Recycler virus. Need help

[Klean]

[sherriec09]

Since it didn't work and my computer is now restarting on it's own I have decided to just reformat & re install XP. I need to know how to save all my driver files and XP updates. Do I need to open a new thread?

Thank you for all your help Klean. If you have anymore ideas on Recycler I would be happy to hear them since I really don't want to reformat my Laptop too, so I would be willing to try them on it.

Again, thanks for all your help and input.

[Klean]

I'm not sure you are infected:

[sherriec09]

Scanning now

[sherriec09]

ComboFix 09-05-03.6 - FunnyFace 05/04/2009 11:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1610 [GMT -7:00]
Running from: c:\documents and settings\FunnyFace\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-04-30 00:04 . 2009-04-30 00:04 -------- d-----w c:\documents and settings\FunnyFace\Application Data\cerasus.media
2009-04-30 00:01 . 2009-05-01 23:17 -------- d-----w c:\program files\Mystery Stories Island of Hope
2009-04-29 23:58 . 2009-04-29 23:59 -------- d-----w c:\program files\Gazillionaire III
2009-04-29 01:44 . 2009-04-29 01:44 -------- d-----w c:\program files\Virtual Families
2009-04-29 01:41 . 2009-04-29 01:41 -------- d-----w c:\program files\Home Cookin 5.8
2009-04-29 00:34 . 2001-02-27 05:54 853408 ----a-w c:\windows\system32\Msmapi32.dll
2009-04-29 00:34 . 2005-07-01 18:09 507904 ----a-w c:\windows\system32\tdbgpp8.dll
2009-04-29 00:34 . 2005-07-01 18:10 249856 ----a-w c:\windows\system32\todgub8.dll
2009-04-29 00:34 . 1998-06-18 07:00 89360 ----a-w c:\windows\system32\Vb5db.dll
2009-04-29 00:34 . 2009-04-29 00:34 -------- d-----w c:\program files\Cooks Palate Trial
2009-04-29 00:03 . 2009-04-29 00:24 -------- d-----w c:\program files\CookBook+Calendar
2009-04-28 23:48 . 2009-04-28 23:48 -------- d-----w c:\program files\Lakefront Software
2009-04-28 17:35 . 2009-04-28 17:35 -------- d-----w c:\program files\CBS Software
2009-04-28 00:41 . 2009-04-28 00:41 -------- d-----w c:\program files\Romopolis
2009-04-26 14:59 . 2009-04-26 14:59 -------- d-----w c:\program files\Team DEViANT
2009-04-26 12:58 . 2009-04-26 12:59 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-26 12:58 . 2009-04-26 12:59 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-25 05:10 . 2009-04-25 05:10 -------- d-----w c:\program files\Hasbro
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\UClick
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w c:\documents and settings\FunnyFace\Application Data\UClick
2009-04-22 22:30 . 2009-04-22 22:30 -------- d-----w c:\program files\Brightstar Games
2009-04-22 22:07 . 2009-04-22 22:07 -------- d-----w c:\documents and settings\FunnyFace\Application Data\DAEMON Tools
2009-04-22 22:07 . 2009-04-22 22:07 -------- d-----w c:\documents and settings\FunnyFace\Application Data\DAEMON Tools Pro
2009-04-22 22:06 . 2009-04-22 22:06 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-22 21:57 . 2009-04-26 12:52 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-22 21:57 . 2009-04-27 01:14 -------- d-----w c:\documents and settings\FunnyFace\Application Data\DAEMON Tools Lite
2009-04-22 05:51 . 2009-04-22 05:51 -------- d-----w c:\documents and settings\All Users\Application Data\TikGames
2009-04-22 05:51 . 2009-04-22 05:51 -------- d-----w c:\documents and settings\FunnyFace\Application Data\TikGames
2009-04-22 05:50 . 2009-04-29 20:15 -------- d-----w c:\program files\Wild Tribe
2009-04-21 15:38 . 2009-04-21 15:38 -------- d-----w C:\!KillBox
2009-04-21 05:10 . 2009-04-21 05:10 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Desktopicon
2009-04-21 05:10 . 2009-05-04 07:57 -------- d-----w c:\program files\Unlocker
