering space - attachment deleted by admin]

[green tea]

ComboFix 08-04-29.5 - User 2008-04-30 19:26:35.9 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.326 [GMT -7:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\winpfz33.sys
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\kvebs14
C:\Temp\kvebs14\zvKarru.log
C:\Temp\zvebs14
C:\WINDOWS\system32\beep.sys
C:\WINDOWS\system32\g4.exe
C:\WINDOWS\system32\pnVes06
C:\WINDOWS\system32\pnVes06\pnVes061083.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\wTMP
C:\WINDOWS\VXNlcg

.
(((((((((((((((((((((((((   Files Created from 2008-04-01 to 2008-05-01  )))))))))))))))))))))))))))))))
.

2008-04-29 21:17 . 2008-04-29 21:17   <DIR>   d--------   C:\Program Files\Vcsron
2008-04-29 18:12 . 2008-04-30 18:16   <DIR>   d--------   C:\SDFix
2008-04-26 10:26 . 2008-04-26 10:35   578   --a------   C:\WINDOWS\index.html
2008-04-26 10:06 . 2008-04-30 10:10   109,738   --a------   C:\WINDOWS\BM1f8c01e5.xml
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Program Files\BillP Studios
2008-04-22 21:19 . 2008-04-22 21:19   <DIR>   d--------   C:\Documents and Settings\User\Application Data\WinPatrol
2008-04-22 21:06 . 2008-04-22 21:06   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-04-22 21:06 . 2008-04-22 21:06   1,409   --a------   C:\WINDOWS\QTFont.for
2008-04-22 20:22 . 2008-04-22 20:22   <DIR>   d--------   C:\Program Files\CleanUp!
2008-04-20 10:01 . 2008-04-20 10:02   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Malwarebytes
2008-04-19 23:35 . 2008-04-19 23:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 07:24   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\{2FFF1D80-86D2-4182-B08D-B83B0BA71F57}.dat
2003-03-12 00:39   32   --sha-w   C:\WINDOWS\system32\{AA0C2FA6-E16C-49D0-B082-57DD9A57705D}.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-04-30_18.25.51.17   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-01 01:21:23   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
+ 2008-05-01 02:28:34   2,048   --s-a-w   C:\WINDOWS\bootstat.dat
- 2008-05-01 01:21:26   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-01 02:28:35   16,384   ----a-w   C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-01 01:21:26   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-01 02:28:35   32,768   ----a-w   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"Vcsron"="C:\Program Files\Vcsron\Vcsron.exe" [2008-04-26 10:02 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-01-26 09:07 5529600]
"nwiz"="nwiz.exe" [2005-01-26 09:07 1490944 C:\WINDOWS\system32\nwiz.exe]
"Disk Monitor"="C:\Program Files\\IC Card Reader Driver v1.8e2\Disk_Monitor.exe" [2008-01-08 08:27 440832]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-01-26 09:07 86016]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2008-01-07 22:35 455168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-08 08:27 278528]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 22:38 316728]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-03-12 15:04:53 102400]
InterVideo WinScheduler.lnk - C:\Program Files\InterVideo\WinDVR\WinScheduler.exe [2003-03-12 15:06:28 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_SZ            msv1_0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7467:TCP"= 7467:TCP:BitComet 7467 TCP
"7467:UDP"= 7467:UDP:BitComet 7467 UDP

R1 GearAspiSys;GearAspiSys;C:\WINDOWS\system32\drivers\gearaspisys.sys [2002-06-24 11:00]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
R2 BT848;CxVCap, WDM Video Capture;C:\WINDOWS\system32\drivers\cxvcap.sys [2002-08-14 20:03]
R2 CXTUNER;CxTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\CXTUNER.sys [2002-08-14 19:58]
R2 CXXBAR;CxXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\CXXBAR.sys [2002-08-14 19:58]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe [2001-08-06 07:41]
S1 nvxbarr;nvxbarr;C:\WINDOWS\system32\drivers\nvxbarr.sys []
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS [2001-04-11 17:58]
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS [2001-04-11 17:58]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-04-07 20:17]
S3 NETGEAR_MA111;NETGEAR 802.11b MA111 Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2003-08-29 08:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 10:00:00 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
- C:\Program Files\AntiSpywareApp\AntiSpyware .ex
- C:\Program Files\AntiSpywareApp
"2008-04-26 03:35:30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-04-26 16:17:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 19:29:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\clbdriver.sys 6656 bytes executable
C:\WINDOWS\system32\clb.dll 10752 bytes executable
C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
C:\WINDOWS\system32\clbcfg.dat 1695 bytes
C:\WINDOWS\system32\clbdll.dll 29184 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\clbdriver]
"imagepath"="\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\IC Card Reader Driver v1.8e2\Disk_Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-30 19:33:49 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-01 02:33:43
ComboFix2.txt  2008-05-01 01:26:08

Pre-Run: 4,032,126,976 bytes free
Post-Run: 4,015,120,384 bytes free

162   --- E O F ---   2008-04-09 10:04:51