virtumonde

M

music angel

New member
I have been getting virtumonde over and over when I scan I have been reading some of the forums on this but it seems I will need personalized help. I do not know what all this hijak this and the other (cant remamber its name) reports are so I am a little lost SORRY for being a little middle ages here but I am a little behind on the times. Thank you in advance for any help in fixing my computer as it is my only link to school.
 
Hi music angel and welcome to Safer Networking Forums :)

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
 
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:39 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [14b20e69] rundll32.exe "C:\WINDOWS\system32\jhewgdbm.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\wuoqynifsi.html

--
End of file - 5891 bytes
 
Hi

Rename HijackThis.exe to music.exe and post back a fresh HijackThis log, please :)
 
new log

I hope I did this right????


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:13 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\music.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {00E37622-B2CE-405E-9EFE-DF7B95493FF3} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314962DC-22C5-4288-8498-528E9F7FB691} - (no file)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - (no file)
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5DF6AFEE-2291-4041-9A74-354624861746} - (no file)
O2 - BHO: (no name) - {5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7} - C:\WINDOWS\system32\ddcya.dll
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D} - (no file)
O2 - BHO: (no name) - {91C56471-C1DE-491C-86C9-505B62717093} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - C:\WINDOWS\system32\mljhfda.dll
O2 - BHO: (no name) - {AA9B6101-A336-49A2-878B-A06D6693A8A7} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D} - C:\WINDOWS\system32\ogfuhfgc.dll
O2 - BHO: (no name) - {D760BC35-3F8C-46E4-8102-12025521060E} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DA74AF32-80B1-45B4-8E75-4282C4711546} - (no file)
O2 - BHO: (no name) - {E1B987CD-8C91-4CD5-A7CA-E4C0515530C7} - (no file)
O2 - BHO: (no name) - {E60261F1-7525-48D8-9F56-F2EF8FEA3A92} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EAE158E8-E25B-46D4-838E-C89A4A26B8A3} - (no file)
O2 - BHO: (no name) - {EF15D661-C2B8-4790-ADB0-E7AC20D6A31C} - (no file)
O2 - BHO: (no name) - {F87298B5-BF2B-47E0-ACCA-0EC11610279D} - (no file)
O2 - BHO: (no name) - {FBBADC36-691D-4DB3-87D8-473814B9BF0A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [14b20e69] rundll32.exe "C:\WINDOWS\system32\jhewgdbm.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddcyywx - ddcyywx.dll (file missing)
O20 - Winlogon Notify: mljhfda - C:\WINDOWS\SYSTEM32\mljhfda.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\System32\mlljk.dll (file missing)
O20 - Winlogon Notify: tuvvsqp - tuvvsqp.dll (file missing)
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\wuoqynifsi.html

--
End of file - 9206 bytes
 
Hi

Yes you did :)

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
 
combo and new hjt

just some fyi the computer did not want to restart during combofix it said "specified path could not be found please allow combofix to reboot system" I used the handy dandy ctrl alt del method to reboot.Also I still get error messages when starting most programs. It says "invalid windows file" RichEd20.dll and sometimes all caps of the same.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:18 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Trend Micro\HijackThis\music.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [14b20e69] rundll32.exe "C:\WINDOWS\system32\jhewgdbm.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: ddcyywx - ddcyywx.dll (file missing)
O20 - Winlogon Notify: mlljk - C:\WINDOWS\System32\mlljk.dll (file missing)
O20 - Winlogon Notify: tuvvsqp - tuvvsqp.dll (file missing)
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Hosts Plugin - Unknown owner - C:\WINDOWS\system32\spoolcv.exe (file missing)