2009-04-20 17:05 . 2009-04-20 17:05 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-20 17:04 . 2009-04-20 17:04 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-20 17:04 . 2009-04-20 17:04 -------- d-----w c:\documents and settings\FunnyFace\Application Data\SUPERAntiSpyware.com
2009-04-20 17:03 . 2009-04-20 17:03 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-20 02:53 . 2009-05-01 04:49 -------- d-----w c:\program files\Koi Solitaire
2009-04-20 01:26 . 2009-04-20 01:26 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Reflexivev1002
2009-04-20 01:26 . 2009-04-20 01:26 -------- d-----w c:\program files\Escape Rosecliff Island
2009-04-20 01:08 . 2009-04-20 01:08 -------- d-----w c:\program files\Charm Solitaire
2009-04-19 23:13 . 2009-04-19 23:13 -------- d-----w c:\program files\CCleaner
2009-04-19 16:09 . 2009-04-19 16:09 -------- d-----w C:\VundoFix Backups
2009-04-19 01:40 . 2009-04-21 07:18 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-19 01:40 . 2009-04-19 01:43 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-17 05:18 . 2009-04-17 05:18 -------- d-----w c:\program files\Ancient Tripeaks
2009-04-17 04:48 . 2009-04-20 05:22 -------- d-----w c:\program files\Aloha Solitaire
2009-04-16 16:22 . 2009-04-23 14:56 -------- d-----w c:\program files\RegCure
2009-04-16 07:06 . 2009-04-16 07:06 -------- d-----w c:\documents and settings\All Users\Application Data\Playtonium Games
2009-04-16 07:05 . 2009-04-16 07:06 -------- d-----w c:\program files\Tic A Tac Royale
2009-04-16 06:58 . 2009-04-16 06:58 -------- d-----w c:\program files\Solitaire Pop
2009-04-16 06:46 . 2009-04-16 06:46 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Skip-Bo
2009-04-16 06:44 . 2009-04-16 06:57 -------- d-----w c:\program files\SKIPBO Castaway Caper
2009-04-16 06:15 . 2009-04-16 06:44 -------- d-----w c:\program files\Hotel Solitaire
2009-04-16 06:01 . 2009-04-20 03:29 -------- d-----w c:\program files\Astral Masters
2009-04-16 05:49 . 2009-04-16 06:00 -------- d-----w c:\program files\Aloha Tripeaks
2009-04-16 04:49 . 2009-04-16 04:49 -------- d-----w c:\program files\MumboJumbo
2009-04-16 01:07 . 2009-04-16 01:07 -------- d-----w c:\program files\Elf Bowling The Last Insult
2009-04-15 22:21 . 2009-04-15 22:22 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-15 21:53 . 2009-04-15 21:53 -------- d-----w c:\program files\Electronic Arts
2009-04-15 21:50 . 2008-03-05 23:03 479752 ----a-w c:\windows\system32\XAudio2_0.dll
2009-04-15 21:50 . 2008-03-05 23:03 238088 ----a-w c:\windows\system32\xactengine3_0.dll
2009-04-15 21:50 . 2008-03-05 23:00 25608 ----a-w c:\windows\system32\X3DAudio1_3.dll
2009-04-15 21:50 . 2008-03-05 22:56 1420824 ----a-w c:\windows\system32\D3DCompiler_37.dll
2009-04-15 21:50 . 2008-02-06 06:07 462864 ----a-w c:\windows\system32\d3dx10_37.dll
2009-04-15 21:49 . 2008-03-05 22:56 3786760 ----a-w c:\windows\system32\D3DX9_37.dll
2009-04-15 21:49 . 2007-10-22 10:39 267272 ----a-w c:\windows\system32\xactengine2_10.dll
2009-04-15 21:48 . 2007-10-02 16:56 444776 ----a-w c:\windows\system32\d3dx10_36.dll
2009-04-15 21:48 . 2007-10-12 22:14 1374232 ----a-w c:\windows\system32\D3DCompiler_36.dll
2009-04-15 21:48 . 2007-10-12 22:14 3734536 ----a-w c:\windows\system32\d3dx9_36.dll
2009-04-15 21:47 . 2007-07-20 07:57 267112 ----a-w c:\windows\system32\xactengine2_9.dll
2009-04-15 21:47 . 2007-07-20 01:14 444776 ----a-w c:\windows\system32\d3dx10_35.dll
2009-04-15 21:47 . 2007-07-20 01:14 1358192 ----a-w c:\windows\system32\D3DCompiler_35.dll
2009-04-15 21:47 . 2007-07-20 01:14 3727720 ----a-w c:\windows\system32\d3dx9_35.dll
2009-04-15 21:47 . 2007-06-21 03:46 266088 ----a-w c:\windows\system32\xactengine2_8.dll
2009-04-15 21:47 . 2007-10-22 10:37 17928 ----a-w c:\windows\system32\X3DAudio1_2.dll
2009-04-15 21:47 . 2007-05-16 23:45 443752 ----a-w c:\windows\system32\d3dx10_34.dll
2009-04-15 21:47 . 2007-05-16 23:45 1124720 ----a-w c:\windows\system32\D3DCompiler_34.dll
