PDA

View Full Version : rundll32.exe 0xC0000005 repeatedly



srcbeck
2008-05-22, 16:26
Hi, approximately a week ago our home laptop has been behaving strangely.
It was receving 2 types of errors:
1) userinit.exe - the application failed to initialise properly (0xC0000005).....
2) rundll32.exe - the application failed to initialise properly (0xC0000005).....

Now when I bootup and enter the user logon password I get the rundll32.exe error repeatedly and when I close the message box the screen is blank and I can't do anything, no sesssion icons at all. I can only go into TaskMgr and start a "explorer" session and that gets me going but then throughout I keep getting the rundll32.exe errors.

I updated our Spybot to latest levels and Symantic Virus levels and ran both. Spybot found problems with:

Virtumonde.dll
Virtumonde
Win32.BHO.df

and Symantic found Trojan.LowZones

I fixed the problems and rebooted and the same problems keep re-occurring. I run the Spybot and AV and keep getting the same problems reappear.

I then see many similar problems reported at this website and so I think I am the point where I need your help.

We are running XP-Home edition (build 2600.xpsp_sp2_gdr.070227-2254: Service Pack 2).

I have downloaded Kaspersky Online Scanner and ran it and here are the results:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 22, 2008 9:09:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/05/2008
Kaspersky Anti-Virus database records: 793417
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 134242
Number of viruses found: 11
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:12:37

Infected Object Name / Virus Name / Last Action
C:\Backup from Home Computer 2007-07-21\Nigels on Main on The Beckman Family Computer (Beckmancomputer)\Nigel\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.Dialupass.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04F00000.VBN Infected: Trojan.Win32.Buzus.byy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80000.VBN Infected: Trojan.Win32.Buzus.byy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B40000.VBN Infected: Trojan.Win32.Buzus.byy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\071C0000.VBN Infected: Trojan.Win32.Buzus.byy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA00000.VBN Infected: Email-Worm.Win32.Beloy.a skipped
C:\Documents and Settings\All Users\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\34UZ94Y1\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\G82VJJI0\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\H8HK3KK4\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\H8HK3KK4\hctp[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\JFDHP11Y\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\Documents and Settings\Chris\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Karen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Karen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nat\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nat\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nigel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nigel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nigel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sam\Local Settings\Temp\vvxbuavg.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\SJPFUER5\kb516107[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Program Files\Screensavers.com\SSSInst\bin\screensavers.exe/data0011 Infected: not-a-virus:AdWare.Win32.Comet.bb skipped
C:\Program Files\Screensavers.com\SSSInst\bin\screensavers.exe/data0012 Infected: not-a-virus:AdWare.Win32.Comet.be skipped
C:\Program Files\Screensavers.com\SSSInst\bin\screensavers.exe NSIS: infected - 2 skipped
C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe NSIS: infected - 1 skipped
C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A43BDB39-1EFE-46C5-B696-1920AED1CDD0}\RP247\A0074599.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sbz skipped
C:\System Volume Information\_restore{A43BDB39-1EFE-46C5-B696-1920AED1CDD0}\RP247\A0074600.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\System Volume Information\_restore{A43BDB39-1EFE-46C5-B696-1920AED1CDD0}\RP249\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\auvaujer.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sce skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\exfrpgiw.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\gybiqdrs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\WINDOWS\system32\ikqcixkw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\WINDOWS\system32\thksfaie.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\vkneqlvs.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\vyomlirq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sby skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\System Volume Information\_restore{A43BDB39-1EFE-46C5-B696-1920AED1CDD0}\RP249\change.log Object is locked skipped
D:\Tools\s_sinstallerandtoolbar.exe/data0002/data0011 Infected: not-a-virus:AdWare.Win32.Comet.bb skipped
D:\Tools\s_sinstallerandtoolbar.exe/data0002/data0012 Infected: not-a-virus:AdWare.Win32.Comet.be skipped
D:\Tools\s_sinstallerandtoolbar.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.be skipped
D:\Tools\s_sinstallerandtoolbar.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
D:\Tools\s_sinstallerandtoolbar.exe/data0003 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
D:\Tools\s_sinstallerandtoolbar.exe NSIS: infected - 5 skipped

Scan process completed.
=====================================================

I then started in Safe Mode and ran Spybot-S&D and got same errors above which I fixed and ran SPYBOT again and got same errors. I decided to RESTART in normal mode.

I then ran the HJT tool and am attaching the log report.

======================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:09 PM, on 22/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nigel\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {444FC7D1-8F08-4377-B39B-4D75AE0E9F70} - C:\WINDOWS\system32\vtUolMcC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82283E81-8733-475A-9575-A5DEA5C8A003} - C:\WINDOWS\system32\xxyyaXPI.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {916E3AB7-E3BD-48A5-AA78-746DE1F005F6} - C:\WINDOWS\system32\mlJCVpMF.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [e45eef97] rundll32.exe "C:\WINDOWS\system32\fioaowjx.dll",b
O4 - HKLM\..\Run: [BMe76ddc0b] Rundll32.exe "C:\WINDOWS\system32\qncktruh.dll",s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155351588921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.bigphoto.com.au/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00E78B5.dat
O20 - Winlogon Notify: vtUolMcC - C:\WINDOWS\SYSTEM32\vtUolMcC.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10566 bytes

=======================================================

Sure would appreciate your help.

Rorschach112
2008-05-22, 16:37
Hello

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\Program Files\Screensavers.com\SSSInst\bin\screensavers.exe
C:\WINDOWS\system32\auvaujer.dll
C:\WINDOWS\system32\exfrpgiw.dll
C:\WINDOWS\system32\gybiqdrs.dll
C:\WINDOWS\system32\ikqcixkw.dll
C:\WINDOWS\system32\thksfaie.dll
C:\WINDOWS\system32\vkneqlvs.dll
C:\WINDOWS\system32\vyomlirq.dll
D:\Tools\s_sinstallerandtoolbar.exe
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

srcbeck
2008-05-23, 17:30
Hi Rorschach112,

Thanks for your help with this, I followed your steps and got to the point where I had installed ComboFix.exe and Windows XP Recovery Console exe file ok. I then tried drag the recovery console exe and dropped onto ComboFix.exe, it showed ComboFix status bar for about 5 seconds, disappeared and then I got the same run rundll32.exe 0xC0000005 error, followed by cmd.exe with same code and then rundll32.exe again with same code and nothing else happens and it doesn't install the recovery console.

I tried rebooting to see if on the off chance it had completed but alas nothing new appeared. Tried the drag and drop procedure again but again same errors.

Any suggestions?

Rorschach112
2008-05-23, 19:17
Can you run ComboFix.exe ?

srcbeck
2008-05-24, 05:55
Hi, no I cannot run ComboFix.exe. I double click on the icon and it does start by showing the progress bars but then just as it gets to the end of the progress bar I get the message about rundll32.exe (0xC0000005) error. I close the message box and get the same message at least 2-3 times more and then nothing else.

I keep getting this message when I try to run most things like add/remove programs. Seems to be ok with me using Internet Explorer. The system is certainly erratic, seems slow and at times I seem to lose control of the screen.

Would it help if I try running in Safe Mode? I tried things in that mode the other night but didn't seem to help much.

Thanks.

srcbeck
2008-05-24, 13:23
Hi, I forgot to run the OTmoveit output, at least that ran:

Explorer killed successfully
C:\Program Files\Screensavers.com\SSSInst\bin\screensavers.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\auvaujer.dll
C:\WINDOWS\system32\auvaujer.dll NOT unregistered.
C:\WINDOWS\system32\auvaujer.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\exfrpgiw.dll
C:\WINDOWS\system32\exfrpgiw.dll NOT unregistered.
C:\WINDOWS\system32\exfrpgiw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gybiqdrs.dll
C:\WINDOWS\system32\gybiqdrs.dll NOT unregistered.
C:\WINDOWS\system32\gybiqdrs.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ikqcixkw.dll
C:\WINDOWS\system32\ikqcixkw.dll NOT unregistered.
C:\WINDOWS\system32\ikqcixkw.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\thksfaie.dll
C:\WINDOWS\system32\thksfaie.dll NOT unregistered.
C:\WINDOWS\system32\thksfaie.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\vkneqlvs.dll
C:\WINDOWS\system32\vkneqlvs.dll NOT unregistered.
C:\WINDOWS\system32\vkneqlvs.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vyomlirq.dll
C:\WINDOWS\system32\vyomlirq.dll NOT unregistered.
C:\WINDOWS\system32\vyomlirq.dll moved successfully.
D:\Tools\s_sinstallerandtoolbar.exe moved successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05232008_191328

Rorschach112
2008-05-24, 15:03
Try run it in Safe Mode

If that fails do this from Normal Mode

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

srcbeck
2008-05-25, 09:30
I installed dss.exe and ran it but it didn't complete successfully. It runs for a while and gets to near the end "Examining Event Logs" and then gets a failure message, "dss.exe has encountered a problem and needs to close". I tried running it multiple problems but each time it got the same failure.