--
End of file - 6040 bytes
 
combo

ComboFix 08-01-04.1 - rachp 2008-01-04 12:47:13.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.41 [GMT -5:00]
Running from: C:\Documents and Settings\rachp\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Danielle\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Danielle\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\asembl~1
C:\Program Files\asembl~1\r?ndll.exe
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\fnts~1
C:\Program Files\fnts~1\F?nts\
C:\Program Files\Internet Explorer\wuoqynifsi.html
C:\Program Files\outerinfo
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\SpyGuardPro
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
C:\WINDOWS\aconti.log
C:\WINDOWS\acontidialer.txt
C:\WINDOWS\adbar.dll
C:\WINDOWS\b122.exe
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\default.htm
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\acespy
C:\WINDOWS\system32\acespy\__acelog.ndx
C:\WINDOWS\system32\acespy\systune.exe
C:\WINDOWS\system32\akkkonro.ini
C:\WINDOWS\system32\aptfrdum.ini
C:\WINDOWS\system32\attvundy.dll
C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\c1
C:\WINDOWS\system32\cdkqvmwd.ini
C:\WINDOWS\system32\chwferbr.ini
C:\WINDOWS\system32\cklrbqrl.ini
C:\WINDOWS\system32\cnuvttyk.ini
C:\WINDOWS\system32\d1
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\YWIB39.sys
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\fdabhebv.ini
C:\WINDOWS\system32\fgsnlvhk.ini
C:\WINDOWS\system32\fomololn.dll
C:\WINDOWS\system32\fufdvxfe.ini
C:\WINDOWS\system32\hkxbfvwl.ini
C:\WINDOWS\system32\imdcgiji.ini
C:\WINDOWS\system32\isfwrcpq.ini
C:\WINDOWS\system32\iujpljxj.ini
C:\WINDOWS\system32\ivpglnrn.ini
C:\WINDOWS\system32\jkkklki.dll
C:\WINDOWS\system32\kbagfuia.ini
C:\WINDOWS\system32\keylqbft.ini
C:\WINDOWS\system32\khgkdhjf.ini
C:\WINDOWS\system32\krlnqnty.ini
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\lnmngejj.ini
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\lyxelygj.ini
C:\WINDOWS\system32\m8
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljhfda.dll
C:\WINDOWS\system32\nqtmwiqx.ini
C:\WINDOWS\system32\NSIS.Library.RegTool.v2.{7CFFFE65-D506-4D3C-A7AC-8CA3B0197BE5}.exe
C:\WINDOWS\system32\ogfuhfgc.dll
C:\WINDOWS\system32\ohcgcnib.dll
C:\WINDOWS\system32\ohwkqlvd.ini
C:\WINDOWS\system32\oqkaqtds.ini
C:\WINDOWS\system32\owijbyhp.ini
C:\WINDOWS\system32\oxbmvsll.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poquqbwo.ini
C:\WINDOWS\system32\pppavxhl.ini
C:\WINDOWS\system32\qanxeqbi.ini
C:\WINDOWS\system32\qfoweltl.ini
C:\WINDOWS\system32\qmortila.ini
C:\WINDOWS\system32\rfatvehg.ini
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa06yy
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\stdcpwmj.ini
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\stvojdgx.ini
C:\WINDOWS\system32\sznf.ascii
C:\WINDOWS\system32\tdgfghfm.ini
C:\WINDOWS\system32\tjqccaei.ini
C:\WINDOWS\system32\uhjuhtve.ini
C:\WINDOWS\system32\ujchaecb.ini
C:\WINDOWS\system32\utyafjlc.ini
C:\WINDOWS\system32\uvkevcde.ini
C:\WINDOWS\system32\vdyolnmk.ini
C:\WINDOWS\system32\vmanimbg.ini
C:\WINDOWS\system32\vvmntfoa.ini
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\winpfz37.sys
C:\WINDOWS\system32\wnsapii32.exe
C:\WINDOWS\system32\wosbunyh.ini
C:\WINDOWS\system32\xklgited.ini
C:\WINDOWS\system32\xklgited.ini2
C:\WINDOWS\system32\xklgited.tmp
C:\WINDOWS\system32\xtoffymj.ini
C:\WINDOWS\system32\xwkdrfle.ini
C:\WINDOWS\system32\ydehqcno.ini
C:\WINDOWS\system32\ylahigih.ini
C:\WINDOWS\system32\ylcwjrpr.ini
C:\WINDOWS\system32\ysnalukc.ini
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\wnsxs~1
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NNSERV
-------\LEGACY_YWIB39
-------\nm
-------\NNServ
 