2009-04-15 21:47 . 2007-05-16 23:45 3497832 ----a-w c:\windows\system32\d3dx9_34.dll
2009-04-15 19:13 . 2009-04-16 01:08 -------- d-----w c:\documents and settings\All Users\Application Data\MumboJumbo
2009-04-15 19:12 . 2009-04-20 03:45 -------- d-----w c:\program files\Luxor 3
2009-04-15 19:07 . 2009-04-15 19:09 -------- d-----w c:\program files\Nertz Solitaire
2009-04-15 11:04 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 11:04 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 11:00 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 11:00 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 11:00 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 11:00 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 11:00 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 11:00 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 11:00 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 11:00 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 11:00 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:52 . 2009-04-15 05:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2009-04-15 05:23 . 2009-04-20 03:33 -------- d-----w c:\program files\FreshGames
2009-04-13 20:50 . 2009-04-13 20:50 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Pogo Games
2009-04-13 20:02 . 2008-05-30 21:17 65032 ----a-w c:\windows\system32\XAPOFX1_0.dll
2009-04-13 20:02 . 2008-05-30 21:19 507400 ----a-w c:\windows\system32\XAudio2_1.dll
2009-04-13 20:02 . 2008-05-30 21:18 238088 ----a-w c:\windows\system32\xactengine3_1.dll
2009-04-13 20:02 . 2008-05-30 21:17 25608 ----a-w c:\windows\system32\X3DAudio1_4.dll
2009-04-13 20:02 . 2008-05-30 21:11 1491992 ----a-w c:\windows\system32\D3DCompiler_38.dll
2009-04-13 20:02 . 2008-05-30 21:11 467984 ----a-w c:\windows\system32\d3dx10_38.dll
2009-04-13 20:02 . 2008-05-30 21:11 3850760 ----a-w c:\windows\system32\D3DX9_38.dll
2009-04-13 20:02 . 2009-04-13 20:02 -------- d-----w c:\windows\Logs
2009-04-13 20:02 . 2009-04-17 04:29 -------- d-----w c:\program files\Oberon Media
2009-04-13 08:53 . 2009-04-13 08:53 -------- d-----w c:\documents and settings\FunnyFace\Application Data\monkey money
2009-04-13 08:35 . 2009-05-03 02:46 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-12 05:12 . 2009-04-12 05:12 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-12 05:12 . 2008-12-11 20:31 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-12 05:12 . 2009-04-12 05:12 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-12 05:12 . 2009-04-12 05:12 -------- d-----w c:\documents and settings\FunnyFace\Application Data\TuneUp Software
2009-04-12 05:11 . 2009-04-12 05:11 -------- d-----w c:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-12 05:11 . 2009-04-17 03:45 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-04-12 05:10 . 2009-04-12 05:10 -------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-10 06:25 . 2009-04-10 06:25 -------- d-----w c:\documents and settings\FunnyFace\Local Settings\Application Data\Thinstall
2009-04-10 06:02 . 2009-05-02 05:14 -------- d-----w c:\documents and settings\FunnyFace\Application Data\IDM
2009-04-10 06:02 . 2009-05-04 18:46 -------- d-----w c:\documents and settings\FunnyFace\Application Data\DMCache
2009-04-10 06:02 . 2009-04-25 18:05 -------- d-----w c:\program files\Internet Download Manager
2009-04-10 05:30 . 2003-06-06 00:15 57436 ----a-w c:\windows\DASShp.dll
2009-04-10 05:30 . 2009-04-10 05:30 -------- d-----w c:\program files\Microsoft Reader
2009-04-10 04:11 . 2009-04-10 04:11 5742270 ----a-w c:\documents and settings\FunnyFace\Application Data\Internet Download Manager.exe
2009-04-09 22:31 . 2009-04-09 22:31 -------- d-----w c:\program files\Maxis
2009-04-09 22:00 . 2009-04-09 22:00 -------- d-----w c:\program files\PowerISO
2009-04-09 21:57 . 2009-04-10 06:25 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Thinstall