Rorschach112
2008-05-25, 14:33
Can you run DSS from Safe Mode ?

srcbeck
2008-05-26, 02:39
Tried running it in Safe mode, same problem. This thing seems to have everything covered.

Rorschach112
2008-05-26, 02:44
Do this

Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Under Additional Scans check the boxes beside Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg Mountpoints2, File - Additional Folder Scans, File - Lop Check, and File - Purity Scan.
Under Drivers change it to Non-Microsoft.
Under Files Created Within and Files Modified Within change it to 90 days.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

srcbeck
2008-05-26, 12:34
Hi Rorschach112, that ran ok and have attached the notepad file.

Rorschach112
2008-05-26, 15:36
A lot of malware on your PC

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.


[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> BMe76ddc0b -> %SystemRoot%\system32\wgbqfykx.dll [Rundll32.exe "C:\WINDOWS\system32\wgbqfykx.dll",s]
YY -> e45eef97 -> %SystemRoot%\system32\mtfntssf.dll [rundll32.exe "C:\WINDOWS\system32\mtfntssf.dll",b]
YN -> NWEReboot -> []
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\__c0066644.dat -> %SystemRoot%\system32\__c0066644.dat
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {3F567BD3-529D-43AD-866D-D8C1D657AFAF} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\wvUlMCUM.dll [Reg Error: Value does not exist or could not be read.]
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> {82283E81-8733-475A-9575-A5DEA5C8A003} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\xxyyaXPI.dll [Reg Error: Value does not exist or could not be read.]
YN -> {916E3AB7-E3BD-48A5-AA78-746DE1F005F6} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mlJCVpMF.dll [Reg Error: Value does not exist or could not be read.]
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
YN -> &Google Search ->
YN -> Backward Links ->
YN -> Cached Snapshot of Page ->
YN -> Similar Pages ->
YN -> Translate into English ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
[Registry - Additional Scans - All]
< BotCheck > ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\wvUlMCUM -> %SystemRoot%\system32\wvUlMCUM.dll
< BotCheck > ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe -> C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe [C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe:*:enabled:BullGuard]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe -> C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe [C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe:*:enabled:BullGuard Update]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe -> C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe [C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe:*:enabled:BullGuard]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe -> C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe [C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe:*:enabled:BullGuard Update]
< MountPoints2 > ->
*~EmptyValue* -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34779710-2965-11db-bbad-806d6172696f}\_Autorun\DefaultIcon\\
YY -> E:\setup.exe -> E:\setup.exe
< MountPoints2 > ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e60e1df4-c864-11db-900f-806d6172696f}\_Autorun\DefaultIcon\\ -> E:\Setup.EXE [E:\Setup.EXE]
[Files/Folders - Created Within 90 days]
NY -> is154323.exe -> %SystemDrive%\is154323.exe
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> ahnawmun.dll -> %SystemRoot%\System32\ahnawmun.dll
NY -> awfepmow.exe -> %SystemRoot%\System32\awfepmow.exe
NY -> bceKkUvw.ini -> %SystemRoot%\System32\bceKkUvw.ini
NY -> buxixguy.dll -> %SystemRoot%\System32\buxixguy.dll
NY -> cefkstcx.dll -> %SystemRoot%\System32\cefkstcx.dll
NY -> dbmcvxke.ini -> %SystemRoot%\System32\dbmcvxke.ini
NY -> eeuqnphu.dll -> %SystemRoot%\System32\eeuqnphu.dll
NY -> erkoxceg.dll -> %SystemRoot%\System32\erkoxceg.dll
NY -> fioaowjx.dll -> %SystemRoot%\System32\fioaowjx.dll
NY -> fjllnuwl.dll -> %SystemRoot%\System32\fjllnuwl.dll
NY -> fkfvipoq.dll -> %SystemRoot%\System32\fkfvipoq.dll
NY -> FMpVCJlm.ini -> %SystemRoot%\System32\FMpVCJlm.ini
NY -> FMpVCJlm.ini2 -> %SystemRoot%\System32\FMpVCJlm.ini2
NY -> frlnqupk.dll -> %SystemRoot%\System32\frlnqupk.dll
NY -> fsstnftm.ini -> %SystemRoot%\System32\fsstnftm.ini
NY -> gojucnel.dll -> %SystemRoot%\System32\gojucnel.dll
NY -> hyhqeedv.dll -> %SystemRoot%\System32\hyhqeedv.dll
NY -> immjygvn.dll -> %SystemRoot%\System32\immjygvn.dll
NY -> IPXayyxx.ini -> %SystemRoot%\System32\IPXayyxx.ini
NY -> IPXayyxx.ini2 -> %SystemRoot%\System32\IPXayyxx.ini2
NY -> jiPsvyay.ini -> %SystemRoot%\System32\jiPsvyay.ini
NY -> jiPsvyay.ini2 -> %SystemRoot%\System32\jiPsvyay.ini2
NY -> jngawune.exe -> %SystemRoot%\System32\jngawune.exe
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> kwrvwdwx.dll -> %SystemRoot%\System32\kwrvwdwx.dll
NY -> lencujog.ini -> %SystemRoot%\System32\lencujog.ini
NY -> loijmifa.dll -> %SystemRoot%\System32\loijmifa.dll
NY -> lsmhjfcs.ini -> %SystemRoot%\System32\lsmhjfcs.ini
NY -> mlJDurrP.dll -> %SystemRoot%\System32\mlJDurrP.dll
NY -> movupigy.ini -> %SystemRoot%\System32\movupigy.ini
NY -> mrlyerho.exe -> %SystemRoot%\System32\mrlyerho.exe
NY -> mtfntssf.dll -> %SystemRoot%\System32\mtfntssf.dll
NY -> MUCMlUvw.ini -> %SystemRoot%\System32\MUCMlUvw.ini
NY -> MUCMlUvw.ini2 -> %SystemRoot%\System32\MUCMlUvw.ini2
NY -> murspirh.dll -> %SystemRoot%\System32\murspirh.dll
NY -> mynacwop.dll -> %SystemRoot%\System32\mynacwop.dll
NY -> njuydnne.ini -> %SystemRoot%\System32\njuydnne.ini
NY -> nlkeowtt.dll -> %SystemRoot%\System32\nlkeowtt.dll
NY -> nnspecis.exe -> %SystemRoot%\System32\nnspecis.exe
NY -> ohjupgdx.dll -> %SystemRoot%\System32\ohjupgdx.dll
NY -> oxkyplge.dll -> %SystemRoot%\System32\oxkyplge.dll
NY -> pextdxrv.exe -> %SystemRoot%\System32\pextdxrv.exe
NY -> pfihwuuj.dll -> %SystemRoot%\System32\pfihwuuj.dll
NY -> pwwdarnu.dll -> %SystemRoot%\System32\pwwdarnu.dll
NY -> qdcardjd.dll -> %SystemRoot%\System32\qdcardjd.dll
NY -> qncktruh.dll -> %SystemRoot%\System32\qncktruh.dll
NY -> rsmkwkgo.dll -> %SystemRoot%\System32\rsmkwkgo.dll
NY -> ruuubfws.dll -> %SystemRoot%\System32\ruuubfws.dll
NY -> scfjhmsl.dll -> %SystemRoot%\System32\scfjhmsl.dll
NY -> srdqibyg.ini -> %SystemRoot%\System32\srdqibyg.ini
NY -> ssqoMeDw.dll -> %SystemRoot%\System32\ssqoMeDw.dll
NY -> swwhcnji.dll -> %SystemRoot%\System32\swwhcnji.dll
