ok hi, this has happened before and started all because of a da** pop-up and acidental download... both times happened like that but I dont remember what I am supposed to do with the hijackthis application and what else after that I am to do. So if you could get back to me that would be great.

Click Here to download the current version of HiJackThis.

• Save HJTInstall.exe to your desktop.
• Open Notepad > Click on Format > Uncheck Word wrap, if checked.
• Double-click on the desktop icon for HJTINstall.exe.
• By default it will install to C:\Program Files\Trend Micro\HiJackThis.
• Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and HijackThis (HJT) will launch.
  
• Close any/all browsers, messenger, mediaplayer, Office and mail client windows and applications.
  
• Click on the 'Scan' button. When the scan is finished, press the 'Save' button. HiJackThis will open a Notepad document with scan in it. Save the log to your Desktop for ease in locating it.
  
• Click on Edit > Select All then click on Edit > Copy to copy the contents of the log to your clipboard.
• Come back here to this thread, right click your mouse and select Paste to paste the log in your next reply.
• DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
• Make certain your post shows the entire log, please.

To see a tutorial with screenshots on using HijackThis you can click on the link below:
How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

ok thanks and Ive done this here it is...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:34 PM, on 3/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NetProject\scm.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = ˆ3¹




 
gX|¹
ˆ3¹
ð¶Hþ
ÍÖM
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] E:\Documents and Settings\James\aim.exe -cnetwait.odl
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Documents and Settings\James\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: hyperproduction - {9d19a1a9-3cdf-4f15-a5ca-ea3905febded} - C:\WINDOWS\system32\wcscqa.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6649 bytes

Also I dont know if this helps but when I was waiting I found the thing that was causing all this but couldnt remove it, its kinda like an aplication it has 2 folders in my program files list under the name NetMeeting and NetProject both of which have things that have to do with this. One has like a .mp3 and others while the other has some icons. One thing anoying with it though it is like a few seconds/min intervals of showing up and saying something about a virus or network work and high damage lvl?? ( hope it doesnt affect the scan if I had a window like explorer open with these directions?)

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application. (If using Windows Vista, be sure to "Run As Administrator")
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Quick Acan" option is selected.
  • Then click on the Scan button.
• The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Malwarebytes' Anti-Malware 1.08
Database version: 506

Scan type: Quick Scan
Objects scanned: 29249
Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 3
Registry Keys Infected: 10
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
c:\program files\netproject\scit.exe (Trojan.Zlob) -> Unloaded process successfully.
c:\program files\netproject\sbmntr.exe (Trojan.Zlob) -> Unloaded process successfully.
c:\program files\netproject\scm.exe (Trojan.Zlob) -> Unloaded process successfully.
c:\program files\netproject\sbsm.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\wcscqa.dll (Trojan.Zlob) -> Unloaded module successfully.
c:\program files\netproject\wamdl.dll (Trojan.Zlob) -> Unloaded module successfully.
c:\program files\netproject\sbmdl.dll (Trojan.Zlob) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9d19a1a9-3cdf-4f15-a5ca-ea3905febded} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6860a44b-5d3e-433d-a7b5-d517f810d0e7} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6860a44b-5d3e-433d-a7b5-d517f810d0e7} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e94eb13e-d78f-0857-7734-5e67a49ffff1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Secure Browsing (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9d19a1a9-3cdf-4f15-a5ca-ea3905febded} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\some (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\AdwareAlert\ (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\NetProject (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\VirusHeat 4.3 (Rogue.VirusHeat) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\wcscqa.dll (Trojan.Zlob) -> Delete on reboot.
c:\program files\netproject\scit.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\netproject\sbmntr.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\netproject\scm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\netproject\sbsm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\program files\netproject\wamdl.dll (Trojan.Zlob) -> Delete on reboot.
c:\program files\netproject\sbmdl.dll (Trojan.Zlob) -> Delete on reboot.
C:\Program Files\NetProject\sbun.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\scu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\NetProject\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temp\zs1.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temp\zs2.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\VirusHeat 4.3\vpp.ini (Rogue.VirusHeat) -> Quarantined and deleted successfully.

First:
Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Second:
Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

sorry thid took long I was busy with easter preparing...




ComboFix 08-03-23.2 - James 2008-03-24 12:31:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.730 [GMT -4:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
CF17116.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\*
CF17116.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*"
CF17116.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\x64
C:\WINDOWS\Downloaded Program Files\x64\racodec.ax
C:\WINDOWS\Downloaded Program Files\x86
C:\WINDOWS\Downloaded Program Files\x86\racodec.ax

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-22 17:48 . 2006-08-12 19:21 8,320 --a------ C:\WINDOWS\system32\RenameMe.sys
2008-03-20 15:14 . 2008-03-24 12:27 <DIR> d-------- C:\Program Files\InternetSoftware
2008-03-20 12:21 . 2008-03-20 12:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-18 21:24 . 2008-03-18 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:17 . 2008-03-17 19:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-03-16 20:38 . 2008-03-16 20:38 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-16 20:38 . 2008-03-16 20:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\teamspeak2
2008-03-16 20:38 . 2008-03-16 20:38 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-16 16:49 . 2008-03-16 16:49 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-16 13:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-16 13:04 . 2008-03-16 13:05 <DIR> d-------- C:\Program Files\Java
2008-03-16 13:03 . 2008-03-16 13:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-16 12:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-16 12:10 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-16 12:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-15 22:41 . 2008-03-21 23:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 22:41 . 2008-03-15 22:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-14 19:30 . 2008-03-14 19:30 <DIR> d-------- C:\Program Files\Skype
2008-03-14 19:30 . 2008-03-14 19:30 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-13 19:06 . 2008-03-13 19:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-02-29 20:25 . 2008-03-18 18:22 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-29 20:22 . 2008-02-29 20:22 <DIR> d-------- C:\Program Files\Corel
2008-02-28 19:52 . 2008-02-28 19:52 <DIR> d-------- C:\Program Files\Microsoft Works
2008-02-28 19:51 . 2008-02-28 19:51 <DIR> d-------- C:\Program Files\MSBuild
2008-02-28 19:49 . 2008-02-28 19:49 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-28 19:45 . 2008-02-28 19:50 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-28 19:44 . 2008-02-28 19:44 <DIR> dr-h----- C:\MSOCache
2008-02-28 18:10 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-02-28 17:29 . 2008-03-16 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 15:45 --------- d-----w C:\Program Files\Steam
2008-03-23 04:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 02:37 --------- d-----w C:\Documents and Settings\James\Application Data\Xfire
2008-03-23 01:58 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2008-03-22 23:57 --------- d-----w C:\Program Files\Xfire
2008-03-22 21:52 --------- d-----w C:\Documents and Settings\James\Application Data\skypePM
2008-03-22 04:32 --------- d-s---w C:\Program Files\HLSW
2008-03-22 00:18 --------- d-----w C:\Documents and Settings\James\Application Data\Sites
2008-03-21 23:55 --------- d-----w C:\Documents and Settings\James\Application Data\SiteClasses
2008-03-20 19:23 --------- d-----w C:\Documents and Settings\James\Application Data\LimeWire
2008-03-20 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 22:24 --------- d-----w C:\Program Files\Google
2008-03-14 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\FileZilla
2008-03-01 00:24 --------- d-----w C:\Documents and Settings\James\Application Data\Ventrilo
2008-02-29 13:52 --------- d-----w C:\Program Files\Yahoo!
2008-02-13 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-13 16:31 --------- d-----w C:\Program Files\FileZilla Client
2008-02-13 01:27 --------- d-----w C:\Program Files\LimeWire
2008-02-07 00:24 --------- d-----w C:\Documents and Settings\James\Application Data\LogMeIn Rescue
2008-01-26 00:22 --------- d-----w C:\Program Files\Lavasoft
2008-01-26 00:22 --------- d-----w C:\Documents and Settings\James\Application Data\Lavasoft
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-12-25 04:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF7E9EBB-E1CF-7F7C-C608-13185698F3E9}]
2007-12-30 16:48 1019904 --a------ C:\Program Files\InternetSoftware\InternetSoftware-2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"AIM"="E:\Documents and Settings\James\aim.exe" [2005-08-05 15:08 67160]
"Steam"="c:\program files\steam\steam.exe" [2008-03-20 11:39 1266936]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-08 18:05 729178]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"Broadcom Wireless Manager"="C:\WINDOWS\system32\wltray.exe" [2007-06-14 16:48 1282048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-25 00:14 249896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 07:05 344064]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe [2007-12-24 17:13:58 1458176]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-07-01 10:58 88201 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 15:08 67160 E:\Documents and Settings\James\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-18 01:39 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"RasAuto"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\condition zero\\hl.exe"=
"E:\\Documents and Settings\\James\\aim.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\garrysmod\\hl2.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\condition zero deleted scenes\\hl.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Steam\\steamapps\\onleadwings\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\counter-strike\\hl.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"E:\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Steam\\steamapps\\onleadwings\\counter-strike\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\magawichi0\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 19:20]
S3 RenameMe;RenameMe;C:\WINDOWS\system32\RenameMe.sys [2006-08-12 19:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 12:34:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 12:34:48
ComboFix-quarantined-files.txt 2008-03-24 16:34:35
.
2008-03-16 20:51:22 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:22 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\Program Files\Steam\Steam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = ˆ3¹