combo2

((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 12:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 12:34 . 2008-01-04 12:34 29 --a------ C:\WINDOWS\system32\fyqgihat.tmp
2008-01-03 10:58 . 2008-01-03 10:58 <DIR> d-------- C:\Program Files\Avira
2008-01-03 10:58 . 2008-01-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-03 10:37 . 2008-01-03 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 10:08 . 2008-01-03 10:08 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-02 17:13 . 2008-01-02 17:13 <DIR> d-------- C:\kav
2008-01-02 15:59 . 2008-01-02 15:59 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-02 10:41 . 2008-01-02 10:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-02 10:41 . 2008-01-02 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 20:00 . 2008-01-03 11:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-01 18:55 . 2008-01-01 20:02 1,031,199 --ahs---- C:\WINDOWS\system32\mbdgwehj.ini
2008-01-01 16:22 . 2008-01-01 16:45 1,031,148 --ahs---- C:\WINDOWS\system32\cdbeyvdy.ini
2007-12-31 22:10 . 2008-01-03 13:23 <DIR> d-------- C:\Program Files\kernel
2007-12-31 22:01 . 2007-12-31 22:01 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-31 22:01 . 2007-12-31 22:01 <DIR> d-------- C:\Temp\cEeer12
2007-12-31 12:15 . 2007-12-31 12:16 1,031,139 --ahs---- C:\WINDOWS\system32\mvhplesj.ini
2007-12-30 18:28 . 2007-12-30 21:30 1,031,139 --ahs---- C:\WINDOWS\system32\cvhfaosa.ini
2007-12-30 10:42 . 2007-12-30 10:42 1,031,319 --ahs---- C:\WINDOWS\system32\dkpuxvdr.tmp
2007-12-29 20:02 . 2007-12-29 20:03 1,031,199 --ahs---- C:\WINDOWS\system32\dkpuxvdr.ini2
2007-12-29 18:48 . 2008-01-02 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 09:56 . 2007-12-28 10:33 1,031,199 --ahs---- C:\WINDOWS\system32\cxdxixcl.ini
2007-12-25 18:30 . 2007-12-26 11:06 1,027,582 --ahs---- C:\WINDOWS\system32\okjqjxci.ini
2007-12-24 18:31 . 2007-12-24 18:31 294 --ahs---- C:\WINDOWS\system32\qhhggccv.ini
2007-12-21 14:53 . 2007-12-21 14:53 137,216 --a------ C:\WINDOWS\system32\drivers\Pjmr55.sys
2007-12-15 14:00 . 2007-12-15 14:03 <DIR> d-------- C:\Program Files\iTunes
2007-12-15 13:40 . 2007-12-15 13:45 <DIR> d-------- C:\Program Files\QuickTime
2007-12-14 19:50 . 2007-12-18 07:44 4,565 --a------ C:\WINDOWS\system32\sft.res
2007-12-14 12:19 . 2007-12-14 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-13 09:34 . 2008-01-03 14:14 <DIR> d-------- C:\WINDOWS\sdir
2007-12-12 15:32 . 2007-12-12 15:32 294 --ahs---- C:\WINDOWS\system32\mxpcwkwh.ini
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 09:18 . 2007-12-11 09:18 <DIR> d--h----- C:\C_DILLA
2007-12-11 09:18 . 2007-12-11 09:17 112,128 -r-h----- C:\WINDOWS\CdaC14BA.DLL
2007-12-11 09:18 . 2007-12-11 09:18 39,936 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-11 09:18 . 2007-12-11 09:17 30,720 -r-h----- C:\WINDOWS\CdaC13BA.EXE
2007-12-07 13:58 . 2007-12-13 09:48 <DIR> d-------- C:\Documents and Settings\rachp\Application Data\ArcSoft
2007-12-07 13:50 . 2007-12-12 19:13 8,864 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-05 16:09 . 2007-12-29 14:20 <DIR> d-------- C:\Documents and Settings\Danielle\Application Data\BLSTOOLBAR
2007-12-05 10:27 . 2007-12-05 10:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-04 21:03 . 2007-12-04 21:03 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-04 18:35 . 2007-12-06 16:19 4 --a------ C:\WINDOWS\system32\jpewocmz.ini
2007-12-04 09:29 . 2007-12-04 10:11 7,043 --ahs---- C:\WINDOWS\system32\jmllm.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 14:53 --------- d-----w C:\Program Files\Common Files\okwf
2008-01-03 14:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\BLSTOOLBAR
2008-01-01 07:43 --------- d-----w C:\Program Files\Microsoft Image Composer
2007-12-30 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 19:20 --------- d-----w C:\Documents and Settings\rachp\Application Data\blstoolbar
2007-12-29 19:19 --------- d-----w C:\Documents and Settings\rachp\Application Data\LimeWire
2007-12-15 19:02 --------- d-----w C:\Program Files\iPod
2007-12-13 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 17:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-05 19:34 --------- d-----w C:\Program Files\Zpsekzdo
2007-12-05 19:33 --------- d-----w C:\Program Files\Twpejcvz
2007-12-03 16:17 --------- d-----w C:\Program Files\wdcbcxyx
2007-11-29 21:45 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-11-29 13:38 --------- d-----w C:\Documents and Settings\Administrator.TOSHIBA-USER.000\Application Data\Viewpoint
2007-11-29 03:40 --------- d-----w C:\Documents and Settings\Administrator.TOSHIBA-USER.000\Application Data\PC Tools
2007-11-26 18:16 --------- d-----w C:\Program Files\MySpace
2007-11-26 15:22 --------- d-----w C:\Program Files\Cool
2007-11-24 18:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-24 16:19 --------- d-----w C:\Program Files\blstoolbar
2007-11-24 14:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-23 20:54 --------- d-----w C:\Documents and Settings\rachp\Application Data\Viewpoint
2007-11-23 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-23 19:41 --------- d-----w C:\Program Files\Symantec
2007-11-20 00:30 --------- d-----w C:\Documents and Settings\rachp\Application Data\Media Player Classic
2007-11-15 03:05 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Yahoo!
2007-11-15 03:02 --------- d-----w C:\Documents and Settings\Danielle\Application Data\TuneUp Software
2007-11-15 03:01 --------- d-----w C:\Documents and Settings\Danielle\Application Data\MySpace
2007-11-13 16:06 --------- d-----w C:\Program Files\Microsoft Plus!
2007-11-13 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-11-13 00:44 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-13 00:43 --------- d-----w C:\Program Files\InterVideo
2007-11-09 04:24 --------- d-----w C:\Program Files\Plus! for Windows XP
2007-11-09 04:19 --------- d-----w C:\Program Files\TuneUp Utilities 2004
2007-11-09 04:18 --------- d-----w C:\Documents and Settings\rachp\Application Data\TuneUp Software
2007-10-27 17:27 66,269 ----a-w C:\Program Files\INSTALL.LOG
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
2005-09-26 22:49 422,726 --sha-w C:\WINDOWS\system32\kjllm.bak1
2005-10-07 19:20 338,578 --sha-w C:\WINDOWS\system32\kjllm.bak2
2005-10-07 21:32 338,982 --sha-w C:\WINDOWS\system32\kjllm.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00E37622-B2CE-405E-9EFE-DF7B95493FF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{314962DC-22C5-4288-8498-528E9F7FB691}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C56471-C1DE-491C-86C9-505B62717093}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA9B6101-A336-49A2-878B-A06D6693A8A7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D760BC35-3F8C-46E4-8102-12025521060E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA74AF32-80B1-45B4-8E75-4282C4711546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B987CD-8C91-4CD5-A7CA-E4C0515530C7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E60261F1-7525-48D8-9F56-F2EF8FEA3A92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E78B911A-6F68-4B84-8C19-EC417C9590E2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE158E8-E25B-46D4-838E-C89A4A26B8A3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF15D661-C2B8-4790-ADB0-E7AC20D6A31C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F87298B5-BF2B-47E0-ACCA-0EC11610279D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBBADC36-691D-4DB3-87D8-473814B9BF0A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 19:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 19:08 495616]
"TPSMain"="TPSMain.exe" [2004-03-03 14:57 278528 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 16:47 1089589]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39 159744]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 11:14 2061816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"14b20e69"="C:\WINDOWS\system32\jhewgdbm.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-03 11:37 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-12-15 14:05:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyywx]
ddcyywx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfda]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]
C:\WINDOWS\System32\mlljk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvsqp]
tuvvsqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]
winuqw32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddcya.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bilkxezq]
rundll32.exe C:\Program Files\wdcbcxyx\cjyxcnct.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nudgxazm]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\nudgxazm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
C:\Program Files\PC Tools AntiVirus\PCTAV.exe /MONITORSCAN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]
C:\WINDOWS\winshow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjyvstov]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\yjyvstov.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TUWinStylerThemeSvc"=2 (0x2)
"SymWSC"=2 (0x2)
"Swupdtmr"=2 (0x2)
"PCTAVSvc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NNServ"=2 (0x2)
"NICSer_WPC54G"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 16:52]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-25 02:36]
S2 Windows Hosts Plugin;Windows Hosts Plugin;"C:\WINDOWS\system32\spoolcv.exe" []
S3 atimtai;atimtai;C:\WINDOWS\system32\DRIVERS\atimtai.sys [2001-08-17 12:48]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-17 01:28]
S4 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 16:29]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 23:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-26 21:10:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 13:10:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\QTFont.for 1409 bytes
C:\WINDOWS\QTFont.qfn 54156 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-01-04 13:15:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-04 18:15:20
.
2008-01-02 21:01:22 --- E O F ---
 
Hi

Better :)

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\fyqgihat.tmp
C:\WINDOWS\system32\mbdgwehj.ini
C:\WINDOWS\system32\cdbeyvdy.ini
C:\WINDOWS\system32\mvhplesj.ini
C:\WINDOWS\system32\cvhfaosa.ini
C:\WINDOWS\system32\dkpuxvdr.tmp
C:\WINDOWS\system32\dkpuxvdr.ini2
C:\WINDOWS\system32\cxdxixcl.ini
C:\WINDOWS\system32\okjqjxci.ini
C:\WINDOWS\system32\qhhggccv.ini
C:\WINDOWS\system32\mxpcwkwh.ini
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini2

Folder::
C:\Temp\cEeer12
C:\WINDOWS\system32\ardCo01
C:\Program Files\Common Files\okwf
C:\Program Files\Zpsekzdo
C:\Program Files\Twpejcvz
C:\Program Files\wdcbcxyx

Driver::
Windows Hosts Plugin

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00E37622-B2CE-405E-9EFE-DF7B95493FF3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{314962DC-22C5-4288-8498-528E9F7FB691}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C56471-C1DE-491C-86C9-505B62717093}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA9B6101-A336-49A2-878B-A06D6693A8A7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D760BC35-3F8C-46E4-8102-12025521060E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA74AF32-80B1-45B4-8E75-4282C4711546}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B987CD-8C91-4CD5-A7CA-E4C0515530C7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E60261F1-7525-48D8-9F56-F2EF8FEA3A92}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E78B911A-6F68-4B84-8C19-EC417C9590E2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE158E8-E25B-46D4-838E-C89A4A26B8A3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF15D661-C2B8-4790-ADB0-E7AC20D6A31C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F87298B5-BF2B-47E0-ACCA-0EC11610279D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBBADC36-691D-4DB3-87D8-473814B9BF0A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"14b20e69"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyywx]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfda]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvsqp]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bilkxezq]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nudgxazm]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshow]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yjyvstov]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
new HJT

That went faster!

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:12:42 PM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\music.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5658 bytes

Combo
 
new combo log

ComboFix 08-01-04.1 - rachp 2008-01-04 13:56:54.2 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\rachp\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\rachp\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\cdbeyvdy.ini
C:\WINDOWS\system32\cvhfaosa.ini
C:\WINDOWS\system32\cxdxixcl.ini
C:\WINDOWS\system32\dkpuxvdr.ini2
C:\WINDOWS\system32\dkpuxvdr.tmp
C:\WINDOWS\system32\fyqgihat.tmp
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini2
C:\WINDOWS\system32\mbdgwehj.ini
C:\WINDOWS\system32\mvhplesj.ini
C:\WINDOWS\system32\mxpcwkwh.ini
C:\WINDOWS\system32\okjqjxci.ini
C:\WINDOWS\system32\qhhggccv.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\okwf
C:\Program Files\Common Files\okwf\okwfd\class-barrel
C:\Program Files\Common Files\okwf\okwfd\vocabulary
C:\Program Files\Common Files\okwf\okwfh
C:\Program Files\Twpejcvz
C:\Program Files\wdcbcxyx
C:\Program Files\Zpsekzdo
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe
C:\WINDOWS\system32\cdbeyvdy.ini
C:\WINDOWS\system32\cvhfaosa.ini
C:\WINDOWS\system32\cxdxixcl.ini
C:\WINDOWS\system32\dkpuxvdr.ini2
C:\WINDOWS\system32\dkpuxvdr.tmp
C:\WINDOWS\system32\fyqgihat.tmp
C:\WINDOWS\system32\jpewocmz.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini2
C:\WINDOWS\system32\mbdgwehj.ini
C:\WINDOWS\system32\mvhplesj.ini
C:\WINDOWS\system32\mxpcwkwh.ini
C:\WINDOWS\system32\okjqjxci.ini
C:\WINDOWS\system32\qhhggccv.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_WINDOWS_HOSTS_PLUGIN
-------\Windows Hosts Plugin