NY -> tausqfjj.dll -> %SystemRoot%\System32\tausqfjj.dll
NY -> txfyjpvk.dll -> %SystemRoot%\System32\txfyjpvk.dll
NY -> uenwyumd.exe -> %SystemRoot%\System32\uenwyumd.exe
NY -> vtUlMefg.dll -> %SystemRoot%\System32\vtUlMefg.dll
NY -> vtUolMcC.dll -> %SystemRoot%\System32\vtUolMcC.dll
NY -> wbocqysk.dll -> %SystemRoot%\System32\wbocqysk.dll
NY -> wchodbwb.dll -> %SystemRoot%\System32\wchodbwb.dll
NY -> wgbqfykx.dll -> %SystemRoot%\System32\wgbqfykx.dll
NY -> wlsitwym.dll -> %SystemRoot%\System32\wlsitwym.dll
NY -> wvUlMCUM.dll -> %SystemRoot%\System32\wvUlMCUM.dll
NY -> xcavygwf.exe -> %SystemRoot%\System32\xcavygwf.exe
NY -> xjwoaoif.ini -> %SystemRoot%\System32\xjwoaoif.ini
NY -> yaywvSJA.dll -> %SystemRoot%\System32\yaywvSJA.dll
NY -> ygipuvom.dll -> %SystemRoot%\System32\ygipuvom.dll
NY -> yugxixub.ini -> %SystemRoot%\System32\yugxixub.ini
NY -> yxmgwutn.dll -> %SystemRoot%\System32\yxmgwutn.dll
NY -> __c00495FA.dat -> %SystemRoot%\System32\__c00495FA.dat
NY -> __c006001.dat -> %SystemRoot%\System32\__c006001.dat
NY -> __c0060EB8.dat -> %SystemRoot%\System32\__c0060EB8.dat
NY -> __c0060F37.dat -> %SystemRoot%\System32\__c0060F37.dat
NY -> __c0066644.dat -> %SystemRoot%\System32\__c0066644.dat
NY -> __c009B271.dat -> %SystemRoot%\System32\__c009B271.dat
NY -> __c00E78B5.dat -> %SystemRoot%\System32\__c00E78B5.dat
NY -> BMe76ddc0b.xml -> %SystemRoot%\BMe76ddc0b.xml
NY -> cookies.ini -> %SystemRoot%\cookies.ini
NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[Files Created - Additional Folder Scans - All]
NY -> ComboFix.exe -> %UserProfile%\Desktop\ComboFix.exe
NY -> dss.exe -> %UserProfile%\Desktop\dss.exe
NY -> Nigel.exe -> %UserProfile%\Desktop\Nigel.exe
NY -> VundoFix.exe -> %UserProfile%\Desktop\VundoFix.exe
[Files/Folders - Modified Within 90 days]
NY -> is154323.exe -> %SystemDrive%\is154323.exe
NY -> VundoFix Backups -> %SystemDrive%\VundoFix Backups
NY -> ahnawmun.dll -> %SystemRoot%\System32\ahnawmun.dll
NY -> awfepmow.exe -> %SystemRoot%\System32\awfepmow.exe
NY -> bceKkUvw.ini -> %SystemRoot%\System32\bceKkUvw.ini
NY -> bceKkUvw.ini2 -> %SystemRoot%\System32\bceKkUvw.ini2
NY -> buxixguy.dll -> %SystemRoot%\System32\buxixguy.dll
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> cefkstcx.dll -> %SystemRoot%\System32\cefkstcx.dll
NY -> dbmcvxke.ini -> %SystemRoot%\System32\dbmcvxke.ini
NY -> eeuqnphu.dll -> %SystemRoot%\System32\eeuqnphu.dll
NY -> erkoxceg.dll -> %SystemRoot%\System32\erkoxceg.dll
NY -> fioaowjx.dll -> %SystemRoot%\System32\fioaowjx.dll
NY -> fjllnuwl.dll -> %SystemRoot%\System32\fjllnuwl.dll
NY -> fkfvipoq.dll -> %SystemRoot%\System32\fkfvipoq.dll
NY -> FMpVCJlm.ini -> %SystemRoot%\System32\FMpVCJlm.ini
NY -> FMpVCJlm.ini2 -> %SystemRoot%\System32\FMpVCJlm.ini2
NY -> frlnqupk.dll -> %SystemRoot%\System32\frlnqupk.dll
NY -> fsstnftm.ini -> %SystemRoot%\System32\fsstnftm.ini
NY -> FxsTmp -> %SystemRoot%\System32\FxsTmp
NY -> gojucnel.dll -> %SystemRoot%\System32\gojucnel.dll
NY -> hyhqeedv.dll -> %SystemRoot%\System32\hyhqeedv.dll
NY -> immjygvn.dll -> %SystemRoot%\System32\immjygvn.dll
NY -> IPXayyxx.ini -> %SystemRoot%\System32\IPXayyxx.ini
NY -> IPXayyxx.ini2 -> %SystemRoot%\System32\IPXayyxx.ini2
NY -> jiPsvyay.ini -> %SystemRoot%\System32\jiPsvyay.ini
NY -> jiPsvyay.ini2 -> %SystemRoot%\System32\jiPsvyay.ini2
NY -> jngawune.exe -> %SystemRoot%\System32\jngawune.exe
NY -> kwrvwdwx.dll -> %SystemRoot%\System32\kwrvwdwx.dll
NY -> lencujog.ini -> %SystemRoot%\System32\lencujog.ini
NY -> loijmifa.dll -> %SystemRoot%\System32\loijmifa.dll
NY -> lsmhjfcs.ini -> %SystemRoot%\System32\lsmhjfcs.ini
NY -> mlJDurrP.dll -> %SystemRoot%\System32\mlJDurrP.dll
NY -> movupigy.ini -> %SystemRoot%\System32\movupigy.ini
NY -> mrlyerho.exe -> %SystemRoot%\System32\mrlyerho.exe
NY -> mtfntssf.dll -> %SystemRoot%\System32\mtfntssf.dll
NY -> MUCMlUvw.ini -> %SystemRoot%\System32\MUCMlUvw.ini
NY -> MUCMlUvw.ini2 -> %SystemRoot%\System32\MUCMlUvw.ini2
NY -> murspirh.dll -> %SystemRoot%\System32\murspirh.dll
NY -> mynacwop.dll -> %SystemRoot%\System32\mynacwop.dll
NY -> njuydnne.ini -> %SystemRoot%\System32\njuydnne.ini
NY -> nlkeowtt.dll -> %SystemRoot%\System32\nlkeowtt.dll
NY -> nnspecis.exe -> %SystemRoot%\System32\nnspecis.exe
NY -> ohjupgdx.dll -> %SystemRoot%\System32\ohjupgdx.dll
NY -> oxkyplge.dll -> %SystemRoot%\System32\oxkyplge.dll
NY -> pextdxrv.exe -> %SystemRoot%\System32\pextdxrv.exe
NY -> pfihwuuj.dll -> %SystemRoot%\System32\pfihwuuj.dll
NY -> pwwdarnu.dll -> %SystemRoot%\System32\pwwdarnu.dll
NY -> qdcardjd.dll -> %SystemRoot%\System32\qdcardjd.dll
NY -> qncktruh.dll -> %SystemRoot%\System32\qncktruh.dll
NY -> rsmkwkgo.dll -> %SystemRoot%\System32\rsmkwkgo.dll
NY -> ruuubfws.dll -> %SystemRoot%\System32\ruuubfws.dll
NY -> scfjhmsl.dll -> %SystemRoot%\System32\scfjhmsl.dll
NY -> srdqibyg.ini -> %SystemRoot%\System32\srdqibyg.ini
NY -> ssqoMeDw.dll -> %SystemRoot%\System32\ssqoMeDw.dll
NY -> swwhcnji.dll -> %SystemRoot%\System32\swwhcnji.dll
NY -> tausqfjj.dll -> %SystemRoot%\System32\tausqfjj.dll
NY -> txfyjpvk.dll -> %SystemRoot%\System32\txfyjpvk.dll
NY -> uenwyumd.exe -> %SystemRoot%\System32\uenwyumd.exe
NY -> vtUlMefg.dll -> %SystemRoot%\System32\vtUlMefg.dll
NY -> vtUolMcC.dll -> %SystemRoot%\System32\vtUolMcC.dll
NY -> wbocqysk.dll -> %SystemRoot%\System32\wbocqysk.dll
NY -> wchodbwb.dll -> %SystemRoot%\System32\wchodbwb.dll
NY -> wgbqfykx.dll -> %SystemRoot%\System32\wgbqfykx.dll
NY -> wlsitwym.dll -> %SystemRoot%\System32\wlsitwym.dll
NY -> wvUlMCUM.dll -> %SystemRoot%\System32\wvUlMCUM.dll
NY -> xcavygwf.exe -> %SystemRoot%\System32\xcavygwf.exe
NY -> xjwoaoif.ini -> %SystemRoot%\System32\xjwoaoif.ini
NY -> yaywvSJA.dll -> %SystemRoot%\System32\yaywvSJA.dll
NY -> ygipuvom.dll -> %SystemRoot%\System32\ygipuvom.dll
NY -> yugxixub.ini -> %SystemRoot%\System32\yugxixub.ini
NY -> yxmgwutn.dll -> %SystemRoot%\System32\yxmgwutn.dll
NY -> __c00495FA.dat -> %SystemRoot%\System32\__c00495FA.dat
NY -> __c006001.dat -> %SystemRoot%\System32\__c006001.dat
NY -> __c0060EB8.dat -> %SystemRoot%\System32\__c0060EB8.dat
NY -> __c0060F37.dat -> %SystemRoot%\System32\__c0060F37.dat
NY -> __c0066644.dat -> %SystemRoot%\System32\__c0066644.dat
NY -> __c009B271.dat -> %SystemRoot%\System32\__c009B271.dat
NY -> __c00E78B5.dat -> %SystemRoot%\System32\__c00E78B5.dat
NY -> 5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BMe76ddc0b.xml -> %SystemRoot%\BMe76ddc0b.xml
NY -> pskt.ini -> %SystemRoot%\pskt.ini
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.




Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Then reboot and try this


Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

srcbeck
2008-05-26, 23:27
OTScanIt ran, well sort of, not quite as you described.

It ran for a few minutes after I pasted that info in and then it got a error message box that said:

"OTScanIT.exe - Bad Image - The application or DLL C:\WINDOWS\SYSTEM32\yaywvSJA.dll is not a valid windows image. PLease check this against your installation diskette"

I only had the option to choose ok, which I did. The scan then seemed to keep going and then came back with another message box:

"Machine needs to reboot to remove files. Continue Yes or No."

I chose to reboot. On reboot it then came up with the Notepad output: Here it is

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMe76ddc0b deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wgbqfykx.dll
C:\WINDOWS\system32\wgbqfykx.dll NOT unregistered.
C:\WINDOWS\system32\wgbqfykx.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\e45eef97 deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mtfntssf.dll
C:\WINDOWS\system32\mtfntssf.dll NOT unregistered.
C:\WINDOWS\system32\mtfntssf.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\NWEReboot deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\swg deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:C:\WINDOWS\system32\__c0066644.dat deleted successfully.
File move failed. C:\WINDOWS\system32\__c0066644.dat scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3F567BD3-529D-43AD-866D-D8C1D657AFAF}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F567BD3-529D-43AD-866D-D8C1D657AFAF}\ not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wvUlMCUM.dll
C:\WINDOWS\system32\wvUlMCUM.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\wvUlMCUM.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{82283E81-8733-475A-9575-A5DEA5C8A003}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82283E81-8733-475A-9575-A5DEA5C8A003}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{916E3AB7-E3BD-48A5-AA78-746DE1F005F6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{916E3AB7-E3BD-48A5-AA78-746DE1F005F6}\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Google Search\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Backward Links\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Similar Pages\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Translate into English\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
[Registry - Additional Scans - All]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINDOWS\system32\wvUlMCUM deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wvUlMCUM.dll
C:\WINDOWS\system32\wvUlMCUM.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\wvUlMCUM.dll scheduled to be moved on reboot.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{34779710-2965-11db-bbad-806d6172696f}\_Autorun\DefaultIcon\\:E:\setup.exe deleted successfully.
File E:\setup.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e60e1df4-c864-11db-900f-806d6172696f}\_Autorun\DefaultIcon\\ deleted successfully.
[Files/Folders - Created Within 90 days]
C:\is154323.exe moved successfully.
C:\VundoFix Backups folder moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ahnawmun.dll
C:\WINDOWS\System32\ahnawmun.dll NOT unregistered.
C:\WINDOWS\System32\ahnawmun.dll moved successfully.
C:\WINDOWS\System32\awfepmow.exe moved successfully.
C:\WINDOWS\System32\bceKkUvw.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\buxixguy.dll
C:\WINDOWS\System32\buxixguy.dll NOT unregistered.
C:\WINDOWS\System32\buxixguy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\cefkstcx.dll
C:\WINDOWS\System32\cefkstcx.dll NOT unregistered.
C:\WINDOWS\System32\cefkstcx.dll moved successfully.
C:\WINDOWS\System32\dbmcvxke.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\eeuqnphu.dll
C:\WINDOWS\System32\eeuqnphu.dll NOT unregistered.
C:\WINDOWS\System32\eeuqnphu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\erkoxceg.dll
C:\WINDOWS\System32\erkoxceg.dll NOT unregistered.
C:\WINDOWS\System32\erkoxceg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\fioaowjx.dll
C:\WINDOWS\System32\fioaowjx.dll NOT unregistered.
C:\WINDOWS\System32\fioaowjx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\fjllnuwl.dll
C:\WINDOWS\System32\fjllnuwl.dll NOT unregistered.
C:\WINDOWS\System32\fjllnuwl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\fkfvipoq.dll
C:\WINDOWS\System32\fkfvipoq.dll NOT unregistered.
C:\WINDOWS\System32\fkfvipoq.dll moved successfully.
C:\WINDOWS\System32\FMpVCJlm.ini moved successfully.
C:\WINDOWS\System32\FMpVCJlm.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\frlnqupk.dll
C:\WINDOWS\System32\frlnqupk.dll NOT unregistered.
C:\WINDOWS\System32\frlnqupk.dll moved successfully.
C:\WINDOWS\System32\fsstnftm.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\gojucnel.dll
C:\WINDOWS\System32\gojucnel.dll NOT unregistered.
C:\WINDOWS\System32\gojucnel.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\hyhqeedv.dll
C:\WINDOWS\System32\hyhqeedv.dll NOT unregistered.
C:\WINDOWS\System32\hyhqeedv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\immjygvn.dll
C:\WINDOWS\System32\immjygvn.dll NOT unregistered.
C:\WINDOWS\System32\immjygvn.dll moved successfully.
C:\WINDOWS\System32\IPXayyxx.ini moved successfully.
C:\WINDOWS\System32\IPXayyxx.ini2 moved successfully.
C:\WINDOWS\System32\jiPsvyay.ini moved successfully.
C:\WINDOWS\System32\jiPsvyay.ini2 moved successfully.
C:\WINDOWS\System32\jngawune.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\kwrvwdwx.dll
C:\WINDOWS\System32\kwrvwdwx.dll NOT unregistered.
C:\WINDOWS\System32\kwrvwdwx.dll moved successfully.
C:\WINDOWS\System32\lencujog.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\loijmifa.dll
C:\WINDOWS\System32\loijmifa.dll NOT unregistered.
C:\WINDOWS\System32\loijmifa.dll moved successfully.
C:\WINDOWS\System32\lsmhjfcs.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\mlJDurrP.dll
C:\WINDOWS\System32\mlJDurrP.dll NOT unregistered.
C:\WINDOWS\System32\mlJDurrP.dll moved successfully.
C:\WINDOWS\System32\movupigy.ini moved successfully.
C:\WINDOWS\System32\mrlyerho.exe moved successfully.
File C:\WINDOWS\System32\mtfntssf.dll not found!
C:\WINDOWS\System32\MUCMlUvw.ini moved successfully.
C:\WINDOWS\System32\MUCMlUvw.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\murspirh.dll
C:\WINDOWS\System32\murspirh.dll NOT unregistered.
C:\WINDOWS\System32\murspirh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\mynacwop.dll
C:\WINDOWS\System32\mynacwop.dll NOT unregistered.
C:\WINDOWS\System32\mynacwop.dll moved successfully.
C:\WINDOWS\System32\njuydnne.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\nlkeowtt.dll
C:\WINDOWS\System32\nlkeowtt.dll NOT unregistered.
C:\WINDOWS\System32\nlkeowtt.dll moved successfully.
C:\WINDOWS\System32\nnspecis.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ohjupgdx.dll
C:\WINDOWS\System32\ohjupgdx.dll NOT unregistered.
C:\WINDOWS\System32\ohjupgdx.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\oxkyplge.dll
C:\WINDOWS\System32\oxkyplge.dll NOT unregistered.
C:\WINDOWS\System32\oxkyplge.dll moved successfully.
C:\WINDOWS\System32\pextdxrv.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pfihwuuj.dll
C:\WINDOWS\System32\pfihwuuj.dll NOT unregistered.
C:\WINDOWS\System32\pfihwuuj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\pwwdarnu.dll
C:\WINDOWS\System32\pwwdarnu.dll NOT unregistered.
C:\WINDOWS\System32\pwwdarnu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\qdcardjd.dll
C:\WINDOWS\System32\qdcardjd.dll NOT unregistered.
C:\WINDOWS\System32\qdcardjd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\qncktruh.dll
C:\WINDOWS\System32\qncktruh.dll NOT unregistered.
C:\WINDOWS\System32\qncktruh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\rsmkwkgo.dll
C:\WINDOWS\System32\rsmkwkgo.dll NOT unregistered.
C:\WINDOWS\System32\rsmkwkgo.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ruuubfws.dll
C:\WINDOWS\System32\ruuubfws.dll NOT unregistered.
C:\WINDOWS\System32\ruuubfws.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\scfjhmsl.dll
C:\WINDOWS\System32\scfjhmsl.dll NOT unregistered.
C:\WINDOWS\System32\scfjhmsl.dll moved successfully.
C:\WINDOWS\System32\srdqibyg.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ssqoMeDw.dll
C:\WINDOWS\System32\ssqoMeDw.dll NOT unregistered.
C:\WINDOWS\System32\ssqoMeDw.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\swwhcnji.dll
C:\WINDOWS\System32\swwhcnji.dll NOT unregistered.
C:\WINDOWS\System32\swwhcnji.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\tausqfjj.dll
C:\WINDOWS\System32\tausqfjj.dll NOT unregistered.
C:\WINDOWS\System32\tausqfjj.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\txfyjpvk.dll
C:\WINDOWS\System32\txfyjpvk.dll NOT unregistered.
C:\WINDOWS\System32\txfyjpvk.dll moved successfully.
C:\WINDOWS\System32\uenwyumd.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\vtUlMefg.dll
C:\WINDOWS\System32\vtUlMefg.dll NOT unregistered.
C:\WINDOWS\System32\vtUlMefg.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\vtUolMcC.dll
C:\WINDOWS\System32\vtUolMcC.dll NOT unregistered.
C:\WINDOWS\System32\vtUolMcC.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wbocqysk.dll
C:\WINDOWS\System32\wbocqysk.dll NOT unregistered.
C:\WINDOWS\System32\wbocqysk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wchodbwb.dll
C:\WINDOWS\System32\wchodbwb.dll NOT unregistered.
C:\WINDOWS\System32\wchodbwb.dll moved successfully.
File C:\WINDOWS\System32\wgbqfykx.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wlsitwym.dll
C:\WINDOWS\System32\wlsitwym.dll NOT unregistered.
C:\WINDOWS\System32\wlsitwym.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wvUlMCUM.dll
C:\WINDOWS\System32\wvUlMCUM.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\wvUlMCUM.dll scheduled to be moved on reboot.
C:\WINDOWS\System32\xcavygwf.exe moved successfully.
C:\WINDOWS\System32\xjwoaoif.ini moved successfully.
LoadLibrary failed for C:\WINDOWS\System32\yaywvSJA.dll
C:\WINDOWS\System32\yaywvSJA.dll NOT unregistered.
C:\WINDOWS\System32\yaywvSJA.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\ygipuvom.dll
C:\WINDOWS\System32\ygipuvom.dll NOT unregistered.
C:\WINDOWS\System32\ygipuvom.dll moved successfully.
C:\WINDOWS\System32\yugxixub.ini moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\yxmgwutn.dll
C:\WINDOWS\System32\yxmgwutn.dll NOT unregistered.
C:\WINDOWS\System32\yxmgwutn.dll moved successfully.
C:\WINDOWS\System32\__c00495FA.dat moved successfully.
C:\WINDOWS\System32\__c006001.dat moved successfully.
C:\WINDOWS\System32\__c0060EB8.dat moved successfully.
C:\WINDOWS\System32\__c0060F37.dat moved successfully.
File move failed. C:\WINDOWS\System32\__c0066644.dat scheduled to be moved on reboot.
C:\WINDOWS\System32\__c009B271.dat moved successfully.
C:\WINDOWS\System32\__c00E78B5.dat moved successfully.
C:\WINDOWS\BMe76ddc0b.xml moved successfully.
C:\WINDOWS\cookies.ini moved successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
C:\WINDOWS\pskt.ini moved successfully.
[Files Created - Additional Folder Scans - All]
C:\Documents and Settings\Nigel\Desktop\ComboFix.exe moved successfully.
C:\Documents and Settings\Nigel\Desktop\dss.exe moved successfully.
C:\Documents and Settings\Nigel\Desktop\Nigel.exe moved successfully.
C:\Documents and Settings\Nigel\Desktop\VundoFix.exe moved successfully.
[Files/Folders - Modified Within 90 days]
File C:\is154323.exe not found!
File C:\VundoFix Backups not found!
File C:\WINDOWS\System32\ahnawmun.dll not found!
File C:\WINDOWS\System32\awfepmow.exe not found!
File C:\WINDOWS\System32\bceKkUvw.ini not found!
C:\WINDOWS\System32\bceKkUvw.ini2 moved successfully.
File C:\WINDOWS\System32\buxixguy.dll not found!
File C:\WINDOWS\System32\cefkstcx.dll not found!
File C:\WINDOWS\System32\dbmcvxke.ini not found!
File C:\WINDOWS\System32\eeuqnphu.dll not found!
File C:\WINDOWS\System32\erkoxceg.dll not found!
File C:\WINDOWS\System32\fioaowjx.dll not found!
File C:\WINDOWS\System32\fjllnuwl.dll not found!
File C:\WINDOWS\System32\fkfvipoq.dll not found!
File C:\WINDOWS\System32\FMpVCJlm.ini not found!
File C:\WINDOWS\System32\FMpVCJlm.ini2 not found!
File C:\WINDOWS\System32\frlnqupk.dll not found!
File C:\WINDOWS\System32\fsstnftm.ini not found!
C:\WINDOWS\System32\FxsTmp folder moved successfully.
File C:\WINDOWS\System32\gojucnel.dll not found!
File C:\WINDOWS\System32\hyhqeedv.dll not found!
File C:\WINDOWS\System32\immjygvn.dll not found!
File C:\WINDOWS\System32\IPXayyxx.ini not found!
File C:\WINDOWS\System32\IPXayyxx.ini2 not found!
File C:\WINDOWS\System32\jiPsvyay.ini not found!
File C:\WINDOWS\System32\jiPsvyay.ini2 not found!
File C:\WINDOWS\System32\jngawune.exe not found!
File C:\WINDOWS\System32\kwrvwdwx.dll not found!
File C:\WINDOWS\System32\lencujog.ini not found!
File C:\WINDOWS\System32\loijmifa.dll not found!
File C:\WINDOWS\System32\lsmhjfcs.ini not found!
File C:\WINDOWS\System32\mlJDurrP.dll not found!
File C:\WINDOWS\System32\movupigy.ini not found!
File C:\WINDOWS\System32\mrlyerho.exe not found!
File C:\WINDOWS\System32\mtfntssf.dll not found!
File C:\WINDOWS\System32\MUCMlUvw.ini not found!
File C:\WINDOWS\System32\MUCMlUvw.ini2 not found!
File C:\WINDOWS\System32\murspirh.dll not found!
File C:\WINDOWS\System32\mynacwop.dll not found!
File C:\WINDOWS\System32\njuydnne.ini not found!
File C:\WINDOWS\System32\nlkeowtt.dll not found!
File C:\WINDOWS\System32\nnspecis.exe not found!
File C:\WINDOWS\System32\ohjupgdx.dll not found!
File C:\WINDOWS\System32\oxkyplge.dll not found!
File C:\WINDOWS\System32\pextdxrv.exe not found!
File C:\WINDOWS\System32\pfihwuuj.dll not found!
File C:\WINDOWS\System32\pwwdarnu.dll not found!
File C:\WINDOWS\System32\qdcardjd.dll not found!
File C:\WINDOWS\System32\qncktruh.dll not found!
File C:\WINDOWS\System32\rsmkwkgo.dll not found!
File C:\WINDOWS\System32\ruuubfws.dll not found!
File C:\WINDOWS\System32\scfjhmsl.dll not found!
File C:\WINDOWS\System32\srdqibyg.ini not found!
File C:\WINDOWS\System32\ssqoMeDw.dll not found!
File C:\WINDOWS\System32\swwhcnji.dll not found!
File C:\WINDOWS\System32\tausqfjj.dll not found!
File C:\WINDOWS\System32\txfyjpvk.dll not found!
File C:\WINDOWS\System32\uenwyumd.exe not found!
File C:\WINDOWS\System32\vtUlMefg.dll not found!
File C:\WINDOWS\System32\vtUolMcC.dll not found!
File C:\WINDOWS\System32\wbocqysk.dll not found!
File C:\WINDOWS\System32\wchodbwb.dll not found!
File C:\WINDOWS\System32\wgbqfykx.dll not found!
File C:\WINDOWS\System32\wlsitwym.dll not found!
DllUnregisterServer procedure not found in C:\WINDOWS\System32\wvUlMCUM.dll
C:\WINDOWS\System32\wvUlMCUM.dll NOT unregistered.
File move failed. C:\WINDOWS\System32\wvUlMCUM.dll scheduled to be moved on reboot.
File C:\WINDOWS\System32\xcavygwf.exe not found!
File C:\WINDOWS\System32\xjwoaoif.ini not found!
File C:\WINDOWS\System32\yaywvSJA.dll not found!
File C:\WINDOWS\System32\ygipuvom.dll not found!
File C:\WINDOWS\System32\yugxixub.ini not found!
File C:\WINDOWS\System32\yxmgwutn.dll not found!
File C:\WINDOWS\System32\__c00495FA.dat not found!
File C:\WINDOWS\System32\__c006001.dat not found!
File C:\WINDOWS\System32\__c0060EB8.dat not found!
File C:\WINDOWS\System32\__c0060F37.dat not found!
File move failed. C:\WINDOWS\System32\__c0066644.dat scheduled to be moved on reboot.
File C:\WINDOWS\System32\__c009B271.dat not found!
File C:\WINDOWS\System32\__c00E78B5.dat not found!
File C:\WINDOWS\BMe76ddc0b.xml not found!
File C:\WINDOWS\pskt.ini not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.0 fix logfile created on 05272008_061115

