
Author Topic: TDSSERV-Need help to remove  (Read 12642 times)


ZODD

    Topic Starter


    Rookie

    TDSSERV-Need help to remove
    « on: October 01, 2008, 09:07:14 PM »
    I have the trojan tdsserv and need help to remove it from my system. My virus software can't delete it, but Spyware Doctor detects it (but I have the free version, it can't delete it) and I do not want to buy more virus software.

    So if anyone knows how to manually remove it please help. I have HijackThis.

    P.S. I have had a string of trojans before this one and have deleted them (zlob and gaslide.b), although they could still be on the system.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: TDSSERV-Need help to remove
    « Reply #1 on: October 01, 2008, 09:17:58 PM »
    Welcome to CH.

    Please print these instructions as they will be needed later when Internet access is not available.
     
    Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/149534018/SDFix.exe.html
     
    When using this tool, you must use the Administrator's account or an account with Administrative rights.
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
     
    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.

    ZODD


      Re: TDSSERV-Need help to remove
      « Reply #2 on: October 02, 2008, 03:33:46 AM »
      Here is the report


      SDFix: Version 1.230
      Run by User on Thu 02/10/2008 at 06:57 PM

      Microsoft Windows XP [Version 5.1.2600]
      Running From: C:\SDFix

      Checking Services :

      Name :
      tdssserv

      Path :
      \systemroot\system32\drivers\TDSSserv.sys

      tdssserv - Deleted



      Restoring Default Security Values
      Restoring Default Hosts File

      Rebooting


      Checking Files :

      No Trojan Files Found






      Removing Temp Files

      ADS Check :
       


                                       Final Check :

      catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-10-02 19:22:32
      Windows 5.1.2600 Service Pack 2 NTFS

      detected NTDLL code modification:
      ZwClose

      scanning hidden processes ...

      scanning hidden services & system hive ...


      scanning hidden registry entries ...

      scanning hidden files ...

      scan completed successfully
      hidden processes: 0
      hidden services: 0
      hidden files: 0


      Remaining Services :




      Authorized Application Key Export:

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      "C:\\Games\\Battlefield 2\\BF2.exe"="C:\\Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
      "C:\\Games\\Black and White\\runblack.exe"="C:\\Games\\Black and White\\runblack.exe:*:Enabled:lh"
      "C:\\Games\\Bet on Soldier Single Player Demo\\BoS.exe"="C:\\Games\\Bet on Soldier Single Player Demo\\BoS.exe:*:Disabled:BoS"
      "C:\\Demos\\Battlefield 2\\BF2.exe"="C:\\Demos\\Battlefield 2\\BF2.exe:*:Disabled:BF2"
      "C:\\Demos\\Steam\\SteamApps\\wolvf\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"="C:\\Demos\\Steam\\SteamApps\\wolvf\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe:*:Disabled:Rag_Doll_Kung_Fu_Steam"
      "C:\\Demos\\Bet on Soldier Single Player Demo\\BoS.exe"="C:\\Demos\\Bet on Soldier Single Player Demo\\BoS.exe:*:Disabled:BoS"
      "C:\\Games\\ragdoll\\SteamApps\\audio_stream\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe"="C:\\Games\\ragdoll\\SteamApps\\audio_stream\\rag doll kung fu demo\\Rag_Doll_Kung_Fu_Steam.exe:*:Enabled:Rag_Doll_Kung_Fu_Steam"
      "C:\\Games\\Game Spy\\Aphex.exe"="C:\\Games\\Game Spy\\Aphex.exe:*:Enabled:GameSpy Arcade"
      "C:\\Demos\\Lord Of The Rings\\Rings.exe"="C:\\Demos\\Lord Of The Rings\\Rings.exe:*:Enabled:Rings"
      "C:\\Games\\Little Fighter\\LF2_v1.9c\\lf2.exe"="C:\\Games\\Little Fighter\\LF2_v1.9c\\lf2.exe:*:Enabled:lf2"
      "C:\\Demos\\Savage\\silverback.exe"="C:\\Demos\\Savage\\silverback.exe:*:Enabled:silverback"
      "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
      "C:\\Demos\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Demos\\Battlefield 2\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
      "C:\\Demos\\Battlefield 2\\BF2VoipServer_w32ded.exe"="C:\\Demos\\Battlefield 2\\BF2VoipServer_w32ded.exe:*:Enabled:BF2VoipServer_w32ded"
      "C:\\Demos\\Battlefield 2\\BF2VoipServer.exe"="C:\\Demos\\Battlefield 2\\BF2VoipServer.exe:*:Enabled:BF2VoipServer"
      "C:\\Demos\\panzer\\PEA.exe"="C:\\Demos\\panzer\\PEA.exe:*:Disabled:PEA"
      "C:\\Games\\Steam\\SteamApps\\audio_stream\\counter-strike source\\hl2.exe"="C:\\Games\\Steam\\SteamApps\\audio_stream\\counter-strike source\\hl2.exe:*:Enabled:hl2"
      "C:\\Program Files\\Caplio Software\\RGateLXP.exe"="C:\\Program Files\\Caplio Software\\RGateLXP.exe:*:Enabled:RICOH Gate La for DSC"
      "C:\\Program Files\\Microsoft Games\\Rise Of Legends Demo\\legends.exe"="C:\\Program Files\\Microsoft Games\\Rise Of Legends Demo\\legends.exe:*:Enabled:Rise of Legends"
      "C:\\Demos\\Act of War High Treason Demo\\ActOfWar_HighTreason_Demo.exe"="C:\\Demos\\Act of War High Treason Demo\\ActOfWar_HighTreason_Demo.exe:*:Enabled:ActOfWar_HighTreason_Demo"
      "C:\\Games\\X Fire\\Xfire\\Xfire.exe"="C:\\Games\\X Fire\\Xfire\\Xfire.exe:*:Enabled:Xfire"
      "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
      "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
      "C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
      "C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\133531VC\\WoW-Intro-enUS-downloader[1].exe"="C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\133531VC\\WoW-Intro-enUS-downloader[1].exe:*:Enabled:Blizzard Downloader"
      "C:\\Games\\Raikon\\Rakion\\Bin\\Rakion.bin"="C:\\Games\\Raikon\\Rakion\\Bin\\Rakion.bin:*:Enabled:Rakion"
      "C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life 2 deathmatch\\hl2.exe"="C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
      "C:\\Demos\\LimeWire\\LimeWire.exe"="C:\\Demos\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
      "C:\\Demos\\riseandfall\\Bin\\RiseAndFallDemo.exe"="C:\\Demos\\riseandfall\\Bin\\RiseAndFallDemo.exe:*:Disabled:Application"
      "C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life 2\\hl2.exe"="C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life 2\\hl2.exe:*:Enabled:hl2"
      "C:\\Mitch and Greg\\Mitch\\LimeWire\\LimeWire.exe"="C:\\Mitch and Greg\\Mitch\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
      "C:\\Games\\Warcraft III\\Warcraft III.exe"="C:\\Games\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
      "C:\\Demos\\firefox.exe"="C:\\Demos\\firefox.exe:*:Enabled:Firefox"
      "C:\\Games\\Trem\\tremulous.exe"="C:\\Games\\Trem\\tremulous.exe:*:Enabled:tremulous"
      "C:\\Demos\\Warhammer\\DarkCrusade.exe"="C:\\Demos\\Warhammer\\DarkCrusade.exe:*:Enabled:DarkCrusade"
      "C:\\Games\\Defcon\\defcon.exe"="C:\\Games\\Defcon\\defcon.exe:*:Enabled:Defcon"
      "C:\\Mitch and Greg\\Greg\\ChiChi\\Comet\\BitComet\\BitComet.exe"="C:\\Mitch and Greg\\Greg\\ChiChi\\Comet\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
      "C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
      "C:\\Games\\Warcraft III\\war3.exe"="C:\\Games\\Warcraft III\\war3.exe:*:Enabled:Warcraft III"
      "C:\\Games\\Never Winter Nights 2\\nwn2main.exe"="C:\\Games\\Never Winter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
      "C:\\Games\\Never Winter Nights 2\\nwn2main_amdxp.exe"="C:\\Games\\Never Winter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
      "C:\\Games\\Never Winter Nights 2\\nwupdate.exe"="C:\\Games\\Never Winter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
      "C:\\Games\\Never Winter Nights 2\\nwn2server.exe"="C:\\Games\\Never Winter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
      "C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life deathmatch source\\hl2.exe"="C:\\Games\\Steam\\SteamApps\\audio_stream\\half-life deathmatch source\\hl2.exe:*:Enabled:hl2"
      "C:\\Games\\MoC\\Warhammer.exe"="C:\\Games\\MoC\\Warhammer.exe:*:Enabled:Warhammerİ: Mark of ChaosT"
      "C:\\Games\\Condition Zero\\czero.exe"="C:\\Games\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
      "C:\\Games\\Counter-Strike\\cstrike.exe"="C:\\Games\\Counter-Strike\\cstrike.exe:*:Enabled:CounterStrike Launcher"
      "C:\\Mitch and Greg\\Greg\\pics\\ImagineFX\\3dsMax8\\3dsmax.exe"="C:\\Mitch and Greg\\Greg\\pics\\ImagineFX\\3dsMax8\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 8"
      "C:\\Program Files\\Autodesk\\backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
      "C:\\Program Files\\Autodesk\\backburner\\manager.exe"="C:\\Program Files\\Autodesk\\backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
      "C:\\Program Files\\Autodesk\\backburner\\server.exe"="C:\\Program Files\\Autodesk\\backburner\\server.exe:*:Enabled:backburner 2.3 server"
      "C:\\Games\\Steam\\Steam.exe"="C:\\Games\\Steam\\Steam.exe:*:Enabled:Steam"
      "C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"="C:\\Program Files\\Sierra On-Line\\SIGSPat.exe:*:Enabled:Update Counter-Strike"
      "C:\\Mitch and Greg\\Greg\\Miller Stuff\\weird al\\Weird\\CounterStrike2D.exe"="C:\\Mitch and Greg\\Greg\\Miller Stuff\\weird al\\Weird\\CounterStrike2D.exe:*:Enabled:CounterStrike2D"
      "C:\\Games\\Silver\\Silverfall Demo\\Silverfall.exe"="C:\\Games\\Silver\\Silverfall Demo\\Silverfall.exe:*:Enabled:Silverfall"
      "C:\\Games\\Mechcommander Gold\\MCX.EXE"="C:\\Games\\Mechcommander Gold\\MCX.EXE:*:Enabled:MechCommander Desperate Measures"
      "C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
      "C:\\Program Files\\MicroProse\\MCX\\MCX.EXE"="C:\\Program Files\\MicroProse\\MCX\\MCX.EXE:*:Enabled:MechCmdr Expansion"
      "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
      "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
      "C:\\Games\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="C:\\Games\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
      "C:\\Games\\World of Warcraft\\WoW.exe"="C:\\Games\\World of Warcraft\\WoW.exe:*:Enabled:World of Warcraft"
      "C:\\Games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="C:\\Games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
      "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
      "C:\\Games\\Soldat\\Soldat.exe"="C:\\Games\\Soldat\\Soldat.exe:*:Enabled:Soldat"
      "C:\\Mitch and Greg\\Greg\\ChiChi\\Torrent\\bittorrent.exe"="C:\\Mitch and Greg\\Greg\\ChiChi\\Torrent\\bittorrent.exe:*:Enabled:BitTorrent"
      "C:\\Mitch and Greg\\Greg\\Bittorent\\BitTorrent\\bittorrent.exe"="C:\\Mitch and Greg\\Greg\\Bittorent\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
      "C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
      "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
      "C:\\Games\\Fury\\Binaries\\Fury.exe"="C:\\Games\\Fury\\Binaries\\Fury.exe:*:Enabled:Fury"
      "C:\\Games\\Fury\\Binaries\\DiamondWare\\dwTVC.exe"="C:\\Games\\Fury\\Binaries\\DiamondWare\\dwTVC.exe:*:Enabled:Fury VOIP"
      "C:\\Games\\Warcraft III\\GG-Client\\GGclient.exe"="C:\\Games\\Warcraft III\\GG-Client\\GGclient.exe:*:Enabled:GG E-Sports Platform Client"
      "C:\\Games\\Ventrilo\\ventrilo_srv.exe"="C:\\Games\\Ventrilo\\ventrilo_srv.exe:*:Enabled:ventrilo_srv"
      "C:\\Mitch and Greg\\Greg\\Veoh\\VeohClient.exe"="C:\\Mitch and Greg\\Greg\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
      "C:\\Games\\AOWSM\\Age of Wonders Shadow Magic\\AoWSM.exe"="C:\\Games\\AOWSM\\Age of Wonders Shadow Magic\\AoWSM.exe:*:Enabled:Age of Wonders: Shadow Magic"
      "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
      "C:\\Games\\MC2\\Mc2Rel.exe"="C:\\Games\\MC2\\Mc2Rel.exe:*:Enabled:MechCommander 2 Game Executable"
      "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
      "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
      "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
      "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

      Remaining Files :


      File Backups: - C:\SDFix\backups\backups.zip


      ZODD


        Re: TDSSERV-Need help to remove
        « Reply #3 on: October 02, 2008, 03:34:17 AM »
        Files with Hidden Attributes :

        Thu  9 Nov 2006     1,649,152 A..H. --- "C:\Games\Jumper.exe"
        Wed 31 Jul 2002           104 ..SH. --- "C:\WINDOWS\WSYS049.SYS"
        Mon 29 Aug 2005       121,240 A..HR --- "C:\Games\DoW\Disk1CheckW40k.EXE"
        Fri 19 Aug 2005       121,237 A..HR --- "C:\Games\DoW\Disk1Check.EXE"
        Mon  7 Jul 2008     1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
        Mon  7 Jul 2008     4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
        Mon  7 Jul 2008     2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
        Wed  4 Oct 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
        Sun 16 Nov 2003       137,728 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL0221.tmp"
        Sun 16 Nov 2003       140,800 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL0248.tmp"
        Sat 15 Nov 2003        28,672 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL0461.tmp"
        Sat 15 Nov 2003        28,672 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL1292.tmp"
        Sat 15 Nov 2003        26,112 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL1463.tmp"
        Sat 15 Nov 2003        26,112 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL1531.tmp"
        Mon 11 Nov 2002        71,680 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL1674.tmp"
        Sat 15 Nov 2003        25,088 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL1831.tmp"
        Sat 15 Nov 2003        28,672 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL3070.tmp"
        Sat 19 Feb 2005        29,696 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL3185.tmp"
        Sat 15 Nov 2003        29,184 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL3309.tmp"
        Mon 11 Nov 2002        72,192 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL3649.tmp"
        Mon 11 Nov 2002        75,264 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\~WRL3799.tmp"
        Mon 14 Mar 2005       299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\Maint.exe"
        Mon 28 Feb 2005        61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 2.0\uinstrsc.dll"
        Sun  4 Mar 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
        Thu  9 Nov 2006     1,649,152 A..H. --- "C:\Documents and Settings\User\Desktop\Stuff on USB\Jumper.exe"
        Sat  3 Jun 2006        56,320 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL0707.tmp"
        Sat  3 Jun 2006        25,600 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL1009.tmp"
        Sat  3 Jun 2006        50,688 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL1453.tmp"
        Sat  3 Jun 2006        47,104 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL2735.tmp"
        Sat  3 Jun 2006        25,088 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL3719.tmp"
        Sat  3 Jun 2006        44,032 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\Chemistry\~WRL3918.tmp"
        Wed 17 May 2006        24,576 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\SOR2U\~WRL0003.tmp"
        Thu 18 May 2006        26,624 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\SOR2U\~WRL2813.tmp"
        Thu 18 May 2006        26,112 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\SOR2U\~WRL3638.tmp"
        Thu 18 May 2006        25,600 ...H. --- "C:\Mitch and Greg\Mitch\Year 12\SOR2U\~WRL3722.tmp"
        Thu 16 Jun 2005        32,768 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\english\~WRL0001.tmp"
        Thu 16 Jun 2005        33,280 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\english\~WRL3862.tmp"
        Thu 16 Jun 2005        33,280 A..H. --- "C:\Previous Computer\Mitch & Greg\mitch\english\~WRL4052.tmp"
        Sat 13 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
        Sat 19 Jan 2008           400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
        Sat 19 Jan 2008           403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
        Fri  9 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT5.tmp"
        Sat 30 Aug 2008     1,390,120 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6d60af59b300e891ebe3b192b8cb9849\BIT6.tmp"
        Mon  1 Sep 2008       249,881 ...HR --- "C:\WINDOWS\system32\drivers\etc\Hosts.bak"
        Sat  3 Jun 2006        39,424 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0527.tmp"
        Sat  3 Nov 2007         1,745 ...HR --- "C:\Documents and Settings\User\Application Data\SecuROM\UserData\securom_v7_01.bak"
        Sun 18 May 2008        26,112 ...H. --- "C:\Mitch and Greg\Greg\School\Year 11\Physics\~WRL3103.tmp"

        Finished!


        evilfantasy

        Re: TDSSERV-Need help to remove
        « Reply #4 on: October 02, 2008, 09:33:43 AM »
        Now go HERE and follow the steps and post the 3 logs when complete.

        ZODD


          Re: TDSSERV-Need help to remove
          « Reply #5 on: October 02, 2008, 07:20:03 PM »
          Ok, I will just paste them, in that I don't want the attachment (the logs) to be corrupted or something.

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 10/03/2008 at 10:22 AM

          Application Version : 4.20.1046

          Core Rules Database Version : 3584
          Trace Rules Database Version: 1572

          Scan type       : Complete Scan
          Total Scan Time : 01:38:50

          Memory items scanned      : 519
          Memory threats detected   : 0
          Registry items scanned    : 6713
          Registry threats detected : 0
          File items scanned        : 155158
          File threats detected     : 0

          MALWARE BYTES SCAN**************************

          Malwarebytes' Anti-Malware 1.28
          Database version: 1226
          Windows 5.1.2600 Service Pack 2

          3/10/2008 11:09:46 AM
          mbam-log-2008-10-03 (11-09-46).txt

          Scan type: Quick Scan
          Objects scanned: 48302
          Time elapsed: 3 minute(s), 18 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:15:50 AM, on 3/10/2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\csrss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Ahead\InCD\InCDsrv.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
          C:\WINDOWS\Explorer.EXE
          C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
          C:\Program Files\Ahead\InCD\InCD.exe
          C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe
          C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\WINDOWS\system32\RUNDLL32.EXE
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
          C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          C:\Program Files\Messenger\msmsgs.exe
          C:\Program Files\Logitech\Profiler\lwemon.exe
          C:\Program Files\Windows Media Player\WMPNSCFG.exe
          C:\Demos\UltimateZip\uzqkst.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\WINDOWS\System32\alg.exe
          C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
          C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
          C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
          C:\WINDOWS\system32\msiexec.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
          C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
          C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
          C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
          C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
          C:\Documents and Settings\User\Desktop\HiJackThis.exe
          C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
          C:\WINDOWS\system32\wbem\wmiprvse.exe
          C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
          O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
          O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
          O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
          O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
          O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
          O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
          O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
          O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
          O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
          O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
          O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
          O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe"
          O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" /s
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Mitch and Greg\Greg\Quick Time\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
          O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
          O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
          O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
          O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
          O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
          O4 - HKCU\..\Run: [Veoh] "C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" /VeohHide
          O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
          O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
          O4 - S-1-5-18 Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'SYSTEM')
          O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
          O4 - .DEFAULT Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'Default user')
          O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
          O4 - Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
          O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
          O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
          O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
          O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
          O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
          O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
          O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
          O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
          O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
          O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Mitch and Greg\Greg\pics\ImagineFX\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
          O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
          O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
          O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
          O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
          O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

          --
          End of file - 10470 bytes

          THANKS FOR THE HELP!!
          I ran a scan with spydoctor and it still detected tdsserv in the registry....

          evilfantasy

          Re: TDSSERV-Need help to remove
          « Reply #6 on: October 03, 2008, 09:15:23 AM »
          Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          When finished ComboFix will produce a log for you.
          Post the ComboFix log and a new HijackThis log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          ZODD


            Re: TDSSERV-Need help to remove
            « Reply #7 on: October 03, 2008, 05:00:54 PM »
            ComboFix 08-10-02.04 - User 2008-10-03 12:35:48.1 - NTFSx86
            Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.569 [GMT 10:00]
            Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
            Command switches used :: C:\Documents and Settings\User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
             * Created a new restore point
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            C:\WINDOWS\system32\MSINET.oca

            .
            (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            -------\Legacy_MCHINJDRV
            -------\Legacy_NPF
            -------\Service_NPF


            (((((((((((((((((((((((((   Files Created from 2008-09-03 to 2008-10-03  )))))))))))))))))))))))))))))))
            .

            2008-10-03 12:25 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
            2008-10-03 12:24 . 2008-10-03 12:25   <DIR>   d--------   C:\Program Files\Java
            2008-10-03 12:24 . 2008-10-03 12:24   <DIR>   d--------   C:\Program Files\Common Files\Java
            2008-10-03 08:35 . 2008-10-03 08:35   <DIR>   d--------   C:\Program Files\CCleaner
            2008-10-02 19:29 . 2008-10-02 19:58   <DIR>   d--------   C:\WINDOWS\system32\CatRoot_bak
            2008-10-02 18:54 . 2008-10-02 18:54   <DIR>   d--------   C:\WINDOWS\ERUNT
            2008-10-02 18:30 . 2008-10-03 12:13   <DIR>   d--------   C:\SDFix
            2008-10-02 11:32 . 2008-10-02 11:32   <DIR>   d--------   C:\Documents and Settings\All Users\Symantec Temporary Files
            2008-10-02 11:01 . 2008-10-02 12:10   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Symantec
            2008-10-02 10:59 . 2008-10-02 10:59   <DIR>   d--------   C:\Program Files\Windows Sidebar
            2008-10-02 10:58 . 2008-10-02 11:39   <DIR>   d--------   C:\Program Files\Norton 360 Premier Edition
            2008-10-02 10:57 . 2008-10-02 11:18   123,952   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.SYS
            2008-10-02 10:57 . 2008-10-02 11:18   60,800   --a------   C:\WINDOWS\system32\S32EVNT1.DLL
            2008-10-02 10:57 . 2008-10-02 11:18   10,671   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.CAT
            2008-10-02 10:57 . 2008-10-02 11:18   805   --a------   C:\WINDOWS\system32\drivers\SYMEVENT.INF
            2008-10-02 10:56 . 2008-10-02 11:18   <DIR>   d--------   C:\Program Files\Symantec
            2008-10-02 10:56 . 2008-10-02 13:42   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Symantec
            2008-10-02 10:55 . 2008-10-03 12:40   <DIR>   d--------   C:\Program Files\Common Files\Symantec Shared
            2008-09-06 15:31 . 2008-09-06 15:31   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\Avanquest
            2008-09-06 15:30 . 2008-09-06 15:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\BVRP Software
            2008-09-06 15:29 . 2008-09-06 15:29   <DIR>   dr-hs----   C:\_Backup.RC
            2008-09-06 15:29 . 2008-10-02 10:40   <DIR>   d--h-----   C:\_Backup
            2008-09-06 15:27 . 2008-09-06 15:27   <DIR>   d--------   C:\Program Files\Avanquest
            2008-09-06 15:27 . 2008-09-06 15:27   <DIR>   d--------   C:\Documents and Settings\User\Application Data\Avanquest
            2008-09-05 09:39 . 2008-09-05 09:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\f-secure
            2008-09-05 08:50 . 2008-09-05 08:50   <DIR>   d--------   C:\Documents and Settings\Administrator
            2008-09-05 07:57 . 2008-09-05 07:57   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ESET

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2008-10-03 02:42   ---------   d-----w   C:\Documents and Settings\User\Application Data\Skype
            2008-10-03 02:14   ---------   d-----w   C:\Documents and Settings\User\Application Data\skypePM
            2008-10-02 22:46   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
            2008-10-02 22:39   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
            2008-10-02 09:39   ---------   d-----w   C:\Program Files\Spyware Doctor
            2008-09-27 04:05   77,824   ----a-w   C:\WINDOWS\system32\kdfapi.dll
            2008-09-27 04:05   722,472   ----a-w   C:\WINDOWS\system32\kdfmgr.exe
            2008-09-27 04:05   53,248   ----a-w   C:\WINDOWS\system32\Kdfhok.dll
            2008-09-27 04:05   192,512   ----a-w   C:\WINDOWS\system32\kdfvmgr.exe
            2008-09-27 01:14   81,288   ----a-w   C:\WINDOWS\system32\drivers\iksyssec.sys
            2008-09-27 01:14   66,952   ----a-w   C:\WINDOWS\system32\drivers\iksysflt.sys
            2008-09-27 01:14   40,840   ----a-w   C:\WINDOWS\system32\drivers\ikfilesec.sys
            2008-09-27 01:14   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
            2008-09-09 14:04   38,528   ----a-w   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
            2008-09-09 14:03   17,200   ----a-w   C:\WINDOWS\system32\drivers\mbam.sys
            2008-09-06 05:23   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
            2008-09-01 11:54   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
            2008-09-01 11:17   ---------   d-----w   C:\Program Files\Lavasoft
            2008-09-01 11:17   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Lavasoft
            2008-09-01 10:38   ---------   d-----w   C:\Program Files\RegFix Mantra
            2008-09-01 10:35   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
            2008-09-01 06:29   ---------   d-----w   C:\Documents and Settings\User\Application Data\Malwarebytes
            2008-09-01 06:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Malwarebytes
            2008-08-31 06:41   ---------   d-----w   C:\Program Files\DNA
            2008-08-31 02:12   ---------   d-----w   C:\Program Files\Exterminate It!
            2008-08-31 01:59   ---------   d-----w   C:\Documents and Settings\User\Application Data\Sunbelt
            2008-08-31 01:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Sunbelt
            2008-08-31 01:58   ---------   d-----w   C:\Program Files\Sunbelt Software
            2008-08-30 13:54   ---------   d-----w   C:\Program Files\Enigma Software Group
            2008-08-30 13:46   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
            2008-08-30 13:46   ---------   d-----w   C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
            2008-08-30 13:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
            2008-08-30 13:33   ---------   d-----w   C:\Documents and Settings\User\Application Data\PC Tools
            2008-08-30 12:06   ---------   d-----w   C:\Documents and Settings\User\Application Data\Uniblue
            2008-08-30 12:05   ---------   dc-h--w   C:\Documents and Settings\All Users\Application Data\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
            2008-08-30 12:05   ---------   d-----w   C:\Program Files\Uniblue
            2008-08-30 08:29   846,336   ----a-w   C:\WINDOWS\system32\kdfinj.dll
            2008-08-30 07:46   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Trend Micro
            2008-08-30 07:40   ---------   d-----w   C:\Program Files\Trend Micro
            2008-08-26 07:20   59,176   ----a-w   C:\WINDOWS\system32\sbbd.exe
            2008-08-04 01:30   ---------   d-----w   C:\Documents and Settings\User\Application Data\SPORE Creature Creator
            2008-07-18 12:10   94,920   ----a-w   C:\WINDOWS\system32\cdm.dll
            2008-07-18 12:10   53,448   ----a-w   C:\WINDOWS\system32\wuauclt.exe
            2008-07-18 12:10   45,768   ----a-w   C:\WINDOWS\system32\wups2.dll
            2008-07-18 12:10   36,552   ----a-w   C:\WINDOWS\system32\wups.dll
            2008-07-18 12:09   563,912   ----a-w   C:\WINDOWS\system32\wuapi.dll
            2008-07-18 12:09   325,832   ----a-w   C:\WINDOWS\system32\wucltui.dll
            2008-07-18 12:09   205,000   ----a-w   C:\WINDOWS\system32\wuweb.dll
            2008-07-18 12:09   1,811,656   ----a-w   C:\WINDOWS\system32\wuaueng.dll
            2008-07-14 08:35   107,888   ----a-w   C:\WINDOWS\system32\CmdLineExt.dll
            2008-07-07 20:32   253,952   ----a-w   C:\WINDOWS\system32\es.dll
            2008-04-15 03:20   32   ----a-w   C:\Documents and Settings\All Users\Application Data\ezsid.dat
            2008-01-06 05:33   1   ----a-w   C:\Documents and Settings\User\SI.bin
            2005-03-31 11:17   40,960   ----a-w   C:\Program Files\Uninstall_CDS.exe
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
            @="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
            [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
            2008-02-26 18:34   576352   --a------   C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
            @="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
            [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
            2008-02-26 18:34   576352   --a------   C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
            @="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
            [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
            2008-02-26 18:34   576352   --a------   C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 1694208]
            "Steam"="c:\games\steam\steam.exe" [2008-03-28 1271032]
            "Start WingMan Profiler"="C:\Program Files\Logitech\Profiler\lwemon.exe" [2004-04-23 77824]
            "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
            "Veoh"="C:\Mitch and Greg\Greg\Veoh\VeohClient.exe" [2008-02-22 3537968]
            "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-03 21898024]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
            "RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
            "InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-06-11 1397760]
            "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
            "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
            "OpwareSE2"="C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe" [2003-05-08 49152]
            "VirtualCloneDrive"="C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
            "QuickTime Task"="C:\Mitch and Greg\Greg\Quick Time\qttask.exe" [2007-02-16 282624]
            "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
            "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
            "UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
            "SBAMTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-08-26 677160]
            "VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2007-10-12 173312]
            "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-19 51048]
            "osCheck"="C:\Program Files\Norton 360 Premier Edition\osCheck.exe" [2008-02-27 988512]
            "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
            "nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]

            C:\Documents and Settings\User\Start Menu\Programs\Startup\
            Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
            UltimateZip Quick Start.lnk - C:\Demos\UltimateZip\uzqkst.exe [2005-02-26 303616]

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
            @="Service"

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
            "DisableMonitoring"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
            "DisableMonitoring"=dword:00000001

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
            "EnableFirewall"= 0 (0x0)

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "C:\\Demos\\Battlefield 2\\BF2.exe"=
            "C:\\Demos\\Bet on Soldier Single Player Demo\\BoS.exe"=
            "C:\\Games\\Game Spy\\Aphex.exe"=
            "C:\\Games\\Little Fighter\\LF2_v1.9c\\lf2.exe"=
            "C:\\Demos\\Battlefield 2\\Bf2_w32ded.exe"=
            "C:\\Demos\\Battlefield 2\\BF2VoipServer_w32ded.exe"=
            "C:\\Demos\\Battlefield 2\\BF2VoipServer.exe"=
            "C:\\Games\\Steam\\SteamApps\\audio_stream\\counter-strike source\\hl2.exe"=
            "C:\\Program Files\\Caplio Software\\RGateLXP.exe"=
            "C:\\Games\\X Fire\\Xfire\\Xfire.exe"=
            "C:\\Demos\\LimeWire\\LimeWire.exe"=
            "C:\\Mitch and Greg\\Mitch\\LimeWire\\LimeWire.exe"=
            "C:\\Demos\\firefox.exe"=
            "C:\\Mitch and Greg\\Greg\\ChiChi\\Comet\\BitComet\\BitComet.exe"=
            "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
            "C:\\Games\\Never Winter Nights 2\\nwn2main.exe"=
            "C:\\Games\\Never Winter Nights 2\\nwn2main_amdxp.exe"=
            "C:\\Games\\Never Winter Nights 2\\nwupdate.exe"=
            "C:\\Games\\Never Winter Nights 2\\nwn2server.exe"=
            "C:\\Games\\Counter-Strike\\cstrike.exe"=
            "C:\\Mitch and Greg\\Greg\\pics\\ImagineFX\\3dsMax8\\3dsmax.exe"=
            "C:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
            "C:\\Program Files\\Autodesk\\backburner\\manager.exe"=
            "C:\\Program Files\\Autodesk\\backburner\\server.exe"=
            "C:\\Games\\Steam\\Steam.exe"=
            "C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
            "C:\\Mitch and Greg\\Greg\\Miller Stuff\\weird al\\Weird\\CounterStrike2D.exe"=
            "C:\\Games\\Mechcommander Gold\\MCX.EXE"=
            "C:\\WINDOWS\\system32\\dplaysvr.exe"=
            "C:\\Program Files\\MicroProse\\MCX\\MCX.EXE"=
            "C:\\Program Files\\iTunes\\iTunes.exe"=
            "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
            "C:\\Games\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
            "C:\\Games\\World of Warcraft\\WoW.exe"=
            "C:\\Games\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
            "C:\\WINDOWS\\system32\\sessmgr.exe"=
            "C:\\Games\\Soldat\\Soldat.exe"=
            "C:\\Mitch and Greg\\Greg\\Bittorent\\BitTorrent\\bittorrent.exe"=
            "C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
            "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
            "C:\\Program Files\\MSN Messenger\\livecall.exe"=
            "C:\\Games\\Warcraft III\\GG-Client\\GGclient.exe"=
            "C:\\Mitch and Greg\\Greg\\Veoh\\VeohClient.exe"=
            "C:\\Games\\AOWSM\\Age of Wonders Shadow Magic\\AoWSM.exe"=
            "C:\\WINDOWS\\system32\\dpnsvr.exe"=
            "C:\\Games\\MC2\\Mc2Rel.exe"=
            "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
            "8940:TCP"= 8940:TCP:BitComet 8940 TCP
            "8940:UDP"= 8940:UDP:BitComet 8940 UDP
            "6112:TCP"= 6112:TCP:Port 6112 TCP
            "6112:UDP"= 6112:UDP:warcraft3(1)
            "6113:TCP"= 6113:TCP:warcaft3
            "6114:TCP"= 6114:TCP:warcaft3
            "6115:TCP"= 6115:TCP:warcaft4
            "6116:TCP"= 6116:TCP:warcaft3
            "6117:TCP"= 6117:TCP:warcraft3
            "6118:TCP"= 6118:TCP:warcraft3
            "6119:TCP"= 6119:TCP:warcraft3

            R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-19 149352]
            S2 SBAMSvc;Sunbelt VIPRE Antivirus Service;C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-08-26 869672]
            S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
            S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2007-10-12 20496]
            S3 SBRE;SBRE;C:\WINDOWS\system32\drivers\SBREdrv.sys [2007-11-06 87848]

            [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdcb93cf-55f8-11dd-b276-0013d3635782}]
            \Shell\AutoRun\command - H:\LaunchU3.exe -a

            *Newly Created Service* - COMHOST
            .
            - - - - ORPHANS REMOVED - - - -

            HKCU-Run-PowerBar - (no file)


            .
            ------- Supplementary Scan -------
            .
            FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\9icl1eap.default\
            FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com.au/
            .

            **************************************************************************

            catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2008-10-03 12:41:04
            Windows 5.1.2600 Service Pack 2 NTFS

            scanning hidden processes ...

            scanning hidden autostart entries ...

            scanning hidden files ...

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            ------------------------ Other Running Processes ------------------------
            .
            C:\Program Files\Ahead\InCD\InCDsrv.exe
            C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
            C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
            C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
            C:\WINDOWS\system32\msiexec.exe
            C:\WINDOWS\system32\nvsvc32.exe
            C:\WINDOWS\system32\rundll32.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\WINDOWS\system32\wscntfy.exe
            .
            **************************************************************************
            .
            Completion time: 2008-10-03 12:47:29 - machine was rebooted
            ComboFix-quarantined-files.txt  2008-10-03 02:47:23

            Pre-Run: 82,341,744,640 bytes free
            Post-Run: 82,276,352,000 bytes free

            WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
            [boot loader]
            timeout=2
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

            280   --- E O F ---   2008-10-02 11:54:15


            ZODD


              Re: TDSSERV-Need help to remove
              « Reply #8 on: October 03, 2008, 05:02:48 PM »
              here is HJT

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 8:59:58 AM, on 4/10/2008
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\csrss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Ahead\InCD\InCDsrv.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
              C:\WINDOWS\Explorer.EXE
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
              C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
              C:\Program Files\Ahead\InCD\InCD.exe
              C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe
              C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\WINDOWS\system32\RUNDLL32.EXE
              C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
              C:\Program Files\Spyware Doctor\pctsTray.exe
              C:\Program Files\Messenger\msmsgs.exe
              C:\Program Files\Logitech\Profiler\lwemon.exe
              C:\Program Files\Windows Media Player\WMPNSCFG.exe
              C:\Demos\UltimateZip\uzqkst.exe
              C:\WINDOWS\System32\svchost.exe
              C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
              C:\WINDOWS\system32\nvsvc32.exe
              C:\Program Files\Spyware Doctor\pctsAuxs.exe
              C:\Program Files\Spyware Doctor\pctsSvc.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\iPod\bin\iPodService.exe
              C:\WINDOWS\System32\alg.exe
              C:\Program Files\Spyware Doctor\pctsGui.exe
              C:\Demos\firefox.exe
              C:\WINDOWS\system32\msiexec.exe
              C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
              C:\Documents and Settings\User\Desktop\HiJackThis.exe
              C:\WINDOWS\system32\wbem\wmiprvse.exe

              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
              O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
              O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
              O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
              O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
              O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
              O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
              O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
              O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
              O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
              O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
              O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\Cannon MF5700\Software 1\OpwareSE2.exe"
              O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Games\Mechcommander Gold\VirtualCloneDrive\VCDDaemon.exe" /s
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Mitch and Greg\Greg\Quick Time\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
              O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
              O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
              O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360 Premier Edition\osCheck.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
              O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
              O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
              O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
              O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
              O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
              O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
              O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
              O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
              O4 - S-1-5-18 Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'SYSTEM')
              O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
              O4 - .DEFAULT Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe (User 'Default user')
              O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
              O4 - Startup: UltimateZip Quick Start.lnk = C:\Demos\UltimateZip\uzqkst.exe
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
              O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
              O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
              O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
              O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
              O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
              O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
              O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
              O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
              O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
              O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
              O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
              O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
              O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Mitch and Greg\Greg\pics\ImagineFX\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
              O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
              O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
              O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
              O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
              O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

              Thank you very much! You don't know how much I owe you!!!

              evilfantasy

              Re: TDSSERV-Need help to remove
              « Reply #9 on: October 03, 2008, 06:19:13 PM »
              Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Driver::
              MCHINJDRV

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

              ----------

              Disable the System Restore Utility to flush infected restore points

              1) Right click the My Computer icon on the Desktop and click on Properties.
              2) Click on the System Restore tab.
              3) Put a check mark next to Turn off System Restore on All Drives
              4) Click the OK button.
              5) You will be prompted to restart the computer. Click the Yes button.

              Now re-enable System Restore

              To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

              1) Right click the My Computer icon on the Desktop and click on Properties.
              2) Click on the System Restore tab.
              3) Remove the check mark next to Turn off System Restore on All Drives
              4) Click the OK button.

              ----------

              Download OTCleanIt.exe and save it to your Desktop.
              • Double-click OTCleanIt.exe.
              • Click the CleanUp! button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes; if not, delete it yourself.
              ----------

              Run CCleaner.

              ----------

              Run this online scan.

              This scanner requires Internet Explorer

              Use the ESET Nod32 Online Scanner

              1. Check the box next to YES, I accept the Terms of Use.
              2. Click Start
              3. When asked, allow the ActiveX control to install
              4. Click Start
              5. Make sure that the option Remove found threats and the option Scan unwanted applications are check marked.
              6. Click Scan
              7. Wait for the scan to finish
              8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
              9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

              ----------

              How is everything now?

              ZODD


                Re: TDSSERV-Need help to remove
                « Reply #10 on: October 04, 2008, 12:00:50 AM »
                I will have the results from your steps tomorrow or later today, I am hung up in arrangements. I appreciate you waiting. Also I will be unable to run the ESET scan due to restrictions (don't ask why). Is there any other scan I could run that would not require the internet?

                Thank you very much.

                evilfantasy

                Re: TDSSERV-Need help to remove
                « Reply #11 on: October 04, 2008, 12:23:41 AM »
                You can run Dr Web instead.

                Download DrWeb CureIt & save it to your desktop.

                Scan with DrWeb-CureIt as follows:
                • Double-click on drweb-cureit.exe and then click Start.
                • An Express Scan of your PC notice will appear.
                • Under Start the Express Scan Now Click OK to start.
                  • This is a short scan that will scan the files currently running in memory.
                  • If or when something is found, click the Yes button when it asks you if you want to cure it.
                • Once the short scan has finished, Click Options > Change settings
                • Choose the Scan tab and UNcheck Heuristic analysis and click OK
                • Back at the main window, select the Complete scan button.
                • Then click the Green Arrow Start Scanning button on the right and the scan will start.
                  • Click Yes to all if it asks if you want to cure/move any file(s).
                • When the scan is done.
                • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
                • Save the DrWeb.csv report to your Desktop.
                • Exit Dr.Web Cureit.
                • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                • Copy and paste that log in the next reply

                ZODD


                  Re: TDSSERV-Need help to remove
                  « Reply #12 on: October 05, 2008, 05:53:18 AM »
                  Here is the Dr.Web scan. But before that, I did the Dr.Web scan first because I was unsure about the Notepad script step. If you could explain what it does that would be great, and then I'll do it and the OTcleaner and CCleaner after. Anyway, during the Dr.Web scan I think it moved ComboFix and said ComboFix was a virus; will I be able to use it again or should I re-download it to the desktop? Yeah, I checked, ComboFix isn't on the desktop anymore... will I have to re-download it? Sorry for doing the last step first... I was unsure what the code stuff did.

                  So sorry. If you could tell me how to redo the steps I skipped and what they do. Sorry.

                  Thank you for all your help. Here is the Dr.Web log.

                  ComboFix.exe\32788R22FWJFW\List-C.bat;C:\Documents and Settings\User\Desktop\ComboFix.exe;Probably BATCH.Virus;;
                  ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe;Program.PsExec.171;;
                  ComboFix.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
                  Dc4.exe\SDFix\apps\Process.exe;C:\RECYCLER\S-1-5-21-1614895754-507921405-725345543-1003\Dc4.exe;Tool.Prockill;;
                  Dc4.exe;C:\RECYCLER\S-1-5-21-1614895754-507921405-725345543-1003;Archive contains infected objects;Moved.;
                  Process.exe;C:\RECYCLER\S-1-5-21-1614895754-507921405-725345543-1003\Dc3\apps;Tool.Prockill;Moved.;
                  A0000590.bat;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP5;Probably BATCH.Virus;Moved.;
                  A0000602.EXE;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP5;Program.PsExec.170;Moved.;
                  data007\data001;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001750.exe\data007;Adware.Shopper;;
                  data007\data002;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001750.exe\data007;Adware.SaveNow.128;;
                  data007;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001750.exe;Archive contains infected objects;;
                  A0001750.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7;Archive contains infected objects;Moved.;
                  A0001751.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001751.exe;Probably BATCH.Virus;;
                  A0001751.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001751.exe;Program.PsExec.171;;
                  A0001751.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7;Archive contains infected objects;Moved.;
                  A0001752.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001752.exe;Tool.Prockill;;
                  A0001752.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7;Archive contains infected objects;Moved.;

                  Also, I will have the next step you give done in the next four days; some more arrangements have popped up and will slow me down in the things I can do on the computer. I appreciate you waiting.

                  evilfantasy

                  Re: TDSSERV-Need help to remove
                  « Reply #13 on: October 05, 2008, 10:14:06 AM »
                  It doesn't look like anything new was found. How is the computer running now?
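
The report in Reply #12 is semicolon-separated (object;path;threat;action;), and rows for files nested inside an archive carry no action of their own. As an added example (not code from this thread or from Dr.Web), the Python below sorts such rows by where the file lives and inherits the action from the containing archive; `TOOL_MARKERS` and the review rule are assumptions made for illustration.

```python
import csv
import io

# Rows copied from the Dr.Web report in Reply #12; fields are object;path;threat;action;
REPORT = r"""ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\User\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\RECYCLER\S-1-5-21-1614895754-507921405-725345543-1003\Dc3\apps;Tool.Prockill;Moved.;
A0000590.bat;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP5;Probably BATCH.Virus;Moved.;
data007\data001;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001750.exe\data007;Adware.Shopper;;
A0001750.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7;Archive contains infected objects;Moved.;
A0001752.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7\A0001752.exe;Tool.Prockill;;
A0001752.exe;C:\System Volume Information\_restore{1BBABAE2-E34D-48CE-9DCA-81B84E7BDC7E}\RP7;Archive contains infected objects;Moved.;
"""

# Assumption (not from the thread): name fragments that identify the removal tools used.
TOOL_MARKERS = ("combofix", "sdfix")


def location(path):
    """Classify where the flagged file sits on disk."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # copy kept by System Restore
    if "\\recycler\\" in p:
        return "recycle_bin"     # already deleted by the user
    return "live"


def triage(report):
    rows = []
    reader = csv.reader(io.StringIO(report), delimiter=";", quoting=csv.QUOTE_NONE)
    for rec in reader:
        if len(rec) < 4:
            continue  # skip blank or truncated lines
        obj, path, threat, action = (f.strip() for f in rec[:4])
        rows.append({"object": obj, "path": path, "threat": threat, "action": action})
    # Full path of every row that has an action recorded (the container rows).
    acted = {(r["path"] + "\\" + r["object"]).lower(): r["action"]
             for r in rows if r["action"]}
    for r in rows:
        r["location"] = location(r["path"])
        r["tool"] = any(m in (r["object"] + r["path"]).lower() for m in TOOL_MARKERS)
        # Nested rows have an empty action: walk up the path to the nearest container.
        probe, action = r["path"].lower(), r["action"]
        while not action and "\\" in probe:
            action = acted.get(probe, "")
            probe = probe.rsplit("\\", 1)[0]
        r["effective_action"] = action or "none"
    return rows


def needs_review(rows):
    """Rows left in place, or live files that are not part of a removal tool."""
    return [r for r in rows
            if r["effective_action"] == "none"
            or (r["location"] == "live" and not r["tool"])]


if __name__ == "__main__":
    for r in triage(REPORT):
        print(r["location"], r["tool"], r["effective_action"], r["threat"], r["object"])
```
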

                  ZODD


                    Re: TDSSERV-Need help to remove
                    « Reply #14 on: October 05, 2008, 07:05:07 PM »
                    My computer's running great! Thank you!!! I owe you a lot.

                    Should I go back and do the ComboFix steps to delete that file or whatever it does, because I never did it? The Notepad code step. If you think the computer is OK I won't bother, but if you think it would be good I'll do it. But the ComboFix files got quarantined and now I can't use them; should I re-download?

                    THANKS for all your help!