Virtumond (I think) DIFFERENT FROM THE OTHERS! I tried solutions posted none worked.



jonathanasdf
2007-11-21, 08:14
This seems to be a variant of the Virtumond virus. I have run scans using

NOD32,
Lavasoft Ad-Aware 2007
Kaspersky Anti-Virus 2007
Spybot S&D

As well as used VundoFix.

However, none of them detected the problem.

Using security task manager, I managed to find the file that was causing the problem as

vturr.dll

which, when I googled it, returned a Virtumond virus. However, instead of popping up fake antiviruses, my computer generates popups of random search sites, and sometimes sites which show "This offer is not available in your region, you will be redirected shortly".

However, none of the antiviruses detected vturr.dll as a virus. I will attach the logs in the next post due to space limitations.

Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:20:57, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
G:\vist\HiJackThis_v2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BE605A1A-9F87-40C2-A241-5A8D41F72BC0} - C:\WINDOWS\system32\vturr.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Microsoft] wuaudit.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet 资源搜索 - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 12547 bytes



Kaspersky Online Scanner doesn't work for me, but the full version did not detect any viruses.

Spybot S&D detected and removed:

Bifrose.LA
-HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
-HKEY_USERS\S-1-5-21-57989841-1336601894-682003330-1007\Software\Bifrost

Win32.Poison.k
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices\Microsoft

CoolWWWSearch.SmartSearch
-explorer.exe

Microsoft.Windows.Security.InternetExplorer
-HKEY_USERS\S-1-5-21-57989841-1336601894-682003330-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Thanks.

pskelley
2007-11-22, 02:12
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

C:\WINDOWS\system32\vturr.dll <<< This is a Vundo file, much of that infection is usually hidden, so I can't say anything about it yet.

O4 - HKLM\..\Run: [Microsoft] wuaudit.exe <<< this one is a real problem, look here:
http://spywarefiles.prevx.com/RRHFFF42563223/WUAUDIT.EXE.html
Installs programs.
Deletes programs.
Creates Run Keys.
Runs other programs.
Communicates with web sites using httpout protocols.
Has outbound communications.
Creates known malware.
Creates copies of itself.

You need to read this information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
One way or another you need to keep this computer offline to deny that trojan access to the web. If you want to clean the computer you need to start like this.

1) Make sure Spybot S&D is totally up to date and fully immunized, then run it again.

2) G:\vist\HiJackThis_v2.exe <<< delete this obsolete copy of HJT and follow these directions:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks
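
The two entries singled out in the reply above (a nameless O2 BHO loaded from system32, and an O4 Run value that is just a bare filename with no path) can be checked mechanically. The Python triage script below is an added example, not part of this thread or of HijackThis, Spybot or SDFix; it runs over a few constructed lines copied from the log posted earlier in the thread, and the severity labels are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log posted in this
# thread, mixing benign entries with the two the helper singled out.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BE605A1A-9F87-40C2-A241-5A8D41F72BC0} - C:\WINDOWS\system32\vturr.dll
O4 - HKLM\..\Run: [Microsoft] wuaudit.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")

# A nameless BHO living under the Windows directory is the Vundo pattern
# the helper pointed at (vturr.dll); the same pattern elsewhere only gets
# a "review" label, because legitimate helpers such as SDHelper.dll also
# register without a display name.
WINDOWS_DIR_MARKER = "\\windows\\"


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review" (labels chosen for this example)
    section: str    # HijackThis section the line came from (O2 / O4)
    item: str       # the file or command the finding is about
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_filename(exe: str) -> bool:
    """True when the entry names a file with no directory at all (e.g. wuaudit.exe)."""
    return "\\" not in exe and "/" not in exe and ":" not in exe


def triage_hjt(log_text: str) -> list[Finding]:
    """Flag O2/O4 lines that match the two patterns discussed in the thread."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name != "(no name)":
                continue  # a named BHO is left for the usual vendor check
            if WINDOWS_DIR_MARKER in path.lower():
                findings.append(Finding("high", "O2", path,
                    "unnamed BHO loaded from the Windows directory (Vundo-style)"))
            else:
                findings.append(Finding("review", "O2", path,
                    "unnamed BHO outside the Windows directory; confirm the vendor"))
            continue
        m = O4_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            exe = executable_of(cmd)
            if is_bare_filename(exe):
                # No directory means the file is resolved through the search
                # path at logon and cannot be located from the log alone.
                findings.append(Finding("high", "O4", exe,
                    f"Run value [{key}] gives no path for {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.severity:6} {f.section} {f.item}: {f.reason}")
```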

jonathanasdf
2007-11-22, 03:04
Hello,

Here is the HJT log you wanted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:14, on 2007-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\vist\hijackthis\HijackThis.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Microsoft] wuaudit.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet 资源搜索 - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games ?Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11856 bytes


A few minutes after I logged in to the computer, NOD32 detected many trojans. Here is its log.

NOD32 LOG

2007-11-21 16:46:44 http://89.188.16.57/clvraff/hctp.dll?nid=dz&uid=5836102296B111DCA2CBF67908FAFFFF&guid=614FB234AFC5488DB18007D4D5CB2835 Win32/Adware.Virtumonde application connection terminated - quarantined Threat was detected upon access to web by the application: c:\windows\explorer.exe.
2007-11-21 16:46:42 http://82.98.235.78/cook/poiu.exe?uid=5836102296B111DCA2CBF67908FAFFFF&guid=614FB234AFC5488DB18007D4D5CB2835 Win32/TrojanDownloader.Tiny.ID trojan connection terminated - quarantined Threat was detected upon access to web by the application: c:\windows\explorer.exe.
2007-11-21 16:43:47 http://82.98.235.114/ptch.dll?nid=dz&uid=5836102296B111DCA2CBF67908FAFFFF&guid=614FB234AFC5488DB18007D4D5CB2835 a variant of Win32/BHO.G trojan connection terminated - quarantined Threat was detected upon access to web by the application: c:\windows\explorer.exe.
2007-11-21 16:43:43 http://82.98.235.78/netob/pochki20071106.exe?uid=5836102296B111DCA2CBF67908FAFFFF&guid=614FB234AFC5488DB18007D4D5CB2835 Win32/Adware.Ezula application connection terminated - quarantined Threat was detected upon access to web by the application: c:\windows\explorer.exe.
2007-11-21 16:41:42 http://82.98.235.78/upd32_v14.dll?uid=5836102296B111DCA2CBF67908FAFFFF&guid=614FB234AFC5488DB18007D4D5CB2835 Win32/Adware.SecToolbar application connection terminated - quarantined Threat was detected upon access to web by the application: c:\windows\explorer.exe.
2007-11-21 0:24:13 C:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP295\A0102577.dll a variant of Win32/BHO.G trojan cleaned by deleting - quarantined Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe.


Thanks.

pskelley
2007-11-22, 13:47
Thanks for returning the correct log and the feedback about the NOD scan. Those items are either: quarantined Threat was detected or an infected System Restore file.

If you want my help, you must follow my directions. You have not installed HJT where the instructions said to install it:

By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
Delete this copy >> G:\vist\hijackthis\HijackThis.exe
Download it again and this time follow the directions I posted. Please do this before you post the next HJT log.

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks

jonathanasdf
2007-11-22, 16:47
Ok. Now I have done exactly as said.

Here is the SDFix report:


SDFix: Version 1.115

Run by ver on 2007-11-22 星期四 at 06:22

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 06:29:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NS\x5860\x7fc48R ]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,10,46,00,00,00,00,00,84,b3,cb,6d,20,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NS\x5860\x7fc48R ]
"Inno Setup: Setup Version"="3.0.6"
"Inno Setup: App Path"="C:\Program Files\\x534e\x5b89\x8bc1\x5238"
"Inno Setup: Icon Group"="\x534e\x5b89\x8bc1\x5238"
"Inno Setup: User"="ver"
"DisplayName"="\x534e\x5b89\x8bc1\x5238 3.3"
"UninstallString"=""C:\Program Files\\x534e\x5b89\x8bc1\x5238\unins000.exe""
"Publisher"="\x676d\x5dde\x6052\x751f\x4fe1\x606f\x6280\x672f\x6709\x9650\x516c\x53f8"
"URLInfoAbout"="http://www.Hsinfo.com.cn"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\7971f918-a847-4430-9279-4a52d1efe18d]
"CurrentCacheFile"="C:\WINDOWS\SoftwareDistribution\EventCache\{92E88E72-15FB-4612-9DF3-E0363E82602E}.bin"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero 7 Premium\qQ\x7381]
"Order"=hex:08,00,00,00,02,00,00,00,92,00,00,00,01,00,00,00,01,00,00,00,86,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Nero 7 Premium\\x9327wQ]

scanning hidden files ...

C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\aok951@gmail.com\DFSR\Staging\CS{E4260235-282C-F6B1-EB67-0B77C338850D}\01\62-{E4260235-282C-F6B1-EB67-0B77C338850D}-v1-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v62-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\chemicalreaction_15@hotmail.com\DFSR\Staging\CS{90E37DF1-28F7-A3BF-CE75-B52B5C660542}\01\80-{90E37DF1-28F7-A3BF-CE75-B52B5C660542}-v1-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v80-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\chemicalreaction_15@hotmail.com\DFSR\Staging\CS{90E37DF1-28F7-A3BF-CE75-B52B5C660542}\38\39-{5764819E-59F0-4835-A334-37C1DEDB46FC}-v38-{5764819E-59F0-4835-A334-37C1DEDB46FC}-v39-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 104 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\deathunter_xp@hotmail.com\DFSR\Staging\CS{052B643D-9BAD-3AC8-30B9-2CCEC1B814B4}\01\130-{052B643D-9BAD-3AC8-30B9-2CCEC1B814B4}-v1-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v130-

And it continues on with MSN contacts. I hope you don't mind, I deleted some of them because of space limitations (20000 characters only).

Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\spirited_777@hotmail.com\DFSR\Staging\CS{3C091B1B-D20C-EBB1-3901-0A68BB014F0D}\51\51-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v51-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 176 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\spirited_777@hotmail.com\DFSR\Staging\CS{3C091B1B-D20C-EBB1-3901-0A68BB014F0D}\53\96-{4E5FA003-6811-42BE-AEDE-E8935D920014}-v553-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v96-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 2550 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\spirited_777@hotmail.com\DFSR\Staging\CS{3C091B1B-D20C-EBB1-3901-0A68BB014F0D}\53\96-{4E5FA003-6811-42BE-AEDE-E8935D920014}-v553-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v96-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 312 bytes hidden from API
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Messenger\jonathanasdf@Hotmail.com\SharingMetadata\spirited_777@hotmail.com\DFSR\Staging\CS{3C091B1B-D20C-EBB1-3901-0A68BB014F0D}\71\37-{4E5FA003-6811-42BE-AEDE-E8935D920014}-v71-{0D2529AA-970B-4977-A1B4-6B259DE2FFF1}-v37-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 40 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 68


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"J:\\setup.exe"="J:\\setup.exe:*:Enabled:setup.exe"
"C:\\Documents and Settings\\ver\\Desktop\\BitComet.exe"="C:\\Documents and Settings\\ver\\Desktop\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\ver\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\ver\\Desktop\\utorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:μTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\londip\\jd\\JD.exe"="C:\\londip\\jd\\JD.exe:*:Enabled:钱龙软件"
"C:\\londip\\wt\\sw\\QLtrade.exe"="C:\\londip\\wt\\sw\\QLtrade.exe:*:Enabled:QLTrade应用程序"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------

File Backups: - C:\sdfix\backups\backups.zip

Files with Hidden Attributes:

Fri 2 Nov 2007 80 ..SHR --- "C:\WINDOWS\system32\D3E0F2A377.dll"

Finished!




Thanks.

jonathanasdf
2007-11-22, 16:48
And here is the HJT log, run from the default folder.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:34, on 2007-11-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet 资源搜索 - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 11753 bytes


Thanks.

pskelley
2007-11-22, 17:01
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:40:34, on 2007-11-22

Your HJT log appears to be clean; how is the computer running?

Are you sure you trust this site enough to allow them in your TZ?
O15 - Trusted Zone: *.stumbleupon.com

Let's have Kaspersky take a look for any remaining issues.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
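The kind of triage pskelley does by hand on the O15 line above, written out as an added example (it is not from this thread or from HijackThis): a small parser over constructed HJT-style lines that flags Trusted Zone hosts outside microsoft.com, every AppInit_DLLs entry (including the duplicated wl_hook.dll path seen in this log) and services with no identified owner. The microsoft.com allowlist, the finding labels and the sample lines are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on lines posted in this thread; not the full log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O15 - Trusted Zone: *.stumbleupon.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# HJT entries look like "O15 - Trusted Zone: *.stumbleupon.com": section id, " - ", body.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Assumption: only hosts under microsoft.com are expected in the Trusted Zone by default.
TRUSTED_ZONE_ALLOWLIST = ("microsoft.com",)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split an HJT log into {section, body, line} records, skipping non-entry lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "line": line})
    return entries


def _zone_host(body: str) -> str:
    """'ESC Trusted Zone: http://*.update.microsoft.com' -> 'update.microsoft.com'."""
    target = body.split(":", 1)[1].strip()
    target = re.sub(r"^[a-z]+://", "", target)  # drop any URL scheme
    return target.lstrip("*.").lower()


def _allowed_zone(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ZONE_ALLOWLIST)


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the entries a reviewer should look at, with a one-line reason each."""
    findings = []
    seen_appinit = set()

    def flag(entry, reason):
        findings.append({"section": entry["section"], "reason": reason, "line": entry["line"]})

    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "O15":
            host = _zone_host(body)
            if not _allowed_zone(host):
                flag(e, f"non-Microsoft host in Trusted Zone: {host}")
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # HJT prints the value space-separated; the 8.3 short names used here
            # contain no spaces, so whitespace splitting is safe for this input.
            for path in body.split(":", 1)[1].split():
                key = path.lower()
                if key in seen_appinit:
                    flag(e, f"AppInit_DLLs lists {path} more than once")
                else:
                    seen_appinit.add(key)
                    flag(e, f"AppInit_DLLs loads {path} into every user32-linked process; confirm the vendor")
        elif sec == "O23" and "- Unknown owner -" in body:
            flag(e, "service binary carries no recognised owner; verify the file")
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```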

jonathanasdf
2007-11-23, 07:07
Here is the Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 22, 2007 9:04:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/11/2007
Kaspersky Anti-Virus database records: 464321
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended --- Oops... but isn't it more or less the same as standard? I hope it doesn't matter.
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 128145
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:30:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\epfwlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET Smart Security\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1786b7347927ea3ca829602b8ef09c58_58a17b4f-579f-441a-bf06-b07d45a9648e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\526f9768617f76e12e23a7066173ab65_58a17b4f-579f-441a-bf06-b07d45a9648e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b6e355ab8a8d828930a52c645ceba721_58a17b4f-579f-441a-bf06-b07d45a9648e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temp\Free Download Manager\tic5CC.tmp Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\0HM6OIAA\upd32_v14[1] Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\G4KJGO3A\pochki20071106[1] Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ver.MAX-93977C49C21\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP290\A0102001.dll Object is locked skipped
C:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped
E:\01103a16e945accd92da\mrt.exe._p Object is locked skipped
E:\01103a16e945accd92da\mrtstub.exe Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe/data0005 Infected: not-a-virus:AdWare.Win32.Agent.uj skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.uj skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe NSIS: infected - 2 skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP303\change.log Object is locked skipped

Scan process completed.


Thanks, the wuaudit.exe seems to have disappeared. Still, Security Task Manager detects that vturr.dll is still present, and there are still pop-ups.

Thanks.

pskelley
2007-11-23, 13:45
Thanks for returning your scan report: KASPERSKY ONLINE SCANNER REPORT
Number of infected objects: 3

H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe/data0005 Infected: not-a-virus:AdWare.Win32.Agent.uj skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.uj skipped
H:\System Volume Information\_restore{BBFBFF75-3403-4D35-BB66-877F677F2137}\RP292\A0102380.exe NSIS: infected - 2 skipped

All three are infected System Restore files. I have no idea why you have SR on F:\ G:\ and H:\ drives? We will wait until last to clean those.

Security Task Manager <<< what is this? Is it part of ESET? Can you tell me where it says that item is located: vturr.dll
Tell me where these popups redirect you to. I will say it is unusual for Kaspersky not to see a Vundo file which that appears to be. We may be dealing with a rootkit hiding it from the tools. I need to collect more information, start like this:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Also post information about the location of the file and where the popups direct you.

Thanks

jonathanasdf
2007-11-23, 16:20
Hello. Combofix is running. I will post the results later.

Security task manager is a software by neuber that monitors all running processes and evaluates them. http://www.neuber.com/taskmanager/

The file vturr.dll is in C:/windows/system32, and according to google it is a virus.

This is a screenshot of security task manager.

http://i207.photobucket.com/albums/bb156/jonathanasdf/untitled-1.jpg

I am compiling a list of the pop-ups.

I have no idea where the system restore files came from.

Thanks for your help, I hope this can be resolved quickly.

pskelley
2007-11-23, 16:34
Nothing seems to happen quickly when Vundo is involved. Have you thought about just deleting that file:
C:\WINDOWS\system32\vturr.dll <<< delete that file
(those should be back slashes)

If you are told it is running, then try this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\vturr.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

Let me know what happens


I have no idea where the system restore files came from.
This is your computer?

I do not need a list of popups, just the general direction. Are they trying to sell you rogue products like Winfixer?

I have no experience with that tool:
http://www.neuber.com/taskmanager/

Have a look at this free tool when you have time:
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

jonathanasdf
2007-11-23, 17:14
Apparently, TrendMicro HiJackThis 2.02 doesn't support delete file on reboot... When I click that button HiJackThis closes and nothing happens.

The pop-ups are... about everything.

There are ones asking to buy software,
there are search sites,
there are random sites about nothing
there are sites selling.. camping gear..
and there are blank pages,
and other stuff.


Anyway, thanks for your help; I'll get the combofix log up here soon.

pskelley
2007-11-23, 17:20
I use that tool all of the time, sure you are reading the directions? Why not boot to safe mode and delete that file there. There may be more junk, combofix should show us.

Are these popups occurring when you are offline?

Thanks

jonathanasdf
2007-11-24, 01:43
Thank you. ComboFix seems to have deleted it. It no longer shows up in Security Task Manager. Here is the combofix log.

ComboFix 07-11-19.3 - ver 2007-11-23 15:34:12.3 - NTFSx86
Running from: C:\Documents and Settings\ver.MAX-93977C49C21\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\inst.exe
C:\WINDOWS\system32\_000111_.tmp.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\vturr.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 15:32 124 --a------ C:\WINDOWS\system32\msexcr.ini
2007-11-22 06:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-22 06:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 23:09 <DIR> d-------- C:\Program Files\Sun
2007-11-20 22:46 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-20 22:10 <DIR> d-------- C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\ESET
2007-11-20 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-20 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-19 22:47 <DIR> d-------- C:\Program Files\Security Task Manager
2007-11-19 07:16 <DIR> d-------- C:\Program Files\PowerISO
2007-11-07 21:20 <DIR> d-------- C:\Program Files\MSECache
2007-11-06 17:52 <DIR> d-------- C:\WINDOWS\kdefense
2007-11-06 17:52 373,248 --a------ C:\WINDOWS\system32\kdfinj.dll
2007-11-06 17:52 159,744 --a------ C:\WINDOWS\system32\kdfmgr.exe
2007-11-06 17:52 73,728 --a------ C:\WINDOWS\system32\kdfapi.dll
2007-11-06 17:52 61,440 --a------ C:\WINDOWS\system32\kdfmod.dll
2007-11-06 17:52 47,104 --a------ C:\WINDOWS\system32\Kdfhok.dll
2007-11-02 15:42 80 -r-hs---- C:\WINDOWS\system32\D3E0F2A377.dll
2007-11-02 15:40 <DIR> d-------- C:\Program Files\SewerRun
2007-10-27 08:48 <DIR> d-------- C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\vlc
2007-10-25 09:27 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-10-25 09:27 50,696 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-10-25 09:27 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-10-25 09:25 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-10-25 09:25 27,144 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-10-23 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-23 18:10 <DIR> d-------- C:\Program Files\Bonjour
2007-10-23 17:54 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-23 17:14 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-10-23 16:59 90,112 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 01:00 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-22 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-21 07:08 --------- d-----w C:\Program Files\Java
2007-11-21 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-20 14:37 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 14:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-20 07:18 --------- d-----w C:\Program Files\华安证券
2007-11-17 04:25 --------- d-----w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\Free Download Manager
2007-11-14 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-14 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 05:48 --------- d-----w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\dvdcss
2007-11-02 02:03 47,360 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-27 16:44 --------- d-----w C:\Program Files\VideoLAN
2007-10-24 02:10 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 21:56 528,384 ----a-w C:\WINDOWS\system32\NMWizardJP7.exe
2007-10-16 02:16 --------- d-----w C:\Program Files\JRJRefInner
2007-10-15 07:08 --------- d-----w C:\Program Files\JRJRef6VIP
2007-10-15 07:08 --------- d-----w C:\Program Files\JRJL2RefInner
2007-10-12 22:35 249,856 ----a-w C:\WINDOWS\system32\NMJ_Util.exe
2007-10-12 22:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\StumbleUpon
2007-10-10 00:58 --------- d-----w C:\Program Files\DivX
2007-10-03 14:30 77,824 ----a-w C:\WINDOWS\system32\NMUninstJP7.exe
2007-09-29 02:01 229,376 ----a-w C:\WINDOWS\system32\CPGameLauncher.exe
2007-09-27 02:21 --------- d-----w C:\Program Files\BitComet
2007-09-10 22:36 497,160 ----a-w C:\WINDOWS\NMUpdate25_1.exe
2007-08-22 04:09 47,360 ----a-w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\pcouffin.sys
2007-07-24 15:49 142 ----a-w C:\Documents and Settings\Administrator\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DAB16EA1-D927-4318-B8C1-DD171809F90D}]
C:\WINDOWS\system32\vturr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-09-26 18:30]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 02:48]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-19 23:21]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 09:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 00:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56]

C:\Documents and Settings\ver.MAX-93977C49C21\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-15 10:41:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 CMB8100;CMB8100;\??\C:\WINDOWS\system32\Drivers\CertClient.dat
R2 CMBProtector;CMBProtector;\??\C:\WINDOWS\system32\Drivers\CMBProtector.dat
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\Mrv8000c.sys
S4 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL
S4 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL
S4 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL
S4 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL
S4 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL
S4 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL
S4 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL
S4 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL
S4 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL
S4 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL
S4 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL
S4 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL
S4 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL
S4 VFILT;Lavasoft Firewall Kernel Driver;\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FILTNT.SYS


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{21551A31-41DA-E83C-0207-080407040603}]
C:\WINDOWS\system32\explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D3FD05B7-44A7-109F-BB8A-0EF9868230E4}]
C:\Program Files\Bifrost\---.exe s
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 15:37:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 15:38:29
.
--- E O F ---

No, the pop-ups only come sometimes when I open webpages when I am online. But, now that vturr.dll is gone, it should stop. HJT log is too long to post here.

jonathanasdf
2007-11-24, 01:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:43:18, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\WAT_EN\ACCESS~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BitComet 资源搜索 - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - http://www.netmarble.jp/_common/cab/NMJTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8237.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 12672 bytes


thanks.

pskelley
2007-11-24, 02:04
These files are suspicious and installed on the same day. Use one or more of these free scanners and if they scan bad, delete them.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\WINDOWS\system32\msexcr.ini
C:\WINDOWS\system32\kdfinj.dll
C:\WINDOWS\system32\kdfmgr.exe
C:\WINDOWS\system32\kdfapi.dll
C:\WINDOWS\system32\kdfmod.dll
C:\WINDOWS\system32\Kdfhok.dll
C:\WINDOWS\system32\D3E0F2A377.dll

No, the pop-ups only come sometimes when I open webpages when I am online
With Vundo, the popups can happen even offline, originating because of the trojans. If you need a good popup blocker, try this one:
http://toolbar.google.com/T4/index_pack.html
If you do use it, download it basic, without all the junk they try to get you to accept. Uncheck all but toolbar/blocker.

Let me know how you are running when you finish these instructions. It might be wise to run a new Kaspersky; please don't post it if it is clean. Make sure to delete ComboFix and the C:\qoobox\quarantine\ folder before you scan.

Thanks...Phil
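
The "suspicious files installed on the same day" triage applied in the post above, as an added example in Python that is not part of this thread or of ComboFix: it parses lines in the shape of ComboFix's "Files Created" section (the sample is constructed from a subset of the log posted earlier) and flags groups of files dropped into one directory in the same minute, plus files carrying hidden+system attributes. The meaning of the attribute column positions (d, r, a, h, s) is inferred from the log lines on this page and is an assumption.

```python
import re
from collections import defaultdict

# Shape of a ComboFix "Files Created" line, e.g.
#   2007-11-06 17:52 373,248 --a------ C:\WINDOWS\system32\kdfinj.dll
#   2007-11-22 06:21 <DIR> d-------- C:\WINDOWS\ERUNT
# Column meanings are inferred from the log lines in this thread (assumption).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-A-Za-z]{9}) (?P<path>.+)$"
)

# Constructed sample: a subset of the "Files Created" section posted above.
SAMPLE_LOG = """\
2007-11-23 15:32 124 --a------ C:\\WINDOWS\\system32\\msexcr.ini
2007-11-22 06:21 <DIR> d-------- C:\\WINDOWS\\ERUNT
2007-11-06 17:52 <DIR> d-------- C:\\WINDOWS\\kdefense
2007-11-06 17:52 373,248 --a------ C:\\WINDOWS\\system32\\kdfinj.dll
2007-11-06 17:52 159,744 --a------ C:\\WINDOWS\\system32\\kdfmgr.exe
2007-11-06 17:52 73,728 --a------ C:\\WINDOWS\\system32\\kdfapi.dll
2007-11-06 17:52 61,440 --a------ C:\\WINDOWS\\system32\\kdfmod.dll
2007-11-06 17:52 47,104 --a------ C:\\WINDOWS\\system32\\Kdfhok.dll
2007-11-02 15:42 80 -r-hs---- C:\\WINDOWS\\system32\\D3E0F2A377.dll
2007-10-25 09:27 53,768 --a------ C:\\WINDOWS\\system32\\drivers\\epfwtdi.sys
2007-10-25 09:27 50,696 --a------ C:\\WINDOWS\\system32\\drivers\\epfw.sys
"""


def parse_entries(text):
    """Return one dict per parseable line; headers, dots and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "when": f"{m['date']} {m['time']}",
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
            "is_dir": is_dir,
        })
    return entries


def hidden_system_files(entries):
    """Files flagged both hidden (h) and system (s): legitimate binaries in
    system32 are rarely marked that way, so they deserve a scanner check."""
    return [e["path"] for e in entries
            if not e["is_dir"] and "h" in e["attrs"] and "s" in e["attrs"]]


def same_minute_clusters(entries, min_files=3):
    """Group files by (timestamp, parent directory) and keep groups of at
    least min_files: several binaries dropped into one folder in the same
    minute is the 'installed on the same day' signal from the thread,
    narrowed to the minute resolution the log provides."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        parent = e["path"].rsplit("\\", 1)[0].lower()
        groups[(e["when"], parent)].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_files}


def triage(text, min_files=3):
    """Combine both checks into one report; the paths listed are candidates
    for the online scanners named in the thread, not verdicts."""
    entries = parse_entries(text)
    return {
        "clusters": same_minute_clusters(entries, min_files),
        "hidden_system": hidden_system_files(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (when, folder), paths in report["clusters"].items():
        print(f"{len(paths)} files created {when} in {folder}:")
        for p in paths:
            print("   ", p)
    for p in report["hidden_system"]:
        print("hidden+system file:", p)
```

On the sample, the only cluster is the five kdf* files in system32 at 2007-11-06 17:52, and the one hidden+system file is D3E0F2A377.dll, which matches the list the helper asked to have scanned.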

jonathanasdf
2007-11-24, 03:57
Hello,

When I used the virus scanners you provided, it did not show any of the files as a virus. However, when I googled kdfmgr.exe it was shown as a virus. So, I followed online steps and created a CFScript with C:\WINDOWS\system32\kdfmgr.exe, and executed ComboFix. Here is the log. I will upload the Kaspersky log soon.


ComboFix 07-11-19.3 - ver 2007-11-23 17:49:37.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.936.1.1033.18.143 [GMT -8:00]
Running from: C:\Documents and Settings\ver.MAX-93977C49C21\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ver.MAX-93977C49C21\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-23 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-23 17:11 124 --a------ C:\WINDOWS\system32\msexcr.ini
2007-11-22 06:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-22 06:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-20 23:09 <DIR> d-------- C:\Program Files\Sun
2007-11-20 22:46 5,097 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-20 22:10 <DIR> d-------- C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\ESET
2007-11-20 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2007-11-20 06:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-19 22:47 <DIR> d-------- C:\Program Files\Security Task Manager
2007-11-19 07:16 <DIR> d-------- C:\Program Files\PowerISO
2007-11-07 21:20 <DIR> d-------- C:\Program Files\MSECache
2007-11-06 17:52 <DIR> d-------- C:\WINDOWS\kdefense
2007-11-06 17:52 373,248 --a------ C:\WINDOWS\system32\kdfinj.dll
2007-11-06 17:52 159,744 --a------ C:\WINDOWS\system32\kdfmgr.exe
2007-11-06 17:52 73,728 --a------ C:\WINDOWS\system32\kdfapi.dll
2007-11-06 17:52 61,440 --a------ C:\WINDOWS\system32\kdfmod.dll
2007-11-06 17:52 47,104 --a------ C:\WINDOWS\system32\Kdfhok.dll
2007-11-02 15:42 80 -r-hs---- C:\WINDOWS\system32\D3E0F2A377.dll
2007-10-27 08:48 <DIR> d-------- C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\vlc
2007-10-25 09:27 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-10-25 09:27 50,696 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-10-25 09:27 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-10-25 09:25 33,800 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-10-25 09:25 27,144 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 01:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-11-24 01:35 --------- d-----w C:\Program Files\Google
2007-11-22 01:00 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-21 07:08 --------- d-----w C:\Program Files\Java
2007-11-21 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-20 14:37 --------- d-----w C:\Program Files\Lavasoft
2007-11-20 14:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-20 07:18 --------- d-----w C:\Program Files\华安证券
2007-11-17 04:25 --------- d-----w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\Free Download Manager
2007-11-14 05:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-14 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-02 05:48 --------- d-----w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\dvdcss
2007-11-02 02:03 47,360 ----a-w C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-10-27 16:44 --------- d-----w C:\Program Files\VideoLAN
2007-10-24 02:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-24 02:10 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-24 02:10 --------- d-----w C:\Program Files\Bonjour
2007-10-24 01:58 --------- d-----w C:\Program Files\PeerGuardian2
2007-10-24 01:54 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-16 21:56 528,384 ----a-w C:\WINDOWS\system32\NMWizardJP7.exe
2007-10-16 02:16 --------- d-----w C:\Program Files\JRJRefInner
2007-10-15 07:08 --------- d-----w C:\Program Files\JRJRef6VIP
2007-10-15 07:08 --------- d-----w C:\Program Files\JRJL2RefInner
2007-10-12 22:35 249,856 ----a-w C:\WINDOWS\system32\NMJ_Util.exe
2007-10-12 22:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\StumbleUpon
2007-10-10 00:58 --------- d-----w C:\Program Files\DivX
2007-10-03 14:30 77,824 ----a-w C:\WINDOWS\system32\NMUninstJP7.exe
2007-09-29 02:01 229,376 ----a-w C:\WINDOWS\system32\CPGameLauncher.exe
2007-09-27 02:21 --------- d-----w C:\Program Files\BitComet
2007-09-10 22:36 497,160 ----a-w C:\WINDOWS\NMUpdate25_1.exe
2007-08-22 04:09 47,360 ----a-w C:\Documents and Settings\ver.MAX-93977C49C21\Application Data\pcouffin.sys
2007-07-24 15:49 142 ----a-w C:\Documents and Settings\Administrator\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-09-26 18:30]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 15:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 02:48]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-11-19 23:21]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 09:26]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56]

C:\Documents and Settings\ver.MAX-93977C49C21\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-23 17:34:03]
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe [2004-12-15 10:41:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll C:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R2 CMB8100;CMB8100;\??\C:\WINDOWS\system32\Drivers\CertClient.dat
R2 CMBProtector;CMBProtector;\??\C:\WINDOWS\system32\Drivers\CMBProtector.dat
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys
R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 W8335XP;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINDOWS\system32\DRIVERS\Mrv8000c.sys
S4 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL
S4 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL
S4 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL
S4 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL
S4 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL
S4 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL
S4 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL
S4 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL
S4 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL
S4 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL
S4 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL
S4 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL
S4 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL
S4 VFILT;Lavasoft Firewall Kernel Driver;\??\C:\Program Files\Lavasoft\Personal Firewall\kernel\FILTNT.SYS

*Newly Created Service* - GUSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{21551A31-41DA-E83C-0207-080407040603}]
C:\WINDOWS\system32\explore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D3FD05B7-44A7-109F-BB8A-0EF9868230E4}]
C:\Program Files\Bifrost\---.exe s
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 17:52:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 17:53:42
C:\ComboFix2.txt ... 2007-11-23 15:38
.
--- E O F ---


thanks.

jonathanasdf
2007-11-24, 22:05
Hello again.

Kaspersky didn't pick up anything else. Is there anything left for me to do? Which programs should I delete? Thanks.

pskelley
2007-11-24, 22:38
Delete all tools we downloaded for this cleanup, they do not update and must be downloaded fresh if ever needed again.

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Safe surfing:bigthumb:

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

jonathanasdf
2007-11-25, 10:18
Thank you. I would donate for your generous help, but I don't have a credit card yet :S

My parents don't support me donating.. :sad:

Anyways, thank you for solving my problems. :bigthumb: