Smitfraud, popups, very! slow pc



bholcomb
2007-05-18, 13:36
Thanks in advance for your help! I was unable to boot into safe mode - it gets hung up at c:\windows\system32\drivers\mup.sys. Here's the HJT log (I had to rename the exe to brad.exe in order to be able to save the log).

Logfile of HijackThis v1.99.1
Scan saved at 06:17, on 2007-05-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\avp.exe
C:\WINDOWS\smanager.7.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\brad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0FD94D17-4F45-4D09-B3C9-2F894BBE2225} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tpdfsofo.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {66C7F911-37A4-4427-A33C-6FE33C94FDCD} - C:\WINDOWS\system32\gzbfvsbo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F5C7EFB5-8B32-4FFC-885D-1064D5AF53A2} - C:\WINDOWS\system32\yayya.dll (file missing)
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\gebyaba.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [Hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xbtopqvv.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: gebyaba - C:\WINDOWS\SYSTEM32\gebyaba.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winydp32 - winydp32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Win32 Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And here's the eTrust online AV scan:

Virus scan finished. 24 viruses found.
Scan Results: 148116 files scanned. 24 viruses were detected.

File Infection Status Path
version.jar-4d048a14-38284acb.zip>BaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
version.jar-4d048a14-38284acb.zip>VaaaaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
version.jar-4d048a14-38284acb.zip>Baaaaa.class Java/Shinwow.BJ infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
crtdcghcn.jar-584f6c7e-36182cf2.zip>BaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
crtdcghcn.jar-584f6c7e-36182cf2.zip>VaaaaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
crtdcghcn.jar-584f6c7e-36182cf2.zip>Baaaaa.class Java/Shinwow.BJ infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
Anima.class-67ae6f9c-1a067b1e.class Java/ByteVerify!exploit infected C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
version.jar-4d048a14-2114bd90.zip>BaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
version.jar-4d048a14-2114bd90.zip>VaaaaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
version.jar-4d048a14-2114bd90.zip>Baaaaa.class Java/Shinwow.BJ infected C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
animan.class-4379dbf2-727fe57c.class Java/ByteVerify!exploit infected C:\Documents and Settings\Amy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
wn0032.exe Win32/Oneraw!generic infected C:\Documents and Settings\Amy\
crtdcghcn.jar-7b1b014c-485400d4.zip>BaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Ashley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
crtdcghcn.jar-7b1b014c-485400d4.zip>VaaaaaaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Ashley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
crtdcghcn.jar-7b1b014c-485400d4.zip>Baaaaa.class Java/Shinwow.BJ infected C:\Documents and Settings\Ashley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
keygen.exe Win32/Harnig!generic infected C:\Program Files\Mozilla Firefox\
dk.dial.Vir Win32/SilentCaller.V infected C:\QUARANTINE\
gdnOT2202[1].exe.Vir Win32/SilentCaller.V infected C:\QUARANTINE\
dk.dial.Vir.0 Win32/SilentCaller.V infected C:\QUARANTINE\
gdnOT2202[1].exe.Vir.0 Win32/SilentCaller.V infected C:\QUARANTINE\
dk.dial.Vir.1 Win32/SilentCaller.V infected C:\QUARANTINE\
gdnOT2202[1].exe.Vir.1 Win32/SilentCaller.V infected C:\QUARANTINE\
backup-20040817-201612-338.dll Win32/Clspring!generic infected C:\My Documents\backups\
winstall.exe.vir Win32/Oneraw!generic infected C:\QooBox\Quarantine\C\

Thanx!

miekiemoes
2007-05-23, 10:20
Hello,

Perform the next steps in the right order:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {0FD94D17-4F45-4D09-B3C9-2F894BBE2225} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tpdfsofo.dll (file missing)
O2 - BHO: (no name) - {66C7F911-37A4-4427-A33C-6FE33C94FDCD} - C:\WINDOWS\system32\gzbfvsbo.dll
O2 - BHO: (no name) - {F5C7EFB5-8B32-4FFC-885D-1064D5AF53A2} - C:\WINDOWS\system32\yayya.dll (file missing)
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\gebyaba.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xbtopqvv.dll",realset
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: gebyaba - C:\WINDOWS\SYSTEM32\gebyaba.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: winydp32 - winydp32.dll (file missing)
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if you receive an error in HijackThis.

* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click combofix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
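
One way to confirm that the Fix Checked step actually removed the flagged entries, as an added example that is not part of the thread and not a HijackThis feature: it parses the HJT line format used in the logs above, keys each entry by CLSID, Run-key value name, Winlogon Notify subkey or service name, and reports which entries from a fix list still appear in a later log. The sample logs are constructed from lines quoted in this thread, with one entry (NNServ) deliberately left in the "after" log so the report has something to show.

```python
"""Check which HijackThis entries marked for 'Fix Checked' survive in a later log.

Added example for this thread; it is not a HijackThis feature and not the
helper's tool. The sample logs below are constructed from lines quoted in the
thread plus a few ordinary entries, with one entry (NNServ) deliberately left
in the "after" log so the report has something to show.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every HJT finding starts with a section tag such as R1, O2, O4, O20, O23.
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O20", ...
    key: str      # identity used to match the same entry across two scans
    raw: str      # the original log line


def entry_key(section: str, body: str) -> str:
    """Build a key that ignores path case and spelling differences between scans."""
    m = CLSID.search(body)
    if m:                                   # BHO, toolbar, DPF, protocol handler
        return f"{section}:{m.group(0).upper()}"
    if section == "O4":                     # Run-key value name in [brackets]
        m = re.search(r"\[([^\]]+)\]", body)
        if m:
            return f"O4:{m.group(1).lower()}"
    if section == "O20":                    # Winlogon Notify subkey or AppInit DLL
        m = re.match(r"(Winlogon Notify|AppInit_DLLs):\s*(\S+)", body)
        if m:
            return f"O20:{m.group(1)}:{m.group(2).lower()}"
    if section == "O23":                    # service display name
        m = re.match(r"Service:\s*(.+?)\s+-\s", body)
        if m:
            return f"O23:{m.group(1).lower()}"
    return f"{section}:{body.lower()}"      # fallback: the whole line


def parse_hjt(text: str) -> list[Entry]:
    """Extract HJT finding lines; process lists, headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m.group(1), entry_key(m.group(1), m.group(2)), line))
    return entries


def still_present(fix_list: str, new_log: str) -> list[Entry]:
    """Entries from the fix list whose key reappears in the new log."""
    seen = {e.key for e in parse_hjt(new_log)}
    return [e for e in parse_hjt(fix_list) if e.key in seen]


def report(fix_list: str, new_log: str) -> str:
    """Human-readable summary of what survived the fix."""
    left = still_present(fix_list, new_log)
    if not left:
        return "All flagged entries are gone."
    return "\n".join("STILL PRESENT: " + e.raw for e in left)


# Constructed sample: part of the helper's fix list as quoted in the thread.
FIX_LIST = r"""
O2 - BHO: (no name) - {0FD94D17-4F45-4D09-B3C9-2F894BBE2225} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - C:\WINDOWS\system32\gebyaba.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\xbtopqvv.dll",realset
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -
O20 - AppInit_DLLs: sfklg.dll
O20 - Winlogon Notify: gebyaba - C:\WINDOWS\SYSTEM32\gebyaba.dll
O20 - Winlogon Notify: winydp32 - winydp32.dll (file missing)
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
"""

# Constructed "after" log: ordinary entries plus one survivor (NNServ, path case changed).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NNServ - Unknown owner - c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" ServiceStart (file missing)
"""

if __name__ == "__main__":
    print(report(FIX_LIST, AFTER_LOG))
```

Run it with the fix list and the fresh log pasted in place of the constructed samples; a service that survives is worth checking in the other ControlSet keys as well, as the ComboFix output later in this thread does.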

bholcomb
2007-05-23, 12:32
I put a post in the "if you have waited 4 days..." thread - I'm thinking you haven't seen it. BTW - all of you helper folks rock! My son has made great progress in healing our computer and it is behaving much better. I'm thinking I should do a fresh HJT scan and possibly an online AV scan?

miekiemoes
2007-05-23, 12:44
Hi,

Yes, I did read your post in the "if you have waited 4 days..." thread.
Please perform the steps I asked and post the logs I asked. That's the only way to clean your system properly from leftovers. :)

bholcomb
2007-05-23, 23:36
I checked for those items within HijackThis - none of them were there anymore.

Here is the Combofix log:

"Administrator2" - 2007-05-23 16:18:05 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Administrator2\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\ICROSO~1.NET


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-23 ))))))))))))))))))))))))))))))))))


2007-05-22 18:50 <DIR> d-------- C:\DOCUME~1\Daniel\APPLIC~1\WinRAR
2007-05-21 22:15 <DIR> d-------- C:\WINDOWS\pss
2007-05-21 00:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1.WEB\APPLIC~1\Google
2007-05-20 22:26 <DIR> d-------- C:\DOCUME~1\Brad\APPLIC~1\Prevx
2007-05-20 21:52 <DIR> d-------- C:\Program Files\RegCleaner
2007-05-20 20:23 1,506,349 ---hs---- C:\WINDOWS\system32\fhhkj.bak2
2007-05-20 19:47 <DIR> d--hs---- C:\FOUND.000
2007-05-20 19:17 77,312 --a------ C:\WINDOWS\ua2.dll
2007-05-19 22:26 <DIR> d-------- C:\DOCUME~1\ADMINI~2\APPLIC~1\Webroot
2007-05-19 22:25 <DIR> d-------- C:\DOCUME~1\ADMINI~2\APPLIC~1\GetRightToGo
2007-05-19 20:51 1,500,193 ---hs---- C:\WINDOWS\system32\fhhkj.ini2
2007-05-18 06:13 <DIR> d-------- C:\HJT
2007-05-17 16:55 1,498,278 ---hs---- C:\WINDOWS\system32\fhhkj.bak1
2007-05-17 16:12 <DIR> d-------- C:\VundoFix Backups
2007-05-16 23:21 29,184 --a------ C:\DOCUME~1\Amy\wn0032.exe
2007-05-15 01:09 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-13 01:32 <DIR> d-------- C:\DOCUME~1\Brad\APPLIC~1\SmartShopper
2007-05-13 01:30 <DIR> d-------- C:\Program Files\?icrosoft.NET
2007-05-13 01:23 <DIR> d--hs---- C:\WINDOWS\QnJhZCAmIExhdXJpZSBIb2xjb21i
2007-05-05 22:24 <DIR> d-------- C:\Program Files\Microsoft Games
2007-04-27 16:26 <DIR> d-------- C:\DOCUME~1\Ali\APPLIC~1\AdobeUM
2007-04-23 18:21 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-13 06:30:20 -------- d-----w C:\Program Files\?icrosoft.NET
2007-04-23 03:18:34 -------- d-----w C:\Program Files\DANCE!ONLINE
2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-10 18:18:00 -------- d-----w C:\Program Files\The Weather Channel FW
2007-04-10 18:17:42 -------- d-----w C:\Program Files\Freeze.com
2007-04-10 18:16:54 -------- d-----w C:\Program Files\SmartShopper
2007-04-10 18:16:52 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-10 02:52:36 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2007-04-10 02:51:52 -------- d-----w C:\Program Files\Strategy First
2007-04-01 18:43:30 -------- d-----w C:\Program Files\AOL Games
2007-03-31 05:06:04 -------- d-----w C:\Program Files\WarRock
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 12:51:28 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-03-15 17:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 17:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-04 22:58:48 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-03-04 22:58:48 118,784 ----a-w C:\WINDOWS\system32\pdfmona.dll
2007-03-02 02:34:00 2,669,989 ----a-w C:\WINDOWS\Power Of Prayers Screensaver.scr
2007-03-02 02:32:38 2,278,004 ----a-w C:\WINDOWS\Walk Despite Everything Screensaver.scr
2007-03-02 02:29:54 1,382,016 ----a-w C:\WINDOWS\Sun Rises Again Screensaver.scr
2007-03-02 02:29:30 845,578 ----a-w C:\WINDOWS\Real Happiness Screensaver.scr
2007-03-01 20:02:18 4,096 ----a-w C:\WINDOWS\d3dx.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-08-17 09:40]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2005-03-22 19:05 C:\WINDOWS\system32\atiptaxx.exe]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63e654e1-e10a-11d9-a1d9-806d6172696f}]
AutoRun\command- E:\AutoRun.exe

*Newly Created Service* -ENTDRV51


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070521-220828-171
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

backup-20070521-220530-897
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -

backup-20070521-220530-669
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

backup-20070521-220530-648
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} -

backup-20070521-220530-448
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

backup-20070521-220530-515
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

backup-20070521-220531-939
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

backup-20070520-225327-271
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

backup-20070520-223911-304
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

backup-20070520-223911-225
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)

backup-20070520-223910-172
O20 - Winlogon Notify: gebyaba - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebyaba]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"



backup-20070520-223910-680
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhf]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="RealLogon"
"Logoff"="RealLogoff"



backup-20070520-223911-478
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"InstallNotifyShown"=dword:00000001
"Event"=dword:00000002
"EulaAccepted"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]



backup-20070520-223911-238
O20 - Winlogon Notify: winydp32 - winydp32.dll (file missing)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winydp32]
"Asynchronous"=dword:00000001
"DllName"="winydp32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"



backup-20070520-223911-692
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

backup-20070520-223911-762
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)

backup-20070520-223856-957
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

backup-20070520-223856-924
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20070520-223856-648
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

backup-20070520-223856-245
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe

backup-20070520-223856-310
O2 - BHO: (no name) - {FC1F1603-BD10-4C8A-AF57-4E2E3D7BE277} - (no file)

backup-20070520-223856-753
O2 - BHO: (no name) - {F5C7EFB5-8B32-4FFC-885D-1064D5AF53A2} - C:\WINDOWS\system32\yayya.dll (file missing)

backup-20070520-223856-939
O2 - BHO: (no name) - {842E190B-B115-4A0A-8FCD-1DA013C6CD04} - (no file)

backup-20070520-223856-809
O2 - BHO: (no name) - {66C7F911-37A4-4427-A33C-6FE33C94FDCD} - C:\WINDOWS\system32\gzbfvsbo.dll (file missing)

backup-20070520-223856-295
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - C:\WINDOWS\system32\tpdfsofo.dll (file missing)

backup-20070520-223856-378
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 16:25:46
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\NNServ]
"ImagePath"="\"C:\Program Files\NewDotNet\nnrun.exe\" \"C:\Program Files\NewDotNet\nncore.dll\" ServiceStart"

Completion time: 2007-05-23 16:28:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-23 16:28

--- E O F ---

I'll have to put the HJT log in another post...

bholcomb
2007-05-23, 23:38
Here's a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:19 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\HJT\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Win32 Configuration Server (NGServer) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again!
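Reading a log like the one above by hand is error-prone, so here is an added example (not a tool from this thread or from the HijackThis project) that triages HijackThis "O" entries in Python. The sample lines are copied from the logs posted in this thread. It flags BHOs with "(no name)" or "(no file)", autostart entries whose binary is reported "(file missing)", and Run entries given as a bare filename. One point worth encoding explicitly: a legitimate Windows binary that has been deleted shows up in the log exactly like an orphaned malware entry, so the script reports those separately rather than suggesting the entry be "fixed". The WINDOWS_COMPONENTS set is an assumption limited to the two Windows files named in this thread; a real tool would carry a much longer list.

```python
"""Triage of HijackThis "O" entries. Added example, not a tool from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F5C7EFB5-8B32-4FFC-885D-1064D5AF53A2} - C:\WINDOWS\system32\yayya.dll (file missing)
O2 - BHO: (no name) - {842E190B-B115-4A0A-8FCD-1DA013C6CD04} - (no file)
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A command is "qualified" when quoted, drive-rooted, or rooted in a %variable%.
QUALIFIED_RE = re.compile(r'^(?:"|[A-Za-z]:\\|%)')

# Windows files named in this thread. Assumption for the example only: a real
# tool would carry a much longer list of protected system binaries.
WINDOWS_COMPONENTS = {"alg.exe", "wgalogon.dll"}


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]
    path: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into section, kind, display name, CLSID and file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.group("section", "kind", "rest")
    if section == "O4":
        rm = RUN_RE.match(rest)  # "[ValueName] command"
        if rm:
            return Entry(section, kind, rm["name"], None, rm["cmd"])
    cm = CLSID_RE.search(rest)
    if cm:  # "<name> - {CLSID} - <path>"
        name = rest[:cm.start()].rstrip(" -")
        path = rest[cm.end():].lstrip(" -") or None
        return Entry(section, kind, name, cm.group(0), path)
    if " - " in rest:  # "<name> - <owner> - <path>" or "<name> - <path>"
        name, _, path = rest.rpartition(" - ")
        return Entry(section, kind, name, None, path)
    return Entry(section, kind, rest, None, None)


def basename(path: Optional[str]) -> str:
    """Lower-cased file name with any trailing "(file missing)" note dropped."""
    if not path:
        return ""
    return path.split("\\")[-1].split(" ")[0].lower()


def triage(log_text: str) -> List[Entry]:
    """Parse every O-entry and attach findings; clean entries are returned too."""
    entries = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        low = line.lower()
        if "(file missing)" in low:
            if basename(e.path) in WINDOWS_COMPONENTS:
                e.findings.append("windows component missing: restore the file, do not just fix the entry")
            else:
                e.findings.append("binary missing: orphaned autostart, safe to fix")
        if "(no file)" in low:
            e.findings.append("CLSID with no file: orphaned registration")
        if e.section == "O2" and e.name.lower() == "(no name)":
            e.findings.append("unnamed BHO")
        if e.section == "O4" and e.path and not QUALIFIED_RE.match(e.path):
            e.findings.append("unqualified command: confirm which file on the search path actually runs")
        entries.append(e)
    return entries


def suspicious(log_text: str) -> List[Entry]:
    """Only the entries that have at least one finding."""
    return [e for e in triage(log_text) if e.findings]
```

Running `suspicious(SAMPLE_LOG)` on the sample returns five entries: the three BHOs, the ALG service (reported as a Windows component to restore, which is exactly the case discussed later in this thread), and the AtiPTA Run entry, which is flagged only because it is given as a bare filename, not because it is malicious.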

miekiemoes
2007-05-24, 07:35
Hi,

Let's deal with the rest now...

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Delete next files:

C:\WINDOWS\system32\fhhkj.bak2
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\fhhkj.bak1

Delete next folders:

C:\VundoFix Backups
C:\DOCUME~1\Brad\APPLIC~1\SmartShopper
C:\WINDOWS\QnJhZCAmIExhdXJpZSBIb2xjb21i
C:\Program Files\RegCleaner <== this so called regcleaner comes with malware.
C:\Program Files\Freeze.com
C:\Program Files\SmartShopper

Next folder is a bit more advanced to remove, not because it won't get removed, but because it may look exactly like a legit folder, so make sure you don't delete the legit one.

C:\Program Files\?icrosoft.NET <== this folder may look like Microsoft.Net. Don't delete any other Microsoft.Net folders anywhere else. To make sure you are deleting the right one, rightclick the folder and choose properties. The bad folder is dated: 2007-05-13 01:30

Then, Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\DOCUME~1\Amy\wn0032.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

bholcomb
2007-05-24, 14:05
Here's the results of scanning wn0032.exe :

STATUS: FINISHED
Complete scanning result of "wn0032.exe", received in VirusTotal at 05.24.2007, 13:54:10 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.23.2007 Win-AppCare/Renos.29192
AntiVir 7.4.0.27 05.24.2007 TR/Dldr.Small.cpg.1
Authentium 4.93.8 05.23.2007 could be infected with an unknown virus
Avast 4.7.997.0 05.24.2007 no virus found
AVG 7.5.0.467 05.23.2007 Generic2.MOH
BitDefender 7.2 05.24.2007 Adware.Renos.WY
CAT-QuickHeal 9.00 05.23.2007 Hoax.Renos.gk (Not a Virus)
ClamAV devel-20070416 05.24.2007 Trojan.Downloader.Small-1339
DrWeb 4.33 05.24.2007 Trojan.Fakealert
eSafe 7.0.15.0 05.21.2007 no virus found
eTrust-Vet 30.7.3660 05.24.2007 Win32/Oneraw!generic
Ewido 4.0 05.24.2007 Downloader.Small.cpg
FileAdvisor 1 05.24.2007 Low threat detected
Fortinet 2.85.0.0 05.24.2007 Adware/Spywad
F-Prot 4.3.2.48 05.23.2007 no virus found
F-Secure 6.70.13030.0 05.24.2007 not-virus:Hoax.Win32.Renos.gk
Ikarus T3.1.1.8 05.24.2007 not-a-virus:Hoax.Win32.Renos.gk
Kaspersky 4.0.2.24 05.24.2007 not-virus:Hoax.Win32.Renos.gk
McAfee 5037 05.23.2007 potentially unwanted program Adware-PestTrap
Microsoft 1.2503 05.22.2007 TrojanDownloader:Win32/Renos.gen!A
NOD32v2 2289 05.24.2007 a variant of Win32/Adware.SpySheriff
Norman 5.80.02 05.23.2007 no virus found
Panda 9.0.0.4 05.24.2007 Adware/PestTrap
Prevx1 V2 05.24.2007 no virus found
Sophos 4.17.0 05.23.2007 Troj/Spywad-Gen
Sunbelt 2.2.907.0 05.24.2007 Trojan-Downloader.Winstall
Symantec 10 05.24.2007 SpySheriff
TheHacker 6.1.6.121 05.23.2007 no virus found
VBA32 3.12.0 05.23.2007 Trojan.Fakealert
VirusBuster 4.3.23:9 05.23.2007 Trojan.Renos.CZ
Webwasher-Gateway 6.0.1 05.24.2007 Trojan.Dldr.Small.cpg.1


Additional Information
File size: 29184 bytes
MD5: 12135978aa747b4523068006f17b47e9
SHA1: d89436850ffc15e5e6027d1c0fff8b9f832ec732
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=12135978aa747b4523068006f17b47e9

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

miekiemoes
2007-05-24, 14:24
Hi,

Looks like your Antivirus didn't recognise this file while most scanners do - so delete next file manually:

C:\DOCUME~1\Amy\wn0032.exe

Also, from your HijackThislog, I see next legitimate service/file missing:

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)

Did you delete the alg.exe? Because from your first log, it didn't show as file missing - because when present, it won't even show in your HijackThis log.
This is what alg.exe is: http://www.liutilities.com/products/wintaskspro/processlibrary/alg/

So, use the search function in XP and look if there are other instances of alg.exe present, because you have to copy it again to your system32-folder
Normally, there should be one present in the hidden system folder C:\Windows\system32\dllcache. But the fact that it didn't replace automatically makes me think there's no copy of it in the dllcache.

I also see from your Combofix log you have been deleting WgaLogon.dll. Are there any other legit files you have been deleting? :(
Because you said in the other thread that you solved your problem and dealt with it on your own, but you are still having some issues with choppy sound and a choppy mouse. So this makes me wonder if you deleted anything else which you were not supposed to delete either.....
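Three of the checks in this thread are done by hand: submitting wn0032.exe to VirusTotal and reading back its digests, locating a second copy of alg.exe (system32\dllcache) before copying it back into system32, and telling the bad "?icrosoft.NET" folder apart from the real Microsoft.NET one by its date. The following is an added example, not a tool from the thread, that does the file-level part of this in Python: it hashes files and compares them with the MD5/SHA1 that VirusTotal reported above, finds every copy of a named file under a directory tree and checks that the copies agree, and flags folder names that contain non-ASCII characters and closely resemble a legitimate name. The demo tree it builds is constructed (placeholder bytes, not real binaries), and the lookalike character used is an assumption: the thread shows the bad folder as "?icrosoft.NET" and the actual character is not recoverable, so a Cyrillic capital Em (U+041C) stands in for the Latin M here.

```python
"""File-level triage helpers. Added example, not a tool from the thread."""
import difflib
import hashlib
import os
import tempfile

# Digests VirusTotal reported for wn0032.exe in this thread. A file with either
# digest is that sample, whatever its name or location.
KNOWN_BAD = {
    "md5": {"12135978aa747b4523068006f17b47e9"},
    "sha1": {"d89436850ffc15e5e6027d1c0fff8b9f832ec732"},
}


def file_digests(path, chunk_size=1 << 16):
    """Return MD5, SHA-1 and size for a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "size": os.path.getsize(path)}


def is_known_bad(digests):
    """True when either digest matches a listed sample."""
    return (digests["md5"] in KNOWN_BAD["md5"]
            or digests["sha1"] in KNOWN_BAD["sha1"])


def find_copies(root, filename):
    """Map every file named `filename` under `root` (case-insensitive, as on
    Windows file systems) to its digests. Use this before copying
    dllcache\\alg.exe back into system32: all copies found should hash the same."""
    wanted = filename.lower()
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                full = os.path.join(dirpath, name)
                copies[full] = file_digests(full)
    return copies


def copies_agree(copies):
    """True when all located copies share one SHA-1 (or there is at most one)."""
    return len({d["sha1"] for d in copies.values()}) <= 1


def lookalike_dirs(root, legit_names, cutoff=0.8):
    """Directory names directly under `root` that contain non-ASCII characters
    and closely resemble one of `legit_names`, e.g. one letter swapped."""
    hits = []
    for name in os.listdir(root):
        if not os.path.isdir(os.path.join(root, name)) or name.isascii():
            continue
        close = difflib.get_close_matches(name, legit_names, n=1, cutoff=cutoff)
        if close:
            hits.append((name, close[0]))
    return hits


def build_demo_tree(base):
    """Constructed layout mimicking the paths discussed in the thread.
    File contents are placeholders, not the real binaries."""
    sys32 = os.path.join(base, "WINDOWS", "system32")
    os.makedirs(os.path.join(sys32, "dllcache"))
    for rel in (("dllcache", "alg.exe"), ("ALG.EXE",)):
        with open(os.path.join(sys32, *rel), "wb") as fh:
            fh.write(b"placeholder alg.exe")  # identical bytes: copies agree
    pf = os.path.join(base, "Program Files")
    os.makedirs(os.path.join(pf, "Microsoft.NET"))
    # Assumption: Cyrillic Em (U+041C) stands in for the unrecoverable "?" char.
    os.makedirs(os.path.join(pf, "\u041cicrosoft.NET"))


def run_demo():
    """Build the constructed tree in a temp dir and run all three checks on it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        copies = find_copies(os.path.join(base, "WINDOWS"), "alg.exe")
        return {
            "copies_found": len(copies),
            "copies_agree": copies_agree(copies),
            "any_known_bad": any(is_known_bad(d) for d in copies.values()),
            "sizes": sorted(d["size"] for d in copies.values()),
            "lookalikes": lookalike_dirs(os.path.join(base, "Program Files"),
                                         ["Microsoft.NET"]),
        }
```

On a real machine you would point `find_copies` at C:\WINDOWS and `lookalike_dirs` at C:\Program Files. Agreement between the copies tells you only that they are the same file, not that the file is clean; a digest match against a vendor-published hash (not available in this thread) is the stronger check.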

bholcomb
2007-05-24, 23:52
I deleted wn0032.exe

I'm guessing my son must have deleted those two files as he spent many hours working on this pc over the weekend. I was able to find alg.exe in the dllcache folder and copied it back into the windows/system32 folder. I believe also that the windows genuine advantage piece (wgalogon.dll) is back in place.

As far as the sound/mouse funkiness, that's been happening for quite some time - we've just lived with it. The sound is "jumpy/crackly" at boot for a minute or two, then it seems to straighten out. The mouse is continually slow to respond - you have to wait for it catch up with you.

miekiemoes
2007-05-25, 00:13
Hi,

Good you could restore the missing files. You said that sound is "jumpy" at boot but once Windows is fully loaded everything is ok again? Guess it's mainly because of the programs which are loaded during boot - depending how much ram this computer has etc etc. Not sure what causes the slow mouse though. Could be a problem with the mouse itself, so you may want to try another mouse and look if it's the same problem.

Anyway, it won't hurt to read and perform the steps provided here as well:
Help! My computer is slow! (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)

Also, most important thing..

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.

Happy Surfing again!

bholcomb
2007-05-25, 20:21
Are you saying my last posted logs look clean? Except for the wn0032.exe, alg.exe and wgalogon.dll issues?

miekiemoes
2007-05-25, 20:48
Except for the wn0032.exe, alg.exe and wgalogon.dll issues?

We already solved that... You deleted the wn0032.exe and replaced the alg.exe and wgalogon.dll again, as I understood from one of your previous posts.

Yes, your latest HijackThislog looks clean again. :)

bholcomb
2007-05-25, 21:52
Thank you so much for your help! I really appreciate it!

I have gone through some of your last suggestions (slow pc, etc.) and have tried a few things (turning on dma, eliminating unnecessary startups and so on) but they haven't helped with the overall slowness. Can you recommend another forum where I might get some system-slowness help one-on-one?

miekiemoes
2007-05-25, 22:05
Hi,

Did you also defragment your drive? Also keep in mind, older computers do run slower over the years - I also don't know how much RAM this system has, how full your drive is, etc.

What people also frequently try is, when their system is slow and they cannot really find the cause, they uninstall their current security software - since Security Software is actually the biggest resource hog - and check if that improves speed. If so, they install another one which runs smoother. Because it is a fact that on some systems, certain Security software may cause a huge slowdown while it works perfectly on other systems.

The best troubleshooting site imho are the pcpitstop tests:
http://www.pcpitstop.com/pcpitstop/
Register there and run the full tests. Then you'll get a page with results and a detailed description + solutions. Also, their forum gives excellent support.

bholcomb
2007-05-26, 00:12
Thanks and have a good weekend! I'll try your suggestions!

Bye!

miekiemoes
2007-05-26, 00:17
You're welcome and have a good weekend as well :)