kristen930

Could anyone please tell me what SMDialog is and if I need to get rid of it? I have noticed that when I start up my computer, SMDialog appears in the Applications tab of the Windows Task Manager. I have found very little information when I googled it. One site said, "This signature detects attempts to exploit a known vulnerability in Microsoft Internet Explorer (IE). IE 5.5 is vulnerable; IE 5 SP2 and 6.0 SP1 are not vulnerable. IE does not confirm that multiple open browser windows are operating in the proper security zones; attackers can obtain sensitive information from the host cache." If this is something malicious, I definitely want to get rid of it, but have not been able to find any sources stating how. Thanks for any info!

Hi all, I was online today on the same websites I always go to and am very familiar with. All of a sudden, the site I was on switched itself over to another site I had never been to. I immediately clicked back to my homepage and looked at my recent history. Aside from the normal sites I had been it, the history said I was just at valarysearch. com, clickndirect. com, and also listed findwhat.dll, go.php, and click.valary. Has anyone heard of these and if they can harm my computer in any way?? I really don't think I had a stray click when I was online. Nothing has happened since, but it's only been a few minutes. I have the trial version of Norton Internet Security. I ran a Quick Scan and everything came up clear. I am currently running the Full System Scan. Thanks for any advice you can give! Kristen

I am using a different computer to reply right now. I have been keeping my computer offline today and re-ran several of the programs recommended here. ThreatExpert came back with everything being safe. I will have a more secure internet connection this weekend, and will wait until then to do your suggestions. I am not familiar with Mediafire. Since ThreatExpert has its log come up on the internet browser, so I just do "Save Page As" and send that via Mediafire? Thank you

Thank you for the clarification. To me, my computer seems to be running well. When I ran ThreatExpert yesterday afternoon, it told me my computer was clean. Later that night, it found some malicious entries. I just re-ran ThreatExpert, and here are the details. Thank you. Full Scan Summary: * Scan details: o Scan started: Wednesday, December 17, 2008 15:32:01 o Scan time: 02 minutes, 02 seconds o Number of memory objects scanned: 4708 + processes: 41 + modules: 1471 + heap pages: 3196 o Number of suspicious memory objects detected: 0 o Number of malicious memory objects detected: 5 o Overall Risk Level: High * Summary of the detected threat characteristics: Severity Level What's been found Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe. View detected locations * Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000] * Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000] * Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000] * Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000] A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks. View detected locations * Process "csrsc.exe", main module: [0x00400000 - 0x00484000] MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots). View detected locations * Process "csrsc.exe", main module: [0x00400000 - 0x00484000] Communication with a remote IRC server. View detected locations * Process "csrsc.exe", main module: [0x00400000 - 0x00484000] * Summary of the detected memory objects: Severity Level Memory Object Process "winlogon.exe", module "mlJBTkHb.dll": [0x10000000 - 0x1001b000] View detected characteristics * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe. Process "ccApp.exe", module "mlJBTkHb.dll": [0x01010000 - 0x0102b000] View detected characteristics * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe. Process "SUPERAntiSpyware.exe", module "mlJBTkHb.dll": [0x048f0000 - 0x0490b000] View detected characteristics * Threat characteristics of Vundo (aka VirtuMonde/VirtuMundo), a trojan horse that cause popups and advertises rogue antispyware programs. Vundo can be installed by visiting a Web site link contained in a spammed email. It is known to create a DLL file in the Windows system32 directory and inject it into system processes winlogon.exe and explorer.exe. Process "csrsc.exe", main module: [0x00400000 - 0x00484000] View detected characteristics * A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks. * MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots). * Communication with a remote IRC server. Process "explorer.exe", module "mlJBTkHb.dll": [0x015c0000 - 0x015db000] View detected characteristics