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 12:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 10:58 . 2008-01-03 10:58 <DIR> d-------- C:\Program Files\Avira
2008-01-03 10:58 . 2008-01-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-03 10:37 . 2008-01-03 10:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 10:08 . 2008-01-03 10:08 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-02 17:13 . 2008-01-02 17:13 <DIR> d-------- C:\kav
2008-01-02 15:59 . 2008-01-02 15:59 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-01-02 10:41 . 2008-01-02 10:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-02 10:41 . 2008-01-02 10:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-01 20:00 . 2008-01-03 11:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 22:10 . 2008-01-03 13:23 <DIR> d-------- C:\Program Files\kernel
2007-12-29 18:48 . 2008-01-02 12:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 14:53 . 2007-12-21 14:53 137,216 --a------ C:\WINDOWS\system32\drivers\Pjmr55.sys
2007-12-15 14:00 . 2007-12-15 14:03 <DIR> d-------- C:\Program Files\iTunes
2007-12-15 13:40 . 2007-12-15 13:45 <DIR> d-------- C:\Program Files\QuickTime
2007-12-14 19:50 . 2007-12-18 07:44 4,565 --a------ C:\WINDOWS\system32\sft.res
2007-12-14 12:19 . 2007-12-14 12:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-13 09:34 . 2008-01-03 14:14 <DIR> d-------- C:\WINDOWS\sdir
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-11 09:18 . 2007-12-11 09:18 <DIR> d--h----- C:\C_DILLA
2007-12-11 09:18 . 2007-12-11 09:17 112,128 -r-h----- C:\WINDOWS\CdaC14BA.DLL
2007-12-11 09:18 . 2007-12-11 09:18 39,936 --a------ C:\WINDOWS\system32\drivers\CDAC11BA.EXE
2007-12-11 09:18 . 2007-12-11 09:17 30,720 -r-h----- C:\WINDOWS\CdaC13BA.EXE
2007-12-07 13:58 . 2007-12-13 09:48 <DIR> d-------- C:\Documents and Settings\rachp\Application Data\ArcSoft
2007-12-07 13:50 . 2007-12-12 19:13 8,864 --a------ C:\WINDOWS\system32\drivers\CDAC15BA.SYS
2007-12-05 16:09 . 2007-12-29 14:20 <DIR> d-------- C:\Documents and Settings\Danielle\Application Data\BLSTOOLBAR
2007-12-05 10:27 . 2007-12-05 10:27 <DIR> d-------- C:\Program Files\Alwil Software
2007-12-04 21:03 . 2007-12-04 21:03 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-12-04 09:29 . 2007-12-04 10:11 7,043 --ahs---- C:\WINDOWS\system32\jmllm.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 14:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\BLSTOOLBAR
2008-01-01 07:43 --------- d-----w C:\Program Files\Microsoft Image Composer
2007-12-30 02:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-29 19:20 --------- d-----w C:\Documents and Settings\rachp\Application Data\blstoolbar
2007-12-29 19:19 --------- d-----w C:\Documents and Settings\rachp\Application Data\LimeWire
2007-12-15 19:02 --------- d-----w C:\Program Files\iPod
2007-12-13 17:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-13 17:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-29 21:45 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-11-29 13:38 --------- d-----w C:\Documents and Settings\Administrator.TOSHIBA-USER.000\Application Data\Viewpoint
2007-11-29 03:40 --------- d-----w C:\Documents and Settings\Administrator.TOSHIBA-USER.000\Application Data\PC Tools
2007-11-26 18:16 --------- d-----w C:\Program Files\MySpace
2007-11-26 15:22 --------- d-----w C:\Program Files\Cool
2007-11-24 18:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-24 16:19 --------- d-----w C:\Program Files\blstoolbar
2007-11-24 14:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-23 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-23 20:54 --------- d-----w C:\Documents and Settings\rachp\Application Data\Viewpoint
2007-11-23 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-23 19:41 --------- d-----w C:\Program Files\Symantec
2007-11-20 00:30 --------- d-----w C:\Documents and Settings\rachp\Application Data\Media Player Classic
2007-11-15 03:05 --------- d-----w C:\Documents and Settings\Danielle\Application Data\Yahoo!
2007-11-15 03:02 --------- d-----w C:\Documents and Settings\Danielle\Application Data\TuneUp Software
2007-11-15 03:01 --------- d-----w C:\Documents and Settings\Danielle\Application Data\MySpace
2007-11-13 16:06 --------- d-----w C:\Program Files\Microsoft Plus!
2007-11-13 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2007-11-13 00:44 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-11-13 00:43 --------- d-----w C:\Program Files\InterVideo
2007-11-09 04:24 --------- d-----w C:\Program Files\Plus! for Windows XP
2007-11-09 04:19 --------- d-----w C:\Program Files\TuneUp Utilities 2004
2007-11-09 04:18 --------- d-----w C:\Documents and Settings\rachp\Application Data\TuneUp Software
2007-10-27 17:27 66,269 ----a-w C:\Program Files\INSTALL.LOG
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00E37622-B2CE-405E-9EFE-DF7B95493FF3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D39A900-0F3A-4C29-A254-3E65244FDC34}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{314962DC-22C5-4288-8498-528E9F7FB691}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A54500A-65FE-4F4A-B860-20EAE2F577F9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C56471-C1DE-491C-86C9-505B62717093}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA9B6101-A336-49A2-878B-A06D6693A8A7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D760BC35-3F8C-46E4-8102-12025521060E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA74AF32-80B1-45B4-8E75-4282C4711546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1B987CD-8C91-4CD5-A7CA-E4C0515530C7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E60261F1-7525-48D8-9F56-F2EF8FEA3A92}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E78B911A-6F68-4B84-8C19-EC417C9590E2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EAE158E8-E25B-46D4-838E-C89A4A26B8A3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF15D661-C2B8-4790-ADB0-E7AC20D6A31C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F87298B5-BF2B-47E0-ACCA-0EC11610279D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FBBADC36-691D-4DB3-87D8-473814B9BF0A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 19:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 19:08 495616]
"TPSMain"="TPSMain.exe" [2004-03-03 14:57 278528 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-02-03 16:47 1089589]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2003-10-20 10:39 159744]
"BellSouthAlertManager.exe"="C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" [2007-01-28 11:14 2061816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-03 11:37 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2006-12-15 14:05:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyywx]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhfda]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlljk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvvsqp]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuqw32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
C:\Program Files\PC Tools AntiVirus\PCTAV.exe /MONITORSCAN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TUWinStylerThemeSvc"=2 (0x2)
"SymWSC"=2 (0x2)
"Swupdtmr"=2 (0x2)
"PCTAVSvc"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NNServ"=2 (0x2)
"NICSer_WPC54G"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"DVD-RAM_Service"=2 (0x2)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=2 (0x2)