2009-04-09 00:49 . 2009-04-09 02:25 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-09 00:21 . 2009-04-09 00:21 -------- d-----w c:\documents and settings\FunnyFace\Application Data\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 23:48 . 2005-01-23 21:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-20 04:11 . 2009-04-02 20:06 -------- d-----w c:\program files\Natalie Brooks The Treasures of the Lost Kingdom
2009-04-20 03:48 . 2009-04-01 17:44 -------- d-----w c:\program files\Emerald City Confidential
2009-04-20 03:48 . 2009-04-02 05:04 -------- d-----w c:\program files\Mortimer Beckett And The Time Paradox
2009-04-20 03:44 . 2008-06-10 07:04 -------- d-----w c:\program files\Flip Words 2
2009-04-20 03:30 . 2009-04-02 19:37 -------- d-----w c:\program files\Can You See What I See Dream Machine
2009-04-18 21:07 . 2008-05-29 07:41 -------- d-----w c:\program files\Eye For Design
2009-04-16 23:33 . 2008-05-29 07:22 -------- d-----w c:\program files\Yahtzee Texas Hold Em
2009-04-16 23:27 . 2008-05-29 07:28 -------- d-----w c:\program files\The Hidden Object Show
2009-04-16 23:27 . 2008-05-29 07:29 -------- d-----w c:\program files\Slingo Quest
2009-04-16 22:46 . 2008-05-29 07:43 -------- d-----w c:\program files\Escape The Museum
2009-04-10 16:12 . 2008-05-29 08:51 63496 ----a-w c:\documents and settings\FunnyFace\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 22:25 . 2005-01-24 22:28 -------- d-----w c:\program files\Common Files\Adobe
2009-04-03 05:10 . 2009-04-03 05:09 -------- d-----w c:\program files\Mystery PI - The New York Fortune
2009-04-03 00:57 . 2009-04-03 00:55 -------- d-----w c:\program files\Nightshift Legacy The Jaguar's Eye
2009-03-31 23:30 . 2009-03-31 17:22 -------- d-----w c:\program files\Wild West Quest 2
2009-03-31 23:30 . 2009-03-31 19:10 -------- d-----w c:\program files\Hot Dish 2
2009-03-31 23:29 . 2009-03-31 19:57 -------- d-----w c:\program files\Masters of Mystery Crime of Fashion
2009-03-31 06:32 . 2009-03-29 17:23 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-31 06:05 . 2009-03-31 06:05 -------- d-----w c:\program files\The Three Stooges Treasure Hunt Hijinks
2009-03-30 22:15 . 2009-03-28 07:23 -------- d-----w c:\program files\Chocolatier Decadence by Design
2009-03-29 06:00 . 2009-03-29 05:18 -------- d-----w c:\program files\Mysterious City Cairo
2009-03-29 00:19 . 2009-03-18 16:14 -------- d-----w c:\program files\Trivial Pursuit Bring On The 90s
2009-03-28 20:17 . 2009-03-28 19:55 -------- d-----w c:\program files\Heartwild Solitaire
2009-03-28 19:55 . 2009-03-28 19:26 -------- d-----w c:\program files\Top Chef
2009-03-28 19:19 . 2009-03-28 19:19 -------- d-----w c:\program files\Youda Farmer
2009-03-28 16:47 . 2009-03-28 16:09 -------- d-----w c:\program files\County Fair
2009-03-28 00:47 . 2009-03-28 00:45 -------- d-----w c:\program files\Neverland
2009-03-27 23:26 . 2008-06-22 06:09 -------- d-----w c:\program files\Build in Time
2009-03-27 23:25 . 2009-03-16 21:42 -------- d-----w c:\program files\eGames
2009-03-27 23:23 . 2009-03-18 17:03 -------- d-----w c:\program files\TriviaNet Challenge
2009-03-27 23:22 . 2008-09-18 19:56 -------- d-----w c:\program files\The Race
2009-03-27 23:22 . 2008-05-29 07:25 -------- d-----w c:\program files\The Lost Treasures Of Alexandria
2009-03-27 23:21 . 2009-03-18 05:03 -------- d-----w c:\program files\Shape Solitaire
2009-03-27 23:19 . 2009-03-13 21:18 -------- d-----w c:\program files\Ricochet Lost Worlds
2009-03-27 23:19 . 2008-07-22 23:04 -------- d-----w c:\program files\Ranch Rush
2009-03-27 23:17 . 2008-09-17 14:50 -------- d-----w c:\program files\Jojos Fashion Show 2
2009-03-27 23:16 . 2008-07-06 02:14 -------- d-----w c:\program files\Jojos Fashion Show
2009-03-27 23:15 . 2008-09-18 20:31 -------- d-----w c:\program files\Hawaiian Explorer The Lost Island