I think something may have messed up today. I was on my computer tonight and pressed "Control+ALT+DEL" for the Windows Task Manager, and under the Processes, I saw (and still see) csrss.exe. I have spent limited time on-line today, mainly coming to this forum to check this post. I am currently on a shared wireless internet at a hotel, and was wondering if it might be possible that someone is infecting my computer through this shared connection? I have run MBAM, and have also re-ran ComboFix and HJT. I did not see csrss.exe in the logs, but it is still under the Processes. Thank you, and I am sorry if this is causing any inconvenience. MBAM Malwarebytes' Anti-Malware 1.31 Database version: 1510 Windows 5.1.2600 Service Pack 1 12/16/2008 11:01:24 PM mbam-log-2008-12-16 (23-01-24).txt Scan type: Quick Scan Objects scanned: 48767 Time elapsed: 3 minute(s), 43 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 5 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ComboFix ComboFix 08-12-15.08 - Kristen 2008-12-16 22:19:31.3 - NTFSx86 Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\csrsc.exe c:\windows\system32\cylwqogs.ini c:\windows\system32\hgGwvuvV.dll c:\windows\system32\jgkhkr.dll c:\windows\System32\jkkkHbYr.dll c:\windows\system32\rYbHkkkj.ini c:\windows\system32\rYbHkkkj.ini2 c:\windows\system32\sgoqwlyc.dll c:\windows\system32\wuykimfn.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_WINSPOOLSVC -------\Service_WinSpoolSvc ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 ))))))))))))))))))))))))))))))) . 2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\program files\SUPERAntiSpyware 2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\Kristen\Application Data\SUPERAntiSpyware.com 2008-12-16 18:48 . 2008-12-16 18:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2008-12-16 16:40 . 2008-12-16 16:40 <DIR> d-------- c:\program files\Trend Micro 2008-12-16 16:22 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys 2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll 2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT 2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix 2008-12-15 22:15 . 2008-12-16 16:28 <DIR> d-------- c:\program files\Spyware Cease 2008-12-15 21:41 . 2008-12-16 22:13 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner 2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft 2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-12-15 21:01 . 2008-12-16 18:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe 2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe 2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET 2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus 2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks 2008-11-18 02:47 --------- d-----w c:\program files\AWS 2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint 2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug . ((((((((((((((((((((((((((((( [email protected]_14.36.53.28 ))))))))))))))))))))))))))))))))))))))))) . + 2008-12-17 00:48:22 18,944 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe + 2008-12-17 00:48:22 65,024 ----a-r c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe - 2008-12-16 03:23:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2008-12-17 04:05:28 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat - 2008-12-16 03:23:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat + 2008-12-17 04:05:28 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960] "SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152] "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe] "nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe] c:\documents and settings\Kristen\Start Menu\Programs\Startup\ PowerReg Scheduler V3.exe [2008-09-11 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=jgkhkr.dll R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024] R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-16 28672] R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408] S2 mrtRate;mrtRate; [] S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys [] . Contents of the 'Scheduled Tasks' folder 2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job - c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46] 2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42] 2005-12-28 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-HookURL - (no file) URLSearchHooks-Rank - (no file) BHO-{634D1F43-24C9-49F9-8BE6-C2A6C435CDC0} - c:\windows\System32\jkkkHbYr.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/ IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm - FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-16 22:25:12 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(660) c:\windows\system32\ODBC32.dll - - - - - - - > 'lsass.exe'(716) c:\windows\System32\dssenh.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\gearsec.exe c:\windows\system32\nvsvc32.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\windows\system32\wdfmgr.exe c:\program files\Apoint2K\ApntEx.exe c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2008-12-16 22:29:21 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-17 04:29:07 ComboFix2.txt 2008-12-16 22:24:57 ComboFix3.txt 2008-12-16 20:37:43 Pre-Run: 43,720,171,520 bytes free Post-Run: 43,712,733,184 bytes free 177 HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:31:27 PM, on 12/16/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\gearsec.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\hphmon05.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Spyware Cease\SpywareCease.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\system32\imapi.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Kristen\Desktop\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/ R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/ R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file) O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab O20 - AppInit_DLLs: jgkhkr.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 9607 bytes

I hope these are what you need below! ComboFix ComboFix 08-12-15.08 - Kristen 2008-12-16 16:18:14.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.284 [GMT -6:00] Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Kristen\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\system\VMwareService.exe c:\windows\system32\drivers\RKHit.sys c:\windows\system32\drivers\srwsvc.sys c:\windows\system32\mlJYrSjK.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system\VMwareService.exe c:\windows\system32\drivers\RKHit.sys c:\windows\system32\drivers\srwsvc.sys c:\windows\system32\mlJYrSjK.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_RKHIT -------\Legacy_SRWSVC -------\Legacy_VMWARESERVICE -------\Service_RkHit -------\Service_srwsvc -------\Service_VMwareService ((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 ))))))))))))))))))))))))))))))) . 2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll 2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT 2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix 2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease 2008-12-15 21:41 . 2008-12-16 14:55 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner 2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft 2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe 2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe 2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET 2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus 2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks 2008-11-18 02:47 --------- d-----w c:\program files\AWS 2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint 2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960] "SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152] "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe] "nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe] c:\documents and settings\Kristen\Start Menu\Programs\Startup\ PowerReg Scheduler V3.exe [2008-09-11 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344] R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [] S2 mrtRate;mrtRate; [] S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys [] *Newly Created Service* - RKHIT . Contents of the 'Scheduled Tasks' folder 2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job - c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46] 2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42] 2005-12-28 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-HookURL - (no file) URLSearchHooks-Rank - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/ IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm - FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-16 16:21:35 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(660) c:\windows\system32\ODBC32.dll - - - - - - - > 'lsass.exe'(716) c:\windows\System32\dssenh.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\gearsec.exe c:\windows\system32\nvsvc32.exe c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\windows\system32\wdfmgr.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Apoint2K\ApntEx.exe c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe . ************************************************************************** . Completion time: 2008-12-16 16:24:47 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-16 22:24:32 ComboFix2.txt 2008-12-16 20:37:43 Pre-Run: 43,557,396,480 bytes free Post-Run: 43,558,584,320 bytes free 159 HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 4:41:29 PM, on 12/16/2008 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\gearsec.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\System32\hphmon05.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Spyware Cease\SpywareCease.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Netscape\Netscape Browser\netscape.exe C:\Program Files\Norton AntiVirus\SAVScan.exe C:\Program Files\Common Files\AOL\1134501755\ee\aolsoftware.exe c:\program files\common files\aol\1134501755\ee\aexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dogpile.com/info.dogpl.toolbar/...orms/search.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/ R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/ R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\KRISTEN\Application Data\Mozilla\Profiles\default\yrt50d3g.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file) O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [spywareCease.exe] C:\Program Files\Spyware Cease\SpywareCease.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Kristen\Local Settings\Temp\{ECD5ECCC-8CB6-432E-928E-FA88CA29880E}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wo...jo/wordmojo.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- End of file - 9638 bytes