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\__c0066644.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\system32\wvUlMCUM.dll scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
=========================

Do you want me to proceed to the Malware install anyway?

Thanks for all your help.

Rorschach112
2008-05-27, 02:52
Yes go on with the next steps

srcbeck
2008-05-27, 14:09
Hi Rorschach112,

well that was all positive. I managed to install Malwarebytes Anti-malware and scanned and removed infected files. Here is the log from that run:

Malwarebytes' Anti-Malware 1.12
Database version: 789

Scan type: Quick Scan
Objects scanned: 50417
Time elapsed: 13 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wvUlMCUM.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c0027240.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e12af61-2dc4-4085-82bc-5712227e1281} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4e12af61-2dc4-4085-82bc-5712227e1281} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1a7793de-2598-4fa8-9ec5-9442cde5e1cc} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1a7793de-2598-4fa8-9ec5-9442cde5e1cc} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2c70f37f-144a-49b4-bc53-3cb658e6d247} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2c70f37f-144a-49b4-bc53-3cb658e6d247} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e45eef97 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMe76ddc0b (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvulmcum -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\__c0027240.dat -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\wvulmcum -> Delete on reboot.

Folders Infected:
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\Ready (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\temp (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\Upload (Adware.Comet) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dnxotnly.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ylntoxnd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxyouccx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xccuoyxg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlMCUM.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MUCMlUvw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\MUCMlUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sam\Local Settings\Temporary Internet Files\Content.IE5\CCBC3TOJ\kb516107[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\Wallpaper\swpstart.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjsdilol.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0027240.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c0066644.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nigel\Desktop\Malwareprob.txt (Rogue.MalwarePro) -> Quarantined and deleted successfully.
====================================================

I then re-installed ComboFix and Windows XP Recovery Console and ran ComboFix successfully. Here is the log from this run:

ComboFix 08-05-26.2 - Nigel 2008-05-27 20:42:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.109 [GMT 10:00]
Running from: C:\Documents and Settings\Nigel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nigel\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMe76ddc0b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\alwvwmhf.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\phywhtvv.exe
C:\WINDOWS\system32\wvUlMCUM.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 20:07 . 2008-05-27 20:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 20:07 . 2008-05-27 20:07 <DIR> d-------- C:\Documents and Settings\Nigel\Application Data\Malwarebytes
2008-05-27 20:07 . 2008-05-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 20:07 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 20:07 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-27 19:40 . 2008-05-27 19:41 51,200 --a------ C:\WINDOWS\system32\ypyxglij.dll
2008-05-27 06:29 . 2008-05-27 06:29 51,200 --a------ C:\WINDOWS\system32\ohgsmbpi.dll
2008-05-27 06:23 . 2008-05-27 06:23 51,200 --a------ C:\WINDOWS\system32\youjnetb.dll
2008-05-26 19:52 . 2008-05-26 19:52 124,928 --a------ C:\WINDOWS\system32\wydggbkp.dll
2008-05-25 15:55 . 2008-05-25 15:55 <DIR> d-------- C:\Deckard
2008-05-23 19:13 . 2008-05-23 19:13 <DIR> d-------- C:\_OTMoveIt
2008-05-23 19:12 . 2008-05-23 19:12 291,328 --a------ C:\Documents and Settings\LocalService\OTMoveIt2.exe
2008-05-22 14:38 . 2008-05-22 14:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-22 14:38 . 2008-05-22 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-21 23:10 . 2008-05-22 22:45 616 --a------ C:\WINDOWS\wininit.ini
2008-05-21 21:33 . 2008-05-21 20:38 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-21 21:33 . 2008-05-21 21:33 2,546 --a------ C:\WINDOWS\unins000.dat
2008-05-02 16:41 . 2008-05-02 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 16:30 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-05-02 16:30 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-05-02 16:27 . 2008-05-02 16:27 <DIR> d-------- C:\Program Files\Bonjour
2008-05-02 16:17 . 2008-05-02 16:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 09:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 14:09 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-21 11:51 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-17 02:54 --------- d-----w C:\Documents and Settings\Nat\Application Data\Skype
2008-05-02 06:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-10 06:03 --------- d-----w C:\Documents and Settings\Sam\Application Data\Skype
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2007-08-06 01:15 468 ----a-w C:\Documents and Settings\Chris\Application Data\wklnhst.dat
2007-07-21 03:47 210,416 ----a-w C:\Documents and Settings\Nigel\zaSetup_en.exe
2007-05-16 02:28 886 ----a-w C:\Documents and Settings\Nat\Application Data\wklnhst.dat
2007-04-25 14:48 130 ----a-w C:\Documents and Settings\Nigel\Application Data\wklnhst.dat
2006-08-14 10:06 8 --sh--r C:\WINDOWS\system32\5DDEA58DCA.sys
2006-08-14 10:06 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2005-03-03 04:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-09 01:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2006-02-28 22:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-03 04:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-09 01:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-09 01:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2005-03-02 10:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 19:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2006-02-28 22:00 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 10:34 2056832 81013f36b21c7f72cf784cc6731e0002 C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 18:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 18:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 18:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 11:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 19:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2006-02-28 22:00 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 10:59 2179328 4d4cf2c14550a4b7718e94a6e581856e C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 19:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 19:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 19:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-02 04:32 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-27 18:48 7561216]
"nwiz"="nwiz.exe" [2006-04-27 18:48 1519616 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 22:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 22:26 794713]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 07:40 155648]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 22:50 71216]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-20 05:17 78960]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-14 18:31 155648]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43 57344]
"HostManager"="C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe" [2006-09-26 10:52 50736]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-14 18:29 180269]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 09:02 67184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\NetMeeting\\Conf.exe"=
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\Program Files\\InterVideo\\MediaOne Gallery\\mediaone.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 13:49]
R3 W33ND;W89C33 mPCI 802.11 Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\W33ND.SYS [2006-02-22 10:32]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 20:50:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-05-27 20:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 10:57:32

Pre-Run: 47,036,878,848 bytes free
Post-Run: 47,144,022,016 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

168 --- E O F --- 2008-05-14 22:32:00

====================================================

I then ran HijackThis successfully and here is the log from this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:05 PM, on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nigel\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155351588921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.bigphoto.com.au/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9245 bytes

=======================================================

On reboot the machine actually boots up normal now and I can logon to accounts without the Rundll32.exe messages so on the surface it looks like this may have fixed everything but I will wait for your confirmation of anything else you think I need to do.