2009-03-27 23:15 . 2008-05-29 07:41 -------- d-----w c:\program files\Fatal Hearts
2009-03-27 23:15 . 2008-06-10 05:55 -------- d-----w c:\program files\Fashion Solitaire
2009-03-27 23:13 . 2008-06-26 00:42 -------- d-----w c:\program files\CLUE Classic
2009-03-27 23:13 . 2009-03-16 03:11 -------- d-----w c:\program files\Brain Booster
2009-03-27 23:13 . 2008-07-22 22:51 -------- d-----w c:\program files\Alices Magical Mahjong
2009-03-27 01:24 . 2009-03-27 01:24 -------- d-----w c:\program files\Yahoo!
2009-03-27 01:02 . 2009-03-27 01:01 -------- d-----w c:\program files\ATT-PRT22-WISE
2009-03-27 01:02 . 2009-03-27 01:02 -------- d-----w c:\program files\att-prt22
2009-03-27 01:02 . 2009-03-27 01:02 -------- d-----w c:\program files\Common Files\Motive
2009-03-26 15:35 . 2009-04-03 13:24 210352 ----a-w c:\windows\system32\idmmbc.dll
2009-03-25 05:14 . 2009-03-18 17:02 -------- d-----w c:\program files\Trivial Pursuit Silver Screen Edition
2009-03-24 03:48 . 2009-03-19 02:17 -------- d-----w c:\program files\Polly Pride Pet Detective
2009-03-24 01:25 . 2008-08-22 18:31 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-03-23 00:50 . 2009-03-18 17:18 -------- d-----w c:\program files\Mosaic Tomb of Mystery
2009-03-22 23:31 . 2009-03-18 05:51 -------- d-----w c:\program files\Yahtzee
2009-03-18 17:04 . 2009-03-18 17:04 -------- d-----w c:\program files\WordJong
2009-03-18 16:07 . 2009-03-18 16:06 -------- d-----w c:\program files\Real Jigsaw Puzzle
2009-03-18 05:48 . 2009-03-18 05:36 -------- d-----w c:\program files\Pastime Puzzles
2009-03-17 02:35 . 2009-03-16 03:55 -------- d-----w c:\program files\MaxGammon
2009-03-16 22:37 . 2009-03-11 07:08 -------- d-----w c:\program files\Sierra On-Line
2009-03-16 06:52 . 2009-03-16 03:15 -------- d-----w c:\program files\Jig Art Quest
2009-03-16 04:37 . 2009-03-16 04:14 -------- d-----w c:\program files\Trivia Machine
2009-03-15 10:25 . 2009-03-15 10:25 56268 ----a-w c:\windows\system32\drivers\scdemu.sys
2009-03-11 07:06 . 2008-09-18 15:12 -------- d-----w c:\program files\Tropix 2 Quest For The Golden Banana
2009-03-09 20:41 . 2009-03-09 20:40 -------- d-----w c:\program files\Casino Island To Go
2009-03-09 18:27 . 2009-03-09 18:27 -------- d-----w c:\program files\Monte Cristo
2009-03-09 18:06 . 2009-03-09 18:06 18048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-03-09 18:06 . 2009-03-09 18:06 165376 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-03-06 14:22 . 2005-01-20 22:39 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-01-20 22:39 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-01-20 22:39 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2005-01-20 22:39 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-01-20 22:39 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-01-20 22:39 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-01-20 22:39 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-01-20 22:39 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-01-20 22:39 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-01-20 22:39 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-01-20 22:39 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-01-20 22:39 56832 ----a-w c:\windows\system32\secur32.dll
2007-02-02 01:11 . 2009-04-08 16:25 582 ----a-w c:\program files\readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-04-03 2794928]
"SpeedConnectStartUp"="c:\program files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe" [2008-08-19 565760]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FunnyFace^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\FunnyFace\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\FunnyFace\\My Documents\\Downloads\\World_War_III_Black_Gold\\World_War_III_Black_Gold\\Setup\\Setup.exe"=