Here is the ComboFix log. My only problem came at the end when my computer was rebooted. I had disabled Norton Antivirus, but it was back on once the system was rebooted. I did tell it to allow ComboFix to proceed. Sorry about that...if I need to run ComboFix again, please let me know and I will set Norton to not start up during reboot. Thank you! ComboFix 08-12-15.08 - Kristen 2008-12-16 14:27:03.1 - NTFSx86 Running from: c:\documents and settings\Kristen\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\cdpxwsyy.ini c:\windows\system32\csrsc.exe c:\windows\system32\fccdBQkK.dll c:\windows\System32\geBqQGxU.dll c:\windows\system32\mlJCUlLd.dll c:\windows\system32\qoMeFxvW.dll c:\windows\system32\ruszrp.dll c:\windows\system32\UxGQqBeg.ini c:\windows\system32\UxGQqBeg.ini2 c:\windows\system32\xbsnsjhq.dll c:\windows\System32\yayyYqNe.dll c:\windows\system32\yyswxpdc.dll c:\windows\Tasks\trglhoqu.job . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_RPCPATCH -------\Legacy_RPCTFTPD -------\Legacy_WINSPOOLSVC -------\Service_WinSpoolSvc ((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 ))))))))))))))))))))))))))))))) . 2008-12-16 14:05 . 2008-12-16 14:05 70,144 --a------ c:\windows\system32\mlJYrSjK.dll 2008-12-15 23:21 . 2008-12-15 23:21 561,152 --a------ c:\windows\system32\dllcache\user32.dll 2008-12-15 23:18 . 2008-12-15 23:19 <DIR> d-------- c:\windows\ERUNT 2008-12-15 23:15 . 2008-12-15 23:31 <DIR> d-------- C:\SDFix 2008-12-15 22:15 . 2008-12-15 23:33 <DIR> d-------- c:\program files\Spyware Cease 2008-12-15 22:15 . 2008-10-08 16:29 28,672 --a------ c:\windows\system32\drivers\RKHit.sys 2008-12-15 21:41 . 2008-12-15 21:42 <DIR> d-------- c:\program files\ThreatExpert Memory Scanner 2008-12-15 21:02 . 2008-12-15 21:02 <DIR> d-------- c:\program files\Lavasoft 2008-12-15 21:02 . 2008-12-15 21:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-12-15 21:01 . 2008-12-15 21:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-15 18:54 . 2008-12-15 19:25 54,272 --a------ C:\patch3r.exe 2008-12-13 16:11 . 2008-12-14 22:17 49,152 --a------ C:\patcher.exe 2008-12-13 16:11 . 2008-12-13 16:11 11,656 --a------ c:\windows\system32\drivers\srwsvc.sys 2008-12-12 19:54 . 2008-12-12 19:54 23,552 -r-hs---- c:\windows\system\VMwareService.exe 2008-11-17 20:27 . 2008-11-17 20:29 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-11-17 20:27 . 2008-11-18 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-16 04:27 --------- d-----w c:\program files\PokerStars.NET 2008-12-16 01:44 --------- d-----w c:\program files\Norton AntiVirus 2008-12-10 04:13 --------- d-----w c:\documents and settings\Kristen\Application Data\Move Networks 2008-11-18 02:47 --------- d-----w c:\program files\AWS 2008-11-05 01:15 --------- d-----w c:\documents and settings\Kristen\Application Data\Viewpoint 2008-11-01 15:48 --------- d-----w c:\documents and settings\Kristen\Application Data\WeatherBug . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-04-07 4730880] "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-16 98304] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-01-16 229376] "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592] "HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-22 483328] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766] "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-27 95960] "SpywareCease.exe"="c:\program files\Spyware Cease\SpywareCease.exe" [2008-12-15 4593152] "AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 c:\windows\AGRSMMSG.exe] "nwiz"="nwiz.exe" [2004-04-07 c:\windows\system32\nwiz.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-07-29 57344] R2 srwsvc;srwsvc;\??\c:\windows\system32\drivers\srwsvc.sys [2008-12-13 11656] R2 VMwareService;VMwareService;"c:\windows\system\VMwareService.exe" [2008-12-12 23552] R3 RkHit;RkHit;\??\c:\windows\System32\drivers\RKHit.sys [2008-12-15 28672] S2 mrtRate;mrtRate; [] S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Kristen\LOCALS~1\Temp\cdrmkaun.sys [] . Contents of the 'Scheduled Tasks' folder 2008-12-13 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Kristen.job - c:\progra~1\NORTON~1\Navw32.exe [2003-11-24 03:46] 2008-12-16 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42] 2005-12-28 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-HookURL - (no file) URLSearchHooks-Rank - (no file) BHO-{53104df4-6eee-4fbd-8b3b-5396e058d0ba} - c:\windows\System32\ruszrp.dll BHO-{66DECFF2-B0C1-4284-BADB-FDF66C18263E} - c:\windows\System32\geBqQGxU.dll HKCU-Run-RecordNow! - (no file) HKCU-Run-Aim6 - (no file) HKLM-Run-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe HKLM-Run-Microsoft® System Manager - c:\windows\system32\sysmgr.exe MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ mSearch Bar = hxxp://www.dogpile.com/info.dogpl.toolbar/dog/forms/search.htm uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.dogpile.com/info.dogpl.toolbar/ IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html IE: Dogpile Cursor Search - c:\documents and settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm - FF - ProfilePath - c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - plugin: c:\documents and settings\Kristen\Application Data\Mozilla\Firefox\Profiles\y8tmethi.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-16 14:34:00 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(660) c:\windows\system32\ODBC32.dll - - - - - - - > 'lsass.exe'(720) c:\windows\System32\dssenh.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\gearsec.exe c:\program files\Norton AntiVirus\navapsvc.exe c:\windows\system32\nvsvc32.exe c:\program files\Norton AntiVirus\SAVSCAN.EXE c:\program files\Analog Devices\SoundMAX\SMAgent.exe c:\windows\system32\wdfmgr.exe c:\program files\Apoint2K\ApntEx.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe . ************************************************************************** . Completion time: 2008-12-16 14:37:42 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-16 20:37:40 Pre-Run: 43,320,029,184 bytes free Post-Run: 43,580,502,016 bytes free winxpsp1_en_hom_bf.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect 176

Tonight the Norton program on my computer was going crazy with pop-ups saying that I was trying to send e-mails with Subjects that looked like typical spam to addresses I was not familiar with. I ran some other programs, and found that csrsc.exe and VMwareservice.exe and a bunch of backdoor trojans are on my computer. I found on another post here a program called SDFix, and these are the results below. I am stuck as to what to do next. Thank you in advance for any help you can give me!! SDFix: Version 1.240 Run by Kristen on Mon 12/15/2008 at 11:21 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\system32\msvcrt2.dll - Deleted C:\WINDOWS\system32\SysMgr.exe - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-15 23:27:55 Windows 5.1.2600 Service Pack 1 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with Hidden Attributes : Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll" Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll" Fri 12 Dec 2008 23,552 ..SHR --- "C:\WINDOWS\system\VMwareService.exe" Thu 11 Dec 2008 32,256 ..SHR --- "C:\WINDOWS\system32\csrsc.exe" Tue 13 Dec 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sat 6 Dec 2008 95 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2C.tmp" Tue 13 Dec 2005 1,337 A..H. --- "C:\Program Files\Common Files\AOL\IPHSend\IPH.BAK" Finished!