 
gX|¹
ˆ3¹
ð¶Hþ
ÍÖM
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: InternetSoftware - {AF7E9EBB-E1CF-7F7C-C608-13185698F3E9} - C:\Program Files\InternetSoftware\InternetSoftware-2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] E:\Documents and Settings\James\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Documents and Settings\James\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6379 bytes

First:
Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.



Second;
Run HiJackThis and press the Scan' button

When the scan is finished:
Check the following items in HijackThis.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = ˆ3¹

O2 - BHO: InternetSoftware - {AF7E9EBB-E1CF-7F7C-C608-13185698F3E9} - C:\Program Files\InternetSoftware\InternetSoftware-2.dll

Close all windows except HijackThis and click Fix checked.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.

ComboFix 08-04-01.2 - James 2008-04-01 17:09:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.811 [GMT -4:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
TimedOut: Windir.dat
TimedOut: progfile.dat

((((((((((((((((((((((((( Files Created from 2008-03-01 to 2008-04-01 )))))))))))))))))))))))))))))))
.

2008-03-30 15:44 . 2008-04-01 16:41 <DIR> d-------- C:\Program Files\Steam
2008-03-30 07:54 . 2008-03-30 07:54 <DIR> d-------- C:\Program Files\Dynex Enhanced G USB Network Adapter
2008-03-30 07:54 . 2008-03-30 07:54 <DIR> d-------- C:\Documents and Settings\James\Application Data\InstallShield
2008-03-22 17:48 . 2006-08-12 19:21 8,320 --a------ C:\WINDOWS\system32\RenameMe.sys
2008-03-20 15:14 . 2008-03-27 15:53 <DIR> d-------- C:\Program Files\InternetSoftware
2008-03-20 12:21 . 2008-03-20 12:21 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-03-19 17:33 . 2008-03-19 17:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-18 21:24 . 2008-03-18 21:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 19:17 . 2008-03-17 19:17 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Xfire
2008-03-16 20:38 . 2008-03-16 20:38 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-03-16 20:38 . 2008-03-16 20:38 <DIR> d-------- C:\Documents and Settings\James\Application Data\teamspeak2
2008-03-16 20:38 . 2008-03-16 20:38 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-03-16 16:49 . 2008-03-16 16:49 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-16 13:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-16 13:04 . 2008-03-16 13:05 <DIR> d-------- C:\Program Files\Java
2008-03-16 13:03 . 2008-03-16 13:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-16 12:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-16 12:10 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-16 12:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-15 22:41 . 2008-04-01 16:28 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-15 22:41 . 2008-03-15 22:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-14 19:30 . 2008-03-14 19:30 <DIR> d-------- C:\Program Files\Skype
2008-03-14 19:30 . 2008-03-14 19:30 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-13 19:06 . 2008-03-13 19:06 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 20:30 --------- d-----w C:\Documents and Settings\James\Application Data\LimeWire
2008-03-30 17:07 --------- d-----w C:\Documents and Settings\James\Application Data\Sites
2008-03-30 11:54 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 18:20 --------- d-----w C:\Documents and Settings\James\Application Data\Xfire
2008-03-23 04:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 01:58 --------- d-----w C:\Documents and Settings\James\Application Data\Skype
2008-03-22 23:57 --------- d-----w C:\Program Files\Xfire
2008-03-22 21:52 --------- d-----w C:\Documents and Settings\James\Application Data\skypePM