This is truly wonderful, thanks for your patience.

Nigel.

Rorschach112
2008-05-27, 15:32
Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\ypyxglij.dll
C:\WINDOWS\system32\ohgsmbpi.dll
C:\WINDOWS\system32\youjnetb.dll
C:\WINDOWS\system32\wydggbkp.dll
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
[-HKEY_CLASSES_ROOT\CLSID\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]

Driver::



Save this as CFScript.txt, in the same location as ComboFix.exe


http://i266.photobucket.com/albums/ii277/sUBs_/Combo-Do.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log

srcbeck
2008-05-28, 14:48
Hi,

I tried running the script through ComboFix. Unfortunately part way through my machine died, dead battery, not sure where it got to. I restarted under AC power and tried running it again and it got all way through to after changing clock then Completed upto Stage 30 and then froze for an hour so I killed it and tried again, this time froze at stage 17 for over an hour.

I thought best not to run again and just ran a HJT and here is it's log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43, on 2008-05-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nigel\Desktop\HiJackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155351588921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.bigphoto.com.au/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9116 bytes

I will await your advise.

Rorschach112
2008-05-28, 19:03
Do this

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

srcbeck
2008-05-29, 12:01
Installed and ran dss.exe successfully. Here is the Main.txt:

Deckard's System Scanner v20071014.68
Run by Nigel on 2008-05-29 18:55:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
60: 2008-05-29 08:56:10 UTC - RP258 - Deckard's System Scanner Restore Point
59: 2008-05-28 11:32:45 UTC - RP257 - ComboFix created restore point
58: 2008-05-28 10:57:54 UTC - RP256 - ComboFix created restore point
57: 2008-05-28 10:21:47 UTC - RP255 - ComboFix created restore point
56: 2008-05-28 10:00:35 UTC - RP254 - ComboFix created restore point


-- First Restore Point --
1: 2008-05-16 06:31:41 UTC - RP199 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Nigel.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:57, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Nigel\Desktop\dss.exe
C:\DOCUME~1\Nigel\Desktop\Nigel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155351588921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.bigphoto.com.au/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9118 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 STHDA (SigmaTel High Definition Audio CODEC) - c:\windows\system32\drivers\sthda.sys <Not Verified; SigmaTel, Inc.; C-Major Audio>
R3 W33ND (W89C33 mPCI 802.11 Wireless LAN Adapter Driver) - c:\windows\system32\drivers\w33nd.sys <Not Verified; Winbond Electronics Corp.; Winbond W89C33 mPCI 802.11 Wireless LAN Adapter>
R3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys <Not Verified; America Online, Inc.; Wan Miniport (ATW)>

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 U81xbus (LGE U8XXX driver (WDM)) - c:\windows\system32\drivers\u81xbus.sys <Not Verified; MCCI; LG Electronics U8110>
S3 U81xmdfl (LGE U8XXX USB WMC Modem Filter) - c:\windows\system32\drivers\u81xmdfl.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem Filter Driver>
S3 U81xmdm (LGE U8XXX USB WMC Modem Driver) - c:\windows\system32\drivers\u81xmdm.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Modem>
S3 U81xmgmt (LGE U8XXX USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\u81xmgmt.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC Device Management>
S3 U81xobex (LGE U8XXX USB WMC OBEX Interface) - c:\windows\system32\drivers\u81xobex.sys <Not Verified; MCCI; LG Electronics U8110 USB WMC OBEX Interface>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-27 20:40:28 0 d-------- C:\cmdcons
2008-05-27 20:38:46 68096 --a------ C:\WINDOWS\zip.exe
2008-05-27 20:38:46 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-27 20:38:46 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-27 20:38:46 98816 --a------ C:\WINDOWS\sed.exe
2008-05-27 20:38:46 80412 --a------ C:\WINDOWS\grep.exe
2008-05-27 20:38:46 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-27 20:38:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-27 20:38:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-27 20:07:37 0 d-------- C:\Documents and Settings\Nigel\Application Data\Malwarebytes
2008-05-27 20:07:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 20:07:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 19:12:24 291328 --a------ C:\Documents and Settings\LocalService\OTMoveIt2.exe <Not Verified; OldTimer Tools; OTMoveIt>
2008-05-22 14:38:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 14:38:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 21:33:49 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-21 21:33:48 2546 --a------ C:\WINDOWS\unins000.dat
2008-05-02 16:41:51 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 16:27:44 0 d-------- C:\Program Files\Bonjour
2008-05-02 16:17:22 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-05-24 00:09:28 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-02 16:27:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 16:17:22 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-27 18:48]
"nwiz"="nwiz.exe" [2006-04-27 18:48 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 22:50 C:\WINDOWS\AGRSMMSG.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 22:26]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 07:40]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 22:50]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-20 05:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-14 18:31]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43]
"HostManager"="C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe" [2006-09-26 10:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-14 18:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 09:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-02 04:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe



-- End of Deckard's System Scanner: finished at 2008-05-29 18:58:24 ------------

========================================================

Here is the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Turion(tm) 64 Mobile Technology MK-36
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 446.6 MiB / 164.02 MiB
Pagefile Memory (total/avail): 1051.94 MiB / 785.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.39 MiB