.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 23:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-10-26 21:10:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 14:07:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\QTFont.for 1409 bytes
C:\WINDOWS\QTFont.qfn 54156 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-01-04 14:12:00
ComboFix-quarantined-files.txt 2008-01-04 19:11:35
ComboFix2.txt 2008-01-04 18:15:32
.
2008-01-02 21:01:22 --- E O F ---
 
Hi

And looks good, too :)

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Delete this:

C:\WINDOWS\system32\jmllm.tmp

Empty Recycle Bin.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
 
kaspersky and HJT

Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 05, 2008 11:57:01 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/01/2008
Kaspersky Anti-Virus database records: 502981
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 54105
Number of viruses found: 7
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 02:49:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService1.zip/core.sys Infected: Rootkit.Win32.Agent.sg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCCoreService1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip/ddcyywx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip/ddcyywx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip/ddcyywx.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rachp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\Temp\~DF8AC7.tmp Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\Temp\~DFAA32.tmp Object is locked skipped
C:\Documents and Settings\rachp\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rachp\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\rachp\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\ASEMBL~1\rυndll.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gq skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.haq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fomololn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkklki.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ogfuhfgc.dll.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ohcgcnib.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped
C:\QooBox\Quarantine\catchme2008-01-04_131016.93.zip/mljhfda.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clb skipped
C:\QooBox\Quarantine\catchme2008-01-04_131016.93.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28192166-DCD0-4901-AD1A-CB57DD193595}\RP2\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB822624$\hal.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntkrnlmp.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntkrnlpa.exe.000 Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntkrpamp.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828012$\ntoskrnl.exe.000 Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB830680$\keymgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.
 