R3 gtermddo;gtermddo; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-04-12 603904]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 04:36]

2009-05-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-05-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]

2009-04-23 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
.
.
------- Supplementary Scan -------
.
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\FunnyFace\Application Data\Mozilla\Firefox\Profiles\zbb1v367.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\FunnyFace\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 12:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2181014624-4193887601-3606218973-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3d,98,c2,9f,79,0f,bb,ad,ff,73,d9,5d,af,ba,c4,22,e6,bb,ed,13,eb,e2,33,
92,66,4e,43,56,fd,38,93,01,b0,6c,86,d9,96,83,5b,89,69,cf,95,0f,71,8f,1d,44,\
"??"=hex:f0,a4,41,6a,64,c5,a6,28,9f,f8,a2,af,d6,2b,c1,6d

[HKEY_USERS\S-1-5-21-2181014624-4193887601-3606218973-1006\Software\SecuROM\License information*]
"datasecu"=hex:7b,c5,e1,8f,d0,57,9d,66,15,69,fe,df,66,af,7e,77,f3,07,d0,69,b6,
6e,a8,24,46,ed,48,21,04,a6,47,db,d0,41,33,7a,5a,1e,a1,59,d1,67,d6,86,2a,0b,\
"rkeysecu"=hex:92,ac,7d,59,c7,a9,f2,fc,1d,30,ff,2d,c7,b9,10,35
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-04 12:02
ComboFix-quarantined-files.txt 2009-05-04 19:02

Pre-Run: 16,235,134,976 bytes free
Post-Run: 17,151,668,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

342 --- E O F --- 2009-05-04 17:07

[sherriec09]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:37 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [SpeedConnectStartUp] C:\Program Files\CBS Software\SpeedConnect Internet Accelerator\SpeedConnectStartUp.exe -run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106517016812
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 5229 bytes

[Klean]

I don't see anything wrong. Your HJT log is clean. And Gmer (contained in ComboFix) did not detect any rootkits.

Remember, C:/RECYCLER is a location where a users deleted files are stored.

[sherriec09]

Thank you Klean. I guess the actual Recycler Trojan was taken care of before this then. When I saw the Recycler folder I just assumed it was back. I am sorry for all the trouble. Thank you so much for all your help.

[Klean]

To be certain, does the system file hide when using the steps above?

[sherriec09]

Yes it does. I unhid the files during one of the steps to the first cleaning and that is when I assumed it was the same one. Although it did stop showing up in my AV logs I still had files that could not be read and would give me an error, which is why I thought it was the same one.

[Klean]

*************************************************************************************************

This subject has been addressed or corrected. The subject is closed and if the original topic author needs to add to it please P.M. a staff member from this section.

*************************************************************************************************