C: is Fixed (NTFS) - 64.77 GiB total, 43.94 GiB free.
D: is Fixed (FAT32) - 9.75 GiB total, 4.31 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800VE-00KWT0 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 64.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 9.76 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: Symantec AntiVirus Corporate Edition v9.0.3.1000 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe:*:enabled:AOL 9.0 (Connectivity Service)"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe:*:enabled:AOL 9.0 (Connectivity Service Dialer)"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:enabled:Microsoft Fax"
"C:\\Program Files\\NetMeeting\\Conf.exe"="C:\\Program Files\\NetMeeting\\Conf.exe:*:enabled:NetMeeting"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:enabled:WinDVD 7"
"C:\\Program Files\\InterVideo\\MediaOne Gallery\\mediaone.exe"="C:\\Program Files\\InterVideo\\MediaOne Gallery\\mediaone.exe:*:enabled:MediaOne Gallery"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLACSD.exe:*:enabled:AOL 9.0 (Connectivity Service)"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDIAL.exe:*:enabled:AOL 9.0 (Connectivity Service Dialer)"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:enabled:Microsoft Fax"
"C:\\Program Files\\NetMeeting\\Conf.exe"="C:\\Program Files\\NetMeeting\\Conf.exe:*:enabled:NetMeeting"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:enabled:WinDVD 7"
"C:\\Program Files\\InterVideo\\MediaOne Gallery\\mediaone.exe"="C:\\Program Files\\InterVideo\\MediaOne Gallery\\mediaone.exe:*:enabled:MediaOne Gallery"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Nigel\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BECKMANLAPTOP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Nigel
LOGONSERVER=\\BECKMANLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 76 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4c02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Nigel\LOCALS~1\Temp
TMP=C:\DOCUME~1\Nigel\LOCALS~1\Temp
USERDOMAIN=BECKMANLAPTOP
USERNAME=Nigel
USERPROFILE=C:\Documents and Settings\Nigel
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Nigel (admin)
Sam (admin)
Karen (admin)
Chris (admin)
Nat (admin)
Tim (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{3AD59E07-5D54-4142-8505-62889FEDFA59}\setup.exe" REMOVEALL
--> "C:\Program Files\InstallShield Installation Information\{F37167DD-4436-4641-90B6-329D60632DDA}\Setup.exe" REMOVEALL --u:{F37167DD-4436-4641-90B6-329D60632DDA}
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA7621DC-7144-4A24-973C-B9BC0E945628}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3Planesoft Screensaver Manager 1.1 --> "C:\Program Files\3Planesoft Screensaver Manager\unins000.exe"
ABBYY FineReader 5.0 Sprint --> MsiExec.exe /X{D1696920-9794-4BBC-8A30-7A88763DE5A2}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash CS3 --> MsiExec.exe /I{6B52140A-F189-4945-BFFC-DB3F00B8C589}
Adobe Flash CS3 Professional --> C:\Program Files\Common Files\Adobe\Installers\c3c7fe8b09d497ab2b3fd91c9353390\Setup.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player 9 Plugin --> MsiExec.exe /X{88D422DB-E9C7-4E16-9D80-2999F4FD6AD9}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Video Encoder --> MsiExec.exe /I{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe Setup --> MsiExec.exe /I{FFC1ADE3-944B-4231-894E-3903C37271D2}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Agere Systems HDA Modem --> agrsmdel
AOL Coach Version 1.0(Build:20040229.1 en) --> C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe
AOL Spyware Protection --> C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
AOL Toolbar --> "C:\Program Files\AOL Toolbar\UNWISE.EXE" /u "C:\Program Files\AOL Toolbar\INSTALL.LOG"
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
AOL You've Got Pictures Screensaver --> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Pro --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Documents and Settings\Nigel\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hypercube version 2 --> C:\Program Files\Valve\Steam\SteamApps\SourceMods\hypercube\Uninstal.exe
Informations about your PC --> MsiExec.exe /I{0AB149EB-2AE0-466C-9BA4-3A718CF06432}
InterVideo MediaOne Gallery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34F0D55F-C386-4195-9A5B-961D3F6ACD46}\setup.exe" REMOVEALL
InterVideo WinDVD 7 --> "C:\Program Files\InstallShield Installation Information\{90885A82-9673-49EA-AB39-AF776639C67C}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lagoon 3D Screensaver 1.0 --> "C:\Program Files\Lagoon 3D Screensaver\unins000.exe"
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lexmark X1100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
LG Phone Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{D130E8E3-C39F-4572-A622-8636BBB09865} /l1033
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Nero 7 Essentials --> MsiExec.exe /I{C06BEA8D-E886-49FF-B772-A9C550741033}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
Pure Networks Port Magic --> C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe -Uninstall -ShowUI
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{929408E6-D265-4174-805F-81D1D914E2A4} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek USB 2.0 Card Reader --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype add-on for IE --> rundll32 "C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll",FriendlyUnregisterServer 0
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SmartSound Quicktracks Plugin --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Ulead DVD MovieFactory 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{448AB2CB-C94A-47DE-80B8-9D7824DEFA57}\setup.exe" -l0x9
Ulead VideoStudio 9.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EAB2384-C794-40ED-A9DD-3270A0D2BB76}\setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winbond WLAN --> C:\PROGRA~1\winbond\w89c33\UNWISE.EXE C:\PROGRA~1\winbond\w89c33\INSTALL.LOG
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (04/28/2006 1.3.1.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_9EA6D2FA46FEFFB7011ED0B6015B626D07F1EEF7\amdk8.inf
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type10287 / Error
Event Submitted/Written: 05/29/2008 06:57:47 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Event Record #/Type10285 / Error
Event Submitted/Written: 05/28/2008 10:17:32 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x02859350.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type10284 / Error
Event Submitted/Written: 05/28/2008 10:17:27 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x02859350.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type10211 / Error
Event Submitted/Written: 05/27/2008 07:58:53 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x02d29350.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type10210 / Error
Event Submitted/Written: 05/27/2008 07:58:49 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x02d29350.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39796 / Warning
Event Submitted/Written: 05/29/2008 06:52:03 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0060B34ECE38. The following
error occurred:
%%10038.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type39663 / Warning
Event Submitted/Written: 05/28/2008 07:56:14 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\USER-BECKMAN on the network \Device\NetBT_Tcpip_{CB85A3C5-7451-4845-A26C-F590D64A9D88}.
The data is the error code.

Event Record #/Type39658 / Warning
Event Submitted/Written: 05/28/2008 06:55:51 PM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\USER-BECKMAN on the network \Device\NetBT_Tcpip_{CB85A3C5-7451-4845-A26C-F590D64A9D88}.
The data is the error code.

Event Record #/Type39657 / Warning
Event Submitted/Written: 05/27/2008 09:32:38 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type39467 / Error
Event Submitted/Written: 05/27/2008 06:19:32 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053



-- End of Deckard's System Scanner: finished at 2008-05-29 18:58:24 ------------

Please advise next steps.

Rorschach112
2008-05-29, 15:57
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png





Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

Rorschach112
2008-05-29, 20:07
Do this please


Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]

[-HKEY_CLASSES_ROOT\CLSID\{18B0E5C0-4FCB-11CF-AAX5-004016608512}]




Then double click on the fix.reg file, when it prompts to merge click "Yes".



Reboot and post a new DSS log

srcbeck
2008-05-30, 00:26
Hi Rorschach112,

just wanted to say thanks for all your help. I have spoken to all my friends about how helpful you have been. You guys who support us novice users are fantastic.

One last question, you gave me a list of things to do to clean up which is great and I will cetainly do but then you added one more post about running OTMoveIt and doing something with problems in my registry. Did you mean that for me and my problems or was that meant to be posted for someone elses problems?

Rorschach112
2008-05-30, 03:25
No that is for you, one infection respawned, we need to remove it

Wont take long

srcbeck
2008-05-30, 15:59
Here is the OTMoveIt log:

Explorer killed successfully
File/Folder C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1113\iuhi32.exe not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05302008_223303

Here is the DSS Main.txt log:

Deckard's System Scanner v20071014.68
Run by Nigel on 2008-05-30 22:41:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Nigel.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42, on 2008-05-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nigel\Desktop\dss.exe
C:\DOCUME~1\Nigel\Desktop\Nigel.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155351588921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - https://www.bigphoto.com.au/ImageUploader/ImageUploader4.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9146 bytes

-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-27 20:40:28 0 d-------- C:\cmdcons
2008-05-27 20:38:46 68096 --a------ C:\WINDOWS\zip.exe
2008-05-27 20:38:46 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-27 20:38:46 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-27 20:38:46 98816 --a------ C:\WINDOWS\sed.exe
2008-05-27 20:38:46 80412 --a------ C:\WINDOWS\grep.exe
2008-05-27 20:38:46 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-27 20:38:45 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-27 20:38:45 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-27 20:07:37 0 d-------- C:\Documents and Settings\Nigel\Application Data\Malwarebytes
2008-05-27 20:07:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-27 20:07:15 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 19:12:24 291328 --a------ C:\Documents and Settings\LocalService\OTMoveIt2.exe <OTMOVE~1.EXE> <Not Verified; OldTimer Tools; OTMoveIt>
2008-05-22 14:38:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-22 14:38:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 21:33:49 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-21 21:33:48 2546 --a------ C:\WINDOWS\unins000.dat
2008-05-02 16:41:51 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 16:27:44 0 d-------- C:\Program Files\Bonjour
2008-05-02 16:17:22 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-05-24 00:09:28 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-02 16:27:39 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-02 16:17:22 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-27 18:48]
"nwiz"="nwiz.exe" [2006-04-27 18:48 C:\WINDOWS\system32\nwiz.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 22:50 C:\WINDOWS\AGRSMMSG.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-09 22:26]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 07:40]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 22:50]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-20 05:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-14 18:31]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 00:43]
"HostManager"="C:\Program Files\Common Files\AOL\1177019576\ee\AOLSoftware.exe" [2006-09-26 10:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-14 18:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-11 09:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-02 04:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"




-- End of Deckard's System Scanner: finished at 2008-05-30 22:42:50 ------------

Rorschach112
2008-05-30, 20:08
Perfect


Make sure you have an Internet Connection.
Double-click OTMoveIt2.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.




Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Then we are all done :)

srcbeck
2008-05-31, 02:06
Many thanks yet again. You help has been fantastic and my family very much appreciate having a healthy computer again. Take care.

Rorschach112
2008-05-31, 02:38
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.