Malware alerts by AVG, but can't get rid of



stevencp77
2008-07-30, 03:44
I have a desktop (running XP) that is connected to a wireless network. All other computers don't have any problems, except this one. I have AVG, which is constantly warning of a trojan, but when I click on Heal, it just keeps coming back. Sometimes the web pages won't load, like it's not connected, but a few minutes later, it will come back up. Could you look at this and let me know if you see anything?

Also, when I first boot up and log in, I get this popup...

Error loading C:\WINDOWS\system32\emqblwre.dll


The HJT and Spybot logs:

--- Report generated: 2008-07-27 23:48 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


AdSponsor: [SBI $3113EBD7] Explorer toolbar (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2BC9C452-BB57-4896-A9A2-64611E06C5AA}

WhenU.DAEMONTools.SearchBar: [SBI $D02FC508] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome.manifest

WhenU.DAEMONTools.SearchBar: [SBI $CB4796A2] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\install.js

WhenU.DAEMONTools.SearchBar: [SBI $2BCC81C5] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\install.rdf

WhenU.DAEMONTools.SearchBar: [SBI $5FF721E8] Program directory (Directory, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\

WhenU.DAEMONTools.SearchBar: [SBI $677F2445] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\chrome\whenu_ff.jar

WhenU.DAEMONTools.SearchBar: [SBI $AC0C2FE5] Program directory (Directory, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\

WhenU.DAEMONTools.SearchBar: [SBI $4FB36046] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\Iwhenu_ff.xpt

WhenU.DAEMONTools.SearchBar: [SBI $642B8E1D] Web page (File, fixed)
C:\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll

Zango: [SBI $62B12F59] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\ZangoToolbar

Zango: [SBI $BEB0030D] Application data folder (Directory, fixing failed)
C:\Program Files\ZangoToolbar\

Batty: [SBI $8D3AF552] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{1B8B502E-455B-4022-BE27-736D9F808A18}

Batty: [SBI $11824C62] Library (File, fixed)
C:\WINDOWS\system32\BattyRun2.dll

BPSSpywareRemover: [SBI $56D821C1] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{602E2CE0-53F7-11D2-A7F4-00A0C91110C3}

Delf.12.an: [SBI $85FB44D5] Library (File, fixed)
C:\WINDOWS\system32\esen.dll

Deskbar: [SBI $B9F21263] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DBTB00001.1

Deskbar: [SBI $B9F21263] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7CC80D4-376C-4586-B023-4F35C2CEB28E}

Deskbar: [SBI $E53E52EB] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DeskBar.1

Deskbar: [SBI $9466FADA] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8B28872-3324-4CD2-8AA3-7D555C872D96}

ZenoSearch: [SBI $1C15885E] Data (File, fixed)
C:\WINDOWS\system32\winpfz32.sys

ZenoSearch: [SBI $5BE77FAA] Executable (File, fixed)
C:\WINDOWS\system32\mrdsregr.exe

Deskbar: [SBI $CE04FEFC] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DBTB00001

Deskbar: [SBI $8E85FEB0] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DeskBar

Deskbar: [SBI $83FD130E] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.deskbarBHO

Deskbar: [SBI $83FD130E] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8B28872-3324-4CD2-8AA3-7D555C872D96}

Deskbar: [SBI $41C34260] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.deskbarBHO.1

Deskbar: [SBI $B6E5E4A2] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DeskbarEnabler

Deskbar: [SBI $B6E5E4A2] Class ID (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8C2D4B4-EEAF-4EC4-B1F8-9B6ED15D5A38}

Deskbar: [SBI $60A8E322] Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DBTB00001.DeskbarEnabler.1

Deskbar: [SBI $F0C8404B] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8F15B157-40D9-4B20-8D3B-B1F8B475B58D}

Deskbar: [SBI $CFF191EA] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A0881AA1-68BE-41AC-9C0D-4C8A69C6C72C}

Deskbar: [SBI $9905CAF4] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{E827FFD9-95D1-4B49-BEB3-5D49E688C108}

Deskbar: [SBI $049D752F] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{A4C8F181-6CDB-4DCC-9FC9-BB9933C81E1F}

Deskbar: [SBI $4452472C] Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DBTB00001.DBTB00001Deskbar

Deskbar: [SBI $6C5F0CD8] Web page (File, fixed)
C:\Program Files\Deskbar\about.html

Deskbar: [SBI $AD818246] Web page (File, fixed)
C:\Program Files\Deskbar\basis.xml

Deskbar: [SBI $AB8BB51D] Data (File, fixed)
C:\Program Files\Deskbar\deskbar.crc

Deskbar: [SBI $054302FB] Library (File, fixed)
C:\Program Files\Deskbar\deskbar.dll

Deskbar: [SBI $8499AA6C] Data (File, fixed)
C:\Program Files\Deskbar\deskbar.inf

Deskbar: [SBI $512A8643] Picture (File, fixed)
C:\Program Files\Deskbar\icons.bmp

Deskbar: [SBI $C2EA749D] Picture (File, fixed)
C:\Program Files\Deskbar\inst.bat

Deskbar: [SBI $8B729757] Picture (File, fixed)
C:\Program Files\Deskbar\mbback.bmp

Deskbar: [SBI $B783E243] Picture (File, fixed)
C:\Program Files\Deskbar\mbbigopen.bmp

Deskbar: [SBI $B5F99307] Picture (File, fixed)
C:\Program Files\Deskbar\mbclose.bmp

Deskbar: [SBI $4F1C281E] Picture (File, fixed)
C:\Program Files\Deskbar\mbfwd.bmp

Deskbar: [SBI $290F2054] Picture (File, fixed)
C:\Program Files\Deskbar\mblogo.bmp

Deskbar: [SBI $45C80BE4] Picture (File, fixed)
C:\Program Files\Deskbar\mbsep.bmp

Deskbar: [SBI $0D5EFF2F] Picture (File, fixed)
C:\Program Files\Deskbar\options.html

Deskbar: [SBI $8B17DAF2] Picture (File, fixed)
C:\Program Files\Deskbar\softomate.gif

Deskbar: [SBI $6DB2F639] Picture (File, fixed)
C:\Program Files\Deskbar\version.txt

Deskbar: [SBI $384B0E7F] Program directory (Directory, fixed)
C:\Program Files\Deskbar\Cache\

Deskbar: [SBI $B0C8C7E7] Program directory (Directory, fixed)
C:\Program Files\Deskbar\

Deskbar: [SBI $EB99F0A0] Executable (File, fixed)
c:\deskbar4.exe

Marketscore.RelevantKnowledge: [SBI $4756FE45] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rk.exe

Marketscore.RelevantKnowledge: [SBI $D68A3AB4] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\rk.exe

Banker: [SBI $EBFB4022] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}

Banker: [SBI $7F6039C1] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8CA5ED52-F3FB-4414-A105-2E3491156990}

SearchClickAds: [SBI $96486C8B] Program directory (Directory, fixed)
C:\WINDOWS\zAbstract\

SearchClickAds: [SBI $B9EFF9BB] Data (File, fixed)
C:\WINDOWS\zAbstract\ASI_SPEC.bsx

SearchClickAds: [SBI $B00807F9] Data (File, fixed)
C:\WINDOWS\zAbstract\ASI5AFF.bsx

SearchClickAds: [SBI $3F3E7A95] Data (File, fixed)
C:\WINDOWS\zAbstract\EECH.bsx

SearchClickAds: [SBI $AE4CED38] Data (File, fixed)
C:\WINDOWS\zAbstract\MYGEEK3.bsx

SearchClickAds: [SBI $F42138AB] Data (File, fixed)
C:\WINDOWS\zAbstract\SPZ5.bsx

TagASaurus: [SBI $0F18797C] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\System

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ymhlurfa.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\spwtvkyg.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ahhrshke.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\xvtnfrvj.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\sxyvimvl.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\sjvvyfew.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\xmtcvibq.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\shmssmfq.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\xaccaqkl.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\bhbrrutu.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\bprlqfhd.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\bvimelbe.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\rqvrnyim.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\wyxffmwf.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ccbsrixe.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ccsonlrp.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\cevsjcqv.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\cfvkirum.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\cgnfueoj.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\wxugxdkc.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\rkmrgimt.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\qxysjemg.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\qubtrqyy.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\qpuxcqcg.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\qmxceidd.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\pwgnfmkw.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ptnjmbge.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\pehgukpq.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\oxgvanjv.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\cqbkllfu.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\tnjldigo.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\olqixcgc.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ojdyxqfc.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\nvdmtqgf.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\toopnred.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ngnfvrcn.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ncrixixy.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\tvdloegp.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\dknmootf.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ucakqbxh.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\uhtqvxli.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ukvxftxh.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\mdopfclb.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\wlthxgpi.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\lwsnxrkh.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\urvibjwo.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\leqkdqhg.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\lbthdkjh.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ebiphapy.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\lbeiakbx.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\eknrihrn.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\emlbwtuh.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\kywsxcuo.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\kcoeaivb.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\kcbkelag.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\jiknenwq.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\jcjutkga.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\ffsrncxr.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\isedsoha.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\vgpojuax.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\vqnqggcx.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\walsnwhq.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\iafaouhi.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\wfemewdp.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\gtsgfpta.exe

Virtumonde.ddc: [SBI $F30C1704] Executable (File, fixed)
C:\WINDOWS\system32\hmpggvos.exe

Virtumonde.dll: [SBI $E0164A95] Library (File, fixed)
C:\WINDOWS\system32\uhabwskg.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\yhyqrrqu.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\xyvtsogs.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\xyhnnsve.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\qrpewfau.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\oyyjgxad.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\bapmoips.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\kulnstkj.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\kfmirwmg.dll

Virtumonde.dll: [SBI $59A629A9] Library (File, fixed)
C:\WINDOWS\system32\ipurqwur.dll

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-07-27 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-07-15 Includes\Adware.sbi (*)
2008-07-15 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-07-07 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-10 Includes\Hijackers.sbi (*)
2008-07-08 Includes\HijackersC.sbi (*)
2008-07-15 Includes\Keyloggers.sbi (*)
2008-07-15 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-07-23 Includes\Malware.sbi (*)
2008-07-23 Includes\MalwareC.sbi (*)
2008-07-15 Includes\PUPS.sbi (*)
2008-07-22 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-07-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-07-11 Includes\Spyware.sbi (*)
2008-07-15 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-07-23 Includes\Trojans.sbi (*)
2008-07-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:40 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ymlcn.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {F73015A2-3DB9-40BB-8378-B39FF28F604E} - C:\WINDOWS\system32\esen.dll
O4 - HKLM\..\Run: [sys09341701420] C:\WINDOWS\sys09341701420.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\emqblwre.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: jkkkjih - jkkkjih.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\r0r60a9sed.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 8362 bytes
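Reading a HijackThis log by eye is how a helper triages it. As an added example (not part of the original post and not HijackThis code), here is a small Python script that writes down the rules a helper applies to the log above and runs them over lines constructed from it: a Shell= value launching more than Explorer.exe, unnamed BHOs/URLSearchHooks, Run entries pointing at random-named files in the Windows folders, and orphaned Winlogon Notify hooks. The heuristics, names and sample lines are assumptions for illustration, not a signature set.

```python
"""Triage a HijackThis (HJT) log for the persistence tricks seen in this thread.

Added example for this thread; it is not part of the original post and
not HijackThis code. The heuristics are the ones a malware-removal
helper applies by eye, written down so they can be run over a log.
"""
import re

# Constructed sample: a handful of lines taken from the HJT log posted above,
# mixed with known-good entries so the filter has something to ignore.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ymlcn.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F73015A2-3DB9-40BB-8378-B39FF28F604E} - C:\WINDOWS\system32\esen.dll
O4 - HKLM\..\Run: [sys09341701420] C:\WINDOWS\sys09341701420.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\emqblwre.dll",sitypnow
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: jkkkjih - jkkkjih.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# HJT prefixes every finding with a section code: "O4 - rest of line".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Crude Virtumonde-era heuristic (an assumption, not a signature): an
# eight-lowercase-letter or sys<digits> basename dropped straight into
# \WINDOWS or \system32. Lowercase-only on purpose so mixed-case vendor
# names such as TeaTimer.exe do not trip it.
RANDOM_NAME = re.compile(r"\\(?:WINDOWS|system32)\\(?:[a-z]{8}|sys\d{6,})\.(?:exe|dll)\b")


def check(code, body):
    """Return a reason if the entry looks like malware persistence, else None."""
    if code == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1]
        parts = [p.strip() for p in shell.split(",") if p.strip()]
        # The Shell= value should be Explorer.exe and nothing else.
        if len(parts) != 1 or parts[0].lower() != "explorer.exe":
            return "Shell= launches more than Explorer.exe: " + ", ".join(parts[1:] or parts)
    if code in ("O2", "R3") and "(no name)" in body:
        return "unnamed BHO/URLSearchHook"
    if code == "O4" and RANDOM_NAME.search(body):
        if "rundll32" in body.lower():
            return "rundll32 loading a random-named DLL"
        return "autorun of random-named file"
    if code == "O20" and ("(file missing)" in body or RANDOM_NAME.search(body)):
        return "Winlogon Notify hook that is missing or random-named"
    return None


def triage(log_text):
    """Return (code, reason, line) for every HJT entry that a rule flags."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are skipped
        reason = check(m.group("code"), m.group("body"))
        if reason:
            hits.append((m.group("code"), reason, line))
    return hits


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Everything the script flags still needs a human to confirm; the random-name rule in particular is a hint, not proof.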

Shaba
2008-07-31, 10:17
Hi stevencp77


We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

If you have problems with ComboFix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

Post:

- a fresh HijackThis log
- the ComboFix report

stevencp77
2008-08-04, 05:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:50 PM, on 8/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {F73015A2-3DB9-40BB-8378-B39FF28F604E} - C:\WINDOWS\system32\esen.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) - http://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iWinGamesInstaller - iWin Inc. - C:\Program Files\iWin Games\iWinGamesInstaller.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 8200 bytes




ComboFix 08-07-31.06 - Sandra 2008-08-03 20:40:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.249 [GMT -5:00]
Running from: C:\Documents and Settings\Sandra\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\guard.tmp
.
---- Previous Run -------
.
C:\Documents and Settings\employee\Application Data\macromedia\Flash Player\#SharedObjects\H5F62STG\interclick.com
C:\Documents and Settings\employee\Application Data\macromedia\Flash Player\#SharedObjects\H5F62STG\interclick.com\ud.sol
C:\Documents and Settings\employee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\employee\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Sandra\Application Data\macromedia\Flash Player\#SharedObjects\6C97PMZH\interclick.com
C:\Documents and Settings\Sandra\Application Data\macromedia\Flash Player\#SharedObjects\6C97PMZH\interclick.com\ud.sol
C:\Documents and Settings\Sandra\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Sandra\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\pasystem
C:\Program Files\pasystem\support.dat
C:\Program Files\pasystem\Uninstall.exe
C:\Program Files\pscloner
C:\Program Files\pscloner\PSCloner.exe
C:\Program Files\pscloner\Uninstall.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\system32\aamutfvn.ini
C:\WINDOWS\system32\amemkytc.ini
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\ceckaort.ini
C:\WINDOWS\system32\cwhrvimn.ini
C:\WINDOWS\system32\erwlbqme.ini
C:\WINDOWS\system32\esidxglx.ini
C:\WINDOWS\system32\exfuqofp.ini
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.tmp
C:\WINDOWS\system32\hdykyako.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\ippetfjd.ini
C:\WINDOWS\system32\khdwkwdb.ini
C:\WINDOWS\system32\kiyqjvtr.ini
C:\WINDOWS\system32\kkocinmr.ini
C:\WINDOWS\system32\ktrhqksc.ini
C:\WINDOWS\system32\lbpusyop.ini
C:\WINDOWS\system32\llkjgcrf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmvvaqay.ini
C:\WINDOWS\system32\novgwuwy.ini
C:\WINDOWS\system32\qkltpojy.ini
C:\WINDOWS\system32\qlgnbbqn.ini
C:\WINDOWS\system32\qpunbyiq.ini
C:\WINDOWS\system32\udrgfekc.ini
C:\WINDOWS\system32\wappiftt.ini
C:\WINDOWS\system32\wfiuotkh.ini
C:\WINDOWS\system32\wfiuotkh.ini2
C:\WINDOWS\system32\wfiuotkh.tmp
C:\WINDOWS\system32\wkvveoad.ini
C:\WINDOWS\system32\wmkibubc.ini
C:\WINDOWS\system32\xhtdcbgv.ini
C:\WINDOWS\system32\xjintnki.ini
C:\WINDOWS\system32\xpmtmlgs.ini
C:\WINDOWS\system32\yeblcrni.ini
C:\WINDOWS\system32\yhkcmxia.ini
C:\WINDOWS\system32\ytjvrtfy.ini
C:\WINDOWS\whxenbfr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-07-31 06:06 . 2008-07-31 06:06 <DIR> d-------- C:\Documents and Settings\employee\Application Data\PlayFirst
2008-07-31 06:06 . 2008-07-31 06:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-31 05:16 . 2008-07-31 05:16 <DIR> d-------- C:\Documents and Settings\employee\Application Data\iWin
2008-07-30 22:16 . 2008-07-30 22:16 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-07-29 08:49 . 2008-07-29 08:56 <DIR> d-------- C:\Program Files\MonopolySpongeBob_at
2008-07-28 21:09 . 2008-07-29 08:40 <DIR> d-------- C:\Program Files\MonopolyHereNowEdition_at
2008-07-28 20:37 . 2008-07-28 20:44 <DIR> d-------- C:\Program Files\iWin
2008-07-27 18:43 . 2008-07-27 18:43 <DIR> d-------- C:\Documents and Settings\employee\Application Data\iWinArcade
2008-07-27 13:22 . 2008-07-31 05:43 <DIR> d-------- C:\Program Files\iWin.com
2008-07-27 13:22 . 2008-07-27 13:22 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\iWin
2008-07-27 13:22 . 2008-08-03 20:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-27 13:19 . 2008-07-27 13:19 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\iWinArcade
2008-07-27 13:19 . 2008-07-27 13:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iWin Games
2008-07-27 13:18 . 2008-07-27 13:19 <DIR> d-------- C:\Program Files\iWin Games
2008-07-24 21:21 . 2008-07-28 20:37 <DIR> d-------- C:\INSTALL
2008-07-24 21:18 . 2008-07-24 21:18 <DIR> d-------- C:\KAV
2008-07-24 19:59 . 2008-07-24 19:59 <DIR> d-------- C:\Documents and Settings\employee\Application Data\Malwarebytes
2008-07-24 17:05 . 2008-07-24 17:05 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\Malwarebytes
2008-07-24 17:05 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 17:05 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 17:04 . 2008-07-24 17:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 17:04 . 2008-07-24 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 16:32 . 2005-08-27 02:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-07-24 16:32 . 2003-11-19 14:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-07-24 16:32 . 2004-05-11 10:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-07-24 16:32 . 2004-02-05 21:53 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-07-24 16:32 . 2004-01-09 11:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-07-24 16:32 . 2004-03-09 00:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-07-24 16:32 . 2000-07-15 06:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-07-19 21:36 . 2008-07-19 21:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 12:28 . 2008-07-16 12:29 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\AdobeUM
2008-07-15 16:10 . 2008-07-15 16:10 <DIR> d-------- C:\Documents and Settings\employee\Application Data\HP
2008-07-10 13:15 . 2008-07-10 13:17 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\HPAppData
2008-07-10 13:02 . 2008-07-10 13:02 <DIR> dr-h----- C:\Documents and Settings\Sandra\Application Data\yahoo!
2008-07-10 12:58 . 2004-09-16 17:20 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\You've Got Pictures Screensaver
2008-07-10 12:58 . 2004-09-16 17:25 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\Symantec
2008-07-10 12:58 . 2004-09-16 17:55 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\CyberLink
2008-07-10 12:58 . 2008-07-10 12:58 <DIR> d-------- C:\Documents and Settings\Sandra\Application Data\AVG7
2008-07-10 12:58 . 2008-07-31 00:15 <DIR> d-------- C:\Documents and Settings\Sandra
2008-07-10 06:06 . 2008-07-10 06:06 <DIR> d-------- C:\Documents and Settings\employee\Application Data\HPAppData
2008-07-09 15:19 . 2008-07-09 15:19 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HP
2008-07-09 15:19 . 2008-07-09 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-07-09 15:17 . 2008-07-09 15:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData
2008-07-09 15:17 . 2008-07-09 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-07-09 15:16 . 2008-07-09 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-07-09 15:16 . 2008-07-09 15:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-07-09 15:15 . 2008-07-09 15:15 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-09 15:15 . 2008-07-09 15:15 <DIR> d-------- C:\Program Files\Common Files\HP
2008-07-09 15:14 . 2008-07-09 15:17 <DIR> d-------- C:\Program Files\HP
2008-07-09 15:13 . 2008-07-09 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-07-09 15:13 . 2008-07-09 15:19 137,607 --a------ C:\WINDOWS\HPHins15.dat
2008-07-09 15:13 . 2007-08-28 01:45 2,828 --------- C:\WINDOWS\hphmdl15.dat
2008-07-09 15:12 . 2007-03-30 10:11 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-07-09 15:12 . 2007-03-28 14:01 117,760 --a------ C:\WINDOWS\system32\hpzll5ha.dll
2008-07-09 12:46 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-09 12:46 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-09 10:41 . 2001-03-28 23:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-07-09 10:41 . 1999-01-26 19:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-07-08 20:13 . 2008-07-08 20:13 231 --a------ C:\WINDOWS\system32\comrus.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 13:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-31 03:15 --------- d-----w C:\Program Files\Common Files\Real
2008-07-28 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 03:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-27 18:19 --------- d-----w C:\Program Files\Google
2008-07-27 13:25 292 ----a-w C:\Documents and Settings\employee\Application Data\wklnhst.dat
2008-07-07 13:10 --------- d-----w C:\Documents and Settings\employee\Application Data\AVG7
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 13:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2006-06-07 17:55 3,753 ----a-w C:\Program Files\Common Files\ryle.html
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 16:19 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-05 09:06 411648]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-07-30 22:12 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2008-04-05 09:06 145920]

C:\Documents and Settings\employee\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-07-27 13:19:13 108032]

C:\Documents and Settings\Sandra\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2008-07-27 13:19:13 108032]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 07:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
--a------ 2007-11-07 02:12 196725 C:\WINDOWS\system32\rwinsndq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 05:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
--a------ 2007-07-29 13:20 62967 C:\Program Files\WinUpdater\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 17:43]
S3 EMVSCARD;EMVSCARD;C:\WINDOWS\system32\Drivers\EMVSCARD.sys [2006-09-18 15:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2004-11-18 C:\WINDOWS\Tasks\ISP signup reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 07:00]

2004-11-18 C:\WINDOWS\Tasks\ISP signup reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 07:00]

2008-08-03 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 18:26]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F73015A2-3DB9-40BB-8378-B39FF28F604E} - C:\WINDOWS\system32\esen.dll
HKLM-Run-sys09341701420 - C:\WINDOWS\sys09341701420.exe
Notify-jkkkjih - jkkkjih.dll
MSConfigStartUp-BitTorrent DNA - C:\Program Files\DNA\btdna.exe
MSConfigStartUp-DriveCleaner 2006 Free - c:\program files\drivecleaner 2006 free\udc2006.exe
MSConfigStartUp-pas_check - C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
MSConfigStartUp-SystemOptimizer - C:\WINDOWS\system32\nmivrhwc.dll
MSConfigStartUp-{DF-F3-32-2C-ZN} - C:\windows\system32\mrdsregr.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.emachines.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 20:47:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\volfxvre]
"ImagePath"="system32\drivers\duseroka.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iWin Games\iWinGamesInstaller.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-03 20:59:29 - machine was rebooted [Sandra]
ComboFix-quarantined-files.txt 2008-08-04 01:59:11

Pre-Run: 69,963,825,152 bytes free
Post-Run: 70,080,823,296 bytes free

277 --- E O F --- 2008-07-25 03:18:04

Shaba
2008-08-04, 13:32
Delete this:

C:\Program Files\Common Files\ryle.html

Empty Recycle Bin.

Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.

Right click on gmer.zip and select Extract All....
Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
Click on the Browse button. Click on Desktop. Then click OK.
Click Next. It will start extracting.
Once done, check (tick) the Show extracted files box and click Finish.
Double click on gmer.exe to run it.
Select the Rootkit tab.
On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
Select all drives that are connected to your system to be scanned.
Click on the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into the text editor.
Save the Gmer scan log and post it in your next reply.
Close Gmer.
Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
In Command Prompt, type in net stop gmer. Press Enter.
Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

Shaba
2008-08-09, 12:28
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.