didnt all fit here is HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:20 AM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Trend Micro\HijackThis\music.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {00E37622-B2CE-405E-9EFE-DF7B95493FF3} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314962DC-22C5-4288-8498-528E9F7FB691} - (no file)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - (no file)
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5DF6AFEE-2291-4041-9A74-354624861746} - (no file)
O2 - BHO: (no name) - {5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D} - (no file)
O2 - BHO: (no name) - {91C56471-C1DE-491C-86C9-505B62717093} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - (no file)
O2 - BHO: (no name) - {AA9B6101-A336-49A2-878B-A06D6693A8A7} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D} - (no file)
O2 - BHO: (no name) - {D760BC35-3F8C-46E4-8102-12025521060E} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DA74AF32-80B1-45B4-8E75-4282C4711546} - (no file)
O2 - BHO: (no name) - {E1B987CD-8C91-4CD5-A7CA-E4C0515530C7} - (no file)
O2 - BHO: (no name) - {E60261F1-7525-48D8-9F56-F2EF8FEA3A92} - (no file)
O2 - BHO: (no name) - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EAE158E8-E25B-46D4-838E-C89A4A26B8A3} - (no file)
O2 - BHO: (no name) - {EF15D661-C2B8-4790-ADB0-E7AC20D6A31C} - (no file)
O2 - BHO: (no name) - {F87298B5-BF2B-47E0-ACCA-0EC11610279D} - (no file)
O2 - BHO: (no name) - {FBBADC36-691D-4DB3-87D8-473814B9BF0A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: ddcyywx - C:\WINDOWS\
O20 - Winlogon Notify: mljhfda - C:\WINDOWS\
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: tuvvsqp - C:\WINDOWS\
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 8537 bytes
 
Hi

I see that you have re-enabled TeaTimer.

Please disable it and keep disabled until I say so; it interferes with your fixes.

After that:

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00E37622-B2CE-405E-9EFE-DF7B95493FF3} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {314962DC-22C5-4288-8498-528E9F7FB691} - (no file)
O2 - BHO: (no name) - {4A54500A-65FE-4F4A-B860-20EAE2F577F9} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5DF6AFEE-2291-4041-9A74-354624861746} - (no file)
O2 - BHO: (no name) - {5F811539-C263-4BD2-9DF6-1EF9C2A6DAE7} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {8EFBA3A0-6708-4F9C-B577-FDCBFF6ADE7D} - (no file)
O2 - BHO: (no name) - {91C56471-C1DE-491C-86C9-505B62717093} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D} - (no file)
O2 - BHO: (no name) - {AA9B6101-A336-49A2-878B-A06D6693A8A7} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {C7DCFF4D-15FB-3B2B-D85A-4DE605F3599D} - (no file)
O2 - BHO: (no name) - {D760BC35-3F8C-46E4-8102-12025521060E} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DA74AF32-80B1-45B4-8E75-4282C4711546} - (no file)
O2 - BHO: (no name) - {E1B987CD-8C91-4CD5-A7CA-E4C0515530C7} - (no file)
O2 - BHO: (no name) - {E60261F1-7525-48D8-9F56-F2EF8FEA3A92} - (no file)
O2 - BHO: (no name) - {E78B911A-6F68-4B84-8C19-EC417C9590E2} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {EAE158E8-E25B-46D4-838E-C89A4A26B8A3} - (no file)
O2 - BHO: (no name) - {EF15D661-C2B8-4790-ADB0-E7AC20D6A31C} - (no file)
O2 - BHO: (no name) - {F87298B5-BF2B-47E0-ACCA-0EC11610279D} - (no file)
O2 - BHO: (no name) - {FBBADC36-691D-4DB3-87D8-473814B9BF0A} - (no file)
O20 - Winlogon Notify: ddcyywx - C:\WINDOWS\
O20 - Winlogon Notify: mljhfda - C:\WINDOWS\
O20 - Winlogon Notify: mlljk - C:\WINDOWS\
O20 - Winlogon Notify: tuvvsqp - C:\WINDOWS\
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\

Close all windows including browser and press fix checked.

Reboot.

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
C:\QooBox\Quarantine

Empty Recycle Bin.

Post back a fresh HijackThis log.
 
That was scary

trying to read all those crazy letters to make sure I had the right ones! Well I hope I did it right

New HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:16 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Trend Micro\HijackThis\music.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] "C:\Program Files\BellSouth\AM\BellSouthAlertManager.exe" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\rachp\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5667 bytes
 
You must log in or register to reply here.
Back
Top