2008-03-22 04:32 --------- d-s---w C:\Program Files\HLSW
2008-03-21 23:55 --------- d-----w C:\Documents and Settings\James\Application Data\SiteClasses
2008-03-20 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-18 22:24 --------- d-----w C:\Program Files\Google
2008-03-16 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-14 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-07 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\FileZilla
2008-03-01 00:24 --------- d-----w C:\Documents and Settings\James\Application Data\Ventrilo
2008-03-01 00:22 --------- d-----w C:\Program Files\Corel
2008-02-29 13:52 --------- d-----w C:\Program Files\Yahoo!
2008-02-28 23:52 --------- d-----w C:\Program Files\Microsoft Works
2008-02-28 23:51 --------- d-----w C:\Program Files\MSBuild
2008-02-28 23:49 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-13 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-13 16:31 --------- d-----w C:\Program Files\FileZilla Client
2008-02-13 01:27 --------- d-----w C:\Program Files\LimeWire
2008-02-07 00:24 --------- d-----w C:\Documents and Settings\James\Application Data\LogMeIn Rescue
2008-01-14 12:52 81,920 ----a-w C:\WINDOWS\system32\frapsvid.dll
2007-12-25 04:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF7E9EBB-E1CF-7F7C-C608-13185698F3E9}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-04-01 16:27 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-07-08 18:05 729178]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-12-25 00:14 249896]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 07:05 344064]
"Broadcom Wireless Manager"="C:\WINDOWS\system32\wltray.exe" [2007-06-14 15:48 1282048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe [2008-03-30 07:54:24 1458176]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dynex Wireless Networking Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dynex Wireless Networking Utility.lnk
backup=C:\WINDOWS\pss\Dynex Wireless Networking Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-07-01 10:58 88201 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
E:\Documents and Settings\James\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 04:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 19:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-08-18 01:39 90112 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-01 16:27 1271032 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"WmdmPmSN"=3 (0x3)
"wltrysvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ndiswdm.sys [2007-08-31 18:20]
S3 RenameMe;RenameMe;C:\WINDOWS\system32\RenameMe.sys [2006-08-12 19:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f42f847e-d43a-11dc-a2e1-00142a95e7a0}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - IPOD_SERVICE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 17:13:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 17:14:02
ComboFix-quarantined-files.txt 2008-04-01 21:13:52
ComboFix2.txt 2008-03-24 16:34:49
Pre-Run: 17,787,731,968 bytes free
Post-Run: 17,775,104,000 bytes free
.
2008-03-16 20:51:22 --- E O F ---




Log under this is hijack






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:51 PM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {AF7E9EBB-E1CF-7F7C-C608-13185698F3E9} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Documents and Settings\James\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5719 bytes

OK, your system is clean, We are finished unless there are items outstanding not reflected in your recent logs.

The only thing remaining to do is to remove ComboFix. It's updated regulalry and best not to use is unless instructed by a log helper.


Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.

ok thank you so much for the help and hoo raa!!