virtumonde help



lizardlize
2008-09-27, 06:10
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:37 PM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: (no name) - {00F51FCC-F7C6-465A-8269-C76504C291F1} - (no file)
O2 - BHO: (no name) - {01E96A3D-6B63-49DF-BBBF-EEB3F84E1CBa} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {634F0B47-2F41-4429-BE86-83321CE674E6} - C:\windows\system32\vtUlJyAT.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9548C5B1-FBCA-49CF-816B-53A7765859EC} - (no file)
O2 - BHO: (no name) - {CF867B3F-CF9B-4CF8-81AE-295FA59C02B3} - C:\windows\system32\xxyxVOIX.dll (file missing)
O2 - BHO: (no name) - {E538488B-36AB-42FF-8498-271810C9C599} - C:\windows\system32\ssqNHwTm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOLAspSunset] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\vrsbnfdq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3615] command /c del "C:\WINDOWS\system32\ssqNHwTm.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC255] cmd /c del "C:\WINDOWS\system32\ssqNHwTm.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs: pahqhe.dll iacgms.dll
O20 - Winlogon Notify: ssqNHwTm - C:\windows\SYSTEM32\ssqNHwTm.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9944 bytes

pskelley
2008-09-27, 15:38
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

This is a really nasty infection and there is not even an antivirus program in Running Processes?

C:\Program Files\ewido anti-spyware 4.0\guard.exe <<< this is obsolete

I am not about to waste my time and yours cleaning a computer not running an antivirus. I see McAfee in the bottom of the log and services, but something is wrong if it is not showing in Running processes.

Suppose you tell me what is going on here, with more information I may take another look.

Thanks
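The helper above is reading the HJT log by eye for the entries that matter. As an added example, not part of this thread and not code from HijackThis, Spybot-S&D or ComboFix, the Python script below parses a handful of lines copied from the first log and applies the checks a reviewer makes on a Virtumonde-style log: orphaned entries marked (no file) or (file missing), unnamed BHOs and toolbars, Run-key entries that launch Rundll32 or live under Policies\Explorer\Run, AppInit_DLLs and Winlogon Notify hooks, and random-looking DLL names in system32. The rule set, the looks_random heuristic and its thresholds are this example's own assumptions; a hit means "look this entry up", not "this is malware".

```python
"""Triage of HijackThis (HJT) v2 log lines.

Added example for this thread; not part of HijackThis, Spybot-S&D or
ComboFix.  The sample lines are copied from the first log posted in the
thread; every rule and threshold below is an assumption of this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the first HJT log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00F51FCC-F7C6-465A-8269-C76504C291F1} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {634F0B47-2F41-4429-BE86-83321CE674E6} - C:\windows\system32\vtUlJyAT.dll (file missing)
O2 - BHO: (no name) - {E538488B-36AB-42FF-8498-271810C9C599} - C:\windows\system32\ssqNHwTm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\vrsbnfdq.dll",s
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O20 - AppInit_DLLs: pahqhe.dll iacgms.dll
O20 - Winlogon Notify: ssqNHwTm - C:\windows\SYSTEM32\ssqNHwTm.dll
"""

# Line formats as HJT prints them (only the sections this example handles).
O2_O3_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>.*?)\] (?P<target>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
DLL_RE = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)  # first DLL path in a command


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list


def looks_random(path):
    """Heuristic (this example's assumption): a 6-8 letter file stem with mixed
    case or no vowels, e.g. vtUlJyAT, ssqNHwTm, vrsbnfdq.  Stems such as
    LVCOMSX or ssv are left alone."""
    stem = re.split(r"[\\/]", path.strip())[-1].split(".")[0]
    if not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    mixed_case = stem != stem.lower() and stem != stem.upper()
    no_vowels = not any(c in "aeiou" for c in stem.lower())
    return mixed_case or no_vowels


def _file_reasons(target):
    """Checks that apply to any entry's file/command text."""
    reasons = []
    if "(no file)" in target or "(file missing)" in target:
        reasons.append("registered file is missing (orphaned entry)")
    dll = DLL_RE.search(target)
    if dll and "\\system32\\" in dll.group(0).lower() and looks_random(dll.group(0)):
        reasons.append("random-looking DLL name in system32")
    return reasons


def reasons_for(line):
    """Return the Findings for one HJT line (empty list if nothing stands out)."""
    line = line.rstrip()
    m = O2_O3_RE.match(line)
    if m:
        reasons = ["unnamed BHO/toolbar"] if m["name"] == "(no name)" else []
        reasons += _file_reasons(m["target"])
        return [Finding(m["sec"], m["name"], m["target"], reasons)] if reasons else []
    m = O4_RE.match(line)
    if m:
        reasons = []
        if "policies\\explorer\\run" in m["key"].lower():
            reasons.append("Policies\\Explorer\\Run autostart (rarely used by legitimate software)")
        if m["target"].lower().startswith("rundll32"):
            reasons.append("Rundll32 autostart loading a DLL")
        reasons += _file_reasons(m["target"])
        return [Finding("O4", m["name"], m["target"], reasons)] if reasons else []
    m = APPINIT_RE.match(line)
    if m:  # every DLL listed here is loaded into each process that maps user32.dll
        return [Finding("O20", "AppInit_DLLs", dll,
                        ["AppInit_DLLs injection into every process"] + _file_reasons(dll))
                for dll in m["target"].split()]
    m = NOTIFY_RE.match(line)
    if m:
        return [Finding("O20", m["name"], m["target"],
                        ["Winlogon Notify hook"] + _file_reasons(m["target"]))]
    return []


def triage(log_text):
    """Run reasons_for over a whole log and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(reasons_for(line))
    return findings


def report(findings):
    return "\n".join(f"[{f.section}] {f.name} -> {f.target}\n    " + "; ".join(f.reasons)
                     for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run as-is it flags eight of the ten sample lines and leaves the Yahoo! BHO and the LVCOMSX Run entry alone. The script is a prompt for what to look up, not a verdict: legitimate software does register Winlogon Notify handlers and unnamed BHOs, and an orphaned "(file missing)" entry is usually leftover registry data rather than a live component, which is why the thread's helper still asks for context before touching anything.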

lizardlize
2008-09-27, 19:18
I have mirco trend as my antivirus.

My computer started running slow. Microtrend found something in McAfee. It deleted it. I was still having problems with IE and Opera. It would not open any pages in IE, and the only ones in Opera were the ones that were in my history. I updated the Spybot I had and it found Virtumonde, Astakiller, and win32.Agent.bm, along with a few others that I deleted. Virtumonde will not disappear from Spybot.

pskelley
2008-09-27, 19:46
You are infected and I am willing to help you if you will slow down and communicate with me, you said:


I have mirco trend as my antivirus. <<< what is that "mirco trend"? If you are trying to say "Trend Micro", where is that program in the HJT log? This:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

has nothing to do with the antivirus program; that is simply a folder created to store HJT in.

You said this:
Microtrend found something in McAfee

Are you saying you no longer use McAfee? If so, uninstall the program in Add Remove Programs. If you can not uninstall it, use the tool from McAfee:
McAfee Consumer Products Removal tool
http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

Once that is done, I would like to see what is installed on this computer, show me like this:

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg


Once you post the uninstall list and any information I requested, then do this.

We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Thanks

lizardlize
2008-09-27, 21:05
<<< what is that "mirco trend"? If you are trying to say "Trend Micro", where is that program in the HJT log? This:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

has nothing to do with the antivirus program; that is simply a folder created to store HJT in.

I don't know where it is in the HijackThis log. I am using "world-class anti-virus & anti-spyware protection from Trend Micro" or so the box says. Windows Security Center also says my virus protection is on. "Avanquest Virus Scanner Pro is up to date and the virus scanning is on."



Are you saying you no longer use McAfee? If so, uninstall the program in Add Remove Programs. If you can not uninstall it, use the tool from McAfee:
McAfee Consumer Products Removal tool
http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
I was no longer using McAfee. I was able to remove it using the URL.

Once that is done, I would like to see what is installed on this computer, show me like this:


Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
This is where I do not know what I am doing wrong. When I click the "Save List..." button, the program just closes and it doesn't save. I searched my computer for it too and couldn't find a log. Then I uninstalled it and redownloaded it and tried again. It produced the same result.

I did run a new HijackThis log. Will this help?

Then I will disable TeaTimer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:34 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\Rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOLAspSunset] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\tmgaebio.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O20 - AppInit_DLLs: pahqhe.dll iacgms.dll jahxmi.dll rcuiue.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8427 bytes

pskelley
2008-09-27, 21:27
1) C:\Program Files\ewido anti-spyware 4.0\ <<< this program is obsolete, uninstall it in Add Remove programs.

2) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Thanks

lizardlize
2008-09-28, 04:02
ComboFix 08-09-26.06 - Owner 2008-09-27 12:06:54.1 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\WinBudget
C:\windows\BM57247bb3.txt
C:\windows\BM57247bb3.xml
C:\windows\cookies.ini
C:\windows\pskt.ini
C:\windows\system32\components
C:\windows\system32\dao350.dll
C:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-27 11:53 . 2008-09-27 11:52 46,080 --a------ C:\WINDOWS\system32\rqRIxuTM.dll
2008-09-27 11:52 . 2008-09-27 11:52 46,080 --a------ C:\WINDOWS\system32\rqRhIBSk.dll
2008-09-27 11:24 . 2008-09-27 11:24 46,080 --a------ C:\WINDOWS\system32\nnnkJAsP.dll
2008-09-27 11:24 . 2008-09-27 11:24 46,080 --a------ C:\WINDOWS\system32\khfDTNEt.dll
2008-09-27 09:48 . 2008-09-27 09:48 46,080 --a------ C:\WINDOWS\system32\nnnoPgHA.dll
2008-09-27 09:48 . 2008-09-27 09:48 46,080 --a------ C:\WINDOWS\system32\nnnoLEWo.dll
2008-09-27 09:17 . 2008-09-27 09:17 155,648 --a------ C:\WINDOWS\system32\gcfkfrvj.dll
2008-09-27 09:14 . 2008-09-27 09:14 112,640 --a------ C:\WINDOWS\system32\tehogmas.dll
2008-09-27 09:14 . 2008-09-27 09:14 112,640 --a------ C:\WINDOWS\system32\rcuiue.dll
2008-09-27 09:11 . 2008-09-27 09:11 107,008 --a------ C:\WINDOWS\system32\tmgaebio.dll
2008-09-27 09:11 . 2008-09-27 12:07 919 --ahs---- C:\WINDOWS\system32\xIiijmSs.ini2
2008-09-27 09:11 . 2008-09-27 12:07 919 --ahs---- C:\WINDOWS\system32\xIiijmSs.ini
2008-09-27 09:10 . 2008-09-27 09:10 253,440 --a------ C:\WINDOWS\system32\sSmjiiIx.dll
2008-09-27 09:10 . 2008-09-27 09:10 46,080 --a------ C:\WINDOWS\system32\iiFUmMfd.dll
2008-09-27 09:10 . 2008-09-27 09:10 46,080 --a------ C:\WINDOWS\system32\hggeBsPj.dll
2008-09-26 23:10 . 2008-09-26 23:10 112,640 --a------ C:\WINDOWS\system32\jahxmi.dll
2008-09-26 23:10 . 2008-09-26 23:10 112,640 --a------ C:\WINDOWS\system32\hpepyvtt.dll
2008-09-26 23:07 . 2008-09-27 09:01 875,539 --ahs---- C:\WINDOWS\system32\ddLUvyay.ini
2008-09-26 23:07 . 2008-09-27 08:59 875,488 --ahs---- C:\WINDOWS\system32\ddLUvyay.ini2
2008-09-26 18:02 . 2008-09-26 18:02 113,152 --a------ C:\WINDOWS\system32\swlhpwhw.dll
2008-09-26 18:02 . 2008-09-26 18:02 113,152 --a------ C:\WINDOWS\system32\iacgms.dll
2008-09-26 17:59 . 2008-09-26 17:59 988,183 --ahs---- C:\WINDOWS\system32\ytmwjacr.ini
2008-09-26 17:59 . 2008-09-26 17:59 77,312 --a------ C:\WINDOWS\system32\rcajwmty.dll
2008-09-26 17:58 . 2008-09-27 10:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-26 17:47 . 2008-09-26 18:41 876,450 --ahs---- C:\WINDOWS\system32\XIOVxyxx.ini2
2008-09-26 17:47 . 2008-09-26 18:47 876,103 --ahs---- C:\WINDOWS\system32\XIOVxyxx.ini
2008-09-26 10:28 . 2008-09-27 08:57 427 --a------ C:\WINDOWS\wininit.ini
2008-09-26 09:59 . 2008-09-26 09:59 113,152 --a------ C:\WINDOWS\system32\pahqhe.dll
2008-09-26 09:59 . 2008-09-26 09:59 113,152 --a------ C:\WINDOWS\system32\nghlvivg.dll
2008-09-26 09:56 . 2008-09-26 09:56 985,753 --ahs---- C:\WINDOWS\system32\srqginiw.ini
2008-09-26 09:56 . 2008-09-26 09:56 77,312 --a------ C:\WINDOWS\system32\winigqrs.dll
2008-09-26 07:19 . 2008-09-26 07:19 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-25 17:42 . 2008-09-26 09:50 951,033 --ahs---- C:\WINDOWS\system32\iiqnshct.ini
2008-09-25 17:42 . 2008-09-25 17:42 88,576 --a------ C:\WINDOWS\system32\tchsnqii.dll
2008-09-25 17:39 . 2008-09-25 17:39 112,128 --a------ C:\WINDOWS\system32\hohqil.dll
2008-09-25 17:39 . 2008-09-25 17:39 112,128 --a------ C:\WINDOWS\system32\gsybahph.dll
2008-09-25 17:39 . 2008-09-25 17:39 98,816 --a------ C:\WINDOWS\system32\blqsdmbn.dll
2008-09-25 16:26 . 2008-09-25 17:37 950,724 --ahs---- C:\WINDOWS\system32\xtcbmxkr.ini
2008-09-25 16:26 . 2008-09-25 16:26 112,128 --a------ C:\WINDOWS\system32\ujyjlj.dll
2008-09-25 16:26 . 2008-09-25 16:26 112,128 --a------ C:\WINDOWS\system32\rgkjuxjs.dll
2008-09-25 16:26 . 2008-09-25 16:26 98,816 --a------ C:\WINDOWS\system32\njslkici.dll
2008-09-25 15:50 . 2008-09-25 15:50 112,128 --a------ C:\WINDOWS\system32\nnicsm.dll
2008-09-25 15:49 . 2008-09-25 15:50 112,128 --a------ C:\WINDOWS\system32\xcbwtqed.dll
2008-09-25 15:47 . 2008-09-25 16:23 950,544 --ahs---- C:\WINDOWS\system32\swgatpcp.ini
2008-09-25 15:44 . 2008-09-25 15:44 98,816 --a------ C:\WINDOWS\system32\xjbmwcgl.dll
2008-09-25 15:21 . 2008-09-25 15:41 950,424 --ahs---- C:\WINDOWS\system32\hyuxwaak.ini
2008-09-25 15:21 . 2008-09-25 15:21 112,128 --a------ C:\WINDOWS\system32\hfbpzu.dll
2008-09-25 15:21 . 2008-09-25 15:21 112,128 --a------ C:\WINDOWS\system32\eqlrtjwc.dll
2008-09-25 15:18 . 2008-09-25 15:18 98,816 --a------ C:\WINDOWS\system32\mdygoxfe.dll
2008-09-25 14:55 . 2008-09-25 15:15 950,304 --ahs---- C:\WINDOWS\system32\qpityipw.ini
2008-09-25 14:52 . 2008-09-25 14:52 112,128 --a------ C:\WINDOWS\system32\ffmlux.dll
2008-09-25 14:52 . 2008-09-25 14:52 112,128 --a------ C:\WINDOWS\system32\dowdrmdm.dll
2008-09-25 14:49 . 2008-09-25 14:49 98,816 --a------ C:\WINDOWS\system32\frjdpkfp.dll
2008-09-25 14:37 . 2008-09-25 14:48 950,184 --ahs---- C:\WINDOWS\system32\scckgugp.ini
2008-09-25 14:34 . 2008-09-25 14:34 112,128 --a------ C:\WINDOWS\system32\vhypgmdj.dll
2008-09-25 14:34 . 2008-09-25 14:34 112,128 --a------ C:\WINDOWS\system32\kugnlc.dll
2008-09-25 14:31 . 2008-09-25 14:31 98,816 --a------ C:\WINDOWS\system32\jflphxuo.dll
2008-09-25 14:08 . 2008-09-25 14:29 950,064 --ahs---- C:\WINDOWS\system32\niesnuco.ini
2008-09-25 14:05 . 2008-09-25 14:05 112,128 --a------ C:\WINDOWS\system32\leulfi.dll
2008-09-25 14:05 . 2008-09-25 14:05 112,128 --a------ C:\WINDOWS\system32\htyoltvx.dll
2008-09-25 14:02 . 2008-09-25 14:02 98,816 --a------ C:\WINDOWS\system32\oikednnm.dll
2008-09-25 14:00 . 2008-09-25 14:00 112,128 --a------ C:\WINDOWS\system32\xacykm.dll
2008-09-25 14:00 . 2008-09-25 14:00 112,128 --a------ C:\WINDOWS\system32\dldjdgpb.dll
2008-09-25 13:58 . 2008-09-25 14:05 949,944 --ahs---- C:\WINDOWS\system32\xtvdjaij.ini
2008-09-25 13:58 . 2008-09-25 13:58 98,816 --a------ C:\WINDOWS\system32\sxksoonm.dll
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-25 13:25 . 2008-09-25 13:25 98,816 --a------ C:\WINDOWS\system32\mcuiivho.dll
2008-09-25 13:23 . 2008-09-25 13:23 112,128 --a------ C:\WINDOWS\system32\yvwepumr.dll
2008-09-25 13:23 . 2008-09-25 13:23 112,128 --a------ C:\WINDOWS\system32\qkiizc.dll
2008-09-25 13:21 . 2008-09-25 13:56 949,652 --ahs---- C:\WINDOWS\system32\bskxlmrh.ini
2008-09-25 13:21 . 2008-09-25 13:21 98,816 --a------ C:\WINDOWS\system32\mdldtxkb.dll
2008-09-25 13:03 . 2008-09-25 13:03 112,128 --a------ C:\WINDOWS\system32\vfexxy.dll
2008-09-25 13:03 . 2008-09-25 13:03 112,128 --a------ C:\WINDOWS\system32\btedxycx.dll
2008-09-25 13:00 . 2008-09-25 13:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-25 13:00 . 2008-09-25 13:19 949,352 --ahs---- C:\WINDOWS\system32\fiqhlfgs.ini
2008-09-25 12:58 . 2008-09-25 12:58 98,816 --a------ C:\WINDOWS\system32\kyikvrpi.dll
2008-09-25 12:19 . 2008-09-25 12:19 98,816 --a------ C:\WINDOWS\system32\jihrwqmq.dll
2008-09-25 11:42 . 2008-09-25 12:57 949,232 --ahs---- C:\WINDOWS\system32\omcyibwl.ini
2008-09-25 11:42 . 2008-09-25 11:42 112,128 --a------ C:\WINDOWS\system32\phmkln.dll
2008-09-25 11:42 . 2008-09-25 11:42 112,128 --a------ C:\WINDOWS\system32\kxkgphkq.dll
2008-09-25 11:41 . 2008-09-25 11:41 98,816 --a------ C:\WINDOWS\system32\jdsyhtrr.dll
2008-09-24 22:18 . 2008-09-24 22:18 116,224 --a------ C:\WINDOWS\system32\ntcxws.dll
2008-09-24 22:18 . 2008-09-24 22:18 116,224 --a------ C:\WINDOWS\system32\gogtflpg.dll
2008-09-24 22:15 . 2008-09-25 11:36 939,533 --ahs---- C:\WINDOWS\system32\ydpoidih.ini
2008-09-24 22:12 . 2008-09-24 22:12 97,280 --a------ C:\WINDOWS\system32\vsalhfng.dll
2008-09-24 21:18 . 2008-09-24 22:09 939,353 --ahs---- C:\WINDOWS\system32\gndewlnl.ini
2008-09-24 21:15 . 2008-09-24 21:15 116,224 --a------ C:\WINDOWS\system32\vobkrdoi.dll
2008-09-24 21:15 . 2008-09-24 21:15 116,224 --a------ C:\WINDOWS\system32\nmemoh.dll
2008-09-24 21:12 . 2008-09-24 21:12 97,280 --a------ C:\WINDOWS\system32\epttasrt.dll
2008-09-24 18:51 . 2008-09-24 21:09 939,233 --ahs---- C:\WINDOWS\system32\icpwhfeh.ini
2008-09-24 18:48 . 2008-09-24 18:48 116,224 --a------ C:\WINDOWS\system32\knvknwjd.dll
2008-09-24 18:48 . 2008-09-24 18:48 116,224 --a------ C:\WINDOWS\system32\akcskd.dll
2008-09-24 18:47 . 2008-09-24 18:47 97,280 --a------ C:\WINDOWS\system32\kesxfccs.dll
2008-09-24 17:13 . 2008-09-24 17:13 116,224 --a------ C:\WINDOWS\system32\mskqmb.dll
2008-09-24 17:13 . 2008-09-24 17:13 116,224 --a------ C:\WINDOWS\system32\hjrcmntv.dll
2008-09-24 17:10 . 2008-09-24 18:39 939,439 --ahs---- C:\WINDOWS\system32\wokfjqqd.ini
2008-09-24 17:08 . 2008-09-24 17:08 97,280 --a------ C:\WINDOWS\system32\pwhepwsr.dll
2008-09-24 17:06 . 2008-09-24 17:06 97,280 --a------ C:\WINDOWS\system32\bwfytjkn.dll
2008-09-24 08:16 . 2008-09-24 17:07 937,333 --ahs---- C:\WINDOWS\system32\tcgqauvy.ini
2008-09-24 08:14 . 2008-09-24 08:14 116,224 --a------ C:\WINDOWS\system32\vppgnbit.dll
2008-09-24 08:14 . 2008-09-24 08:14 116,224 --a------ C:\WINDOWS\system32\hijyqy.dll
2008-09-24 08:14 . 2008-09-24 08:14 97,280 --a------ C:\WINDOWS\system32\sdxhrljf.dll
2008-09-24 00:09 . 2008-09-24 00:09 116,224 --a------ C:\WINDOWS\system32\zewzrl.dll
2008-09-24 00:09 . 2008-09-24 00:09 116,224 --a------ C:\WINDOWS\system32\hejwhasx.dll
2008-09-24 00:03 . 2008-09-24 08:07 921,425 --ahs---- C:\WINDOWS\system32\aqkrohsi.ini
2008-09-24 00:02 . 2008-09-24 00:02 97,280 --a------ C:\WINDOWS\system32\mcsfqram.dll
2008-09-23 21:45 . 2008-09-23 23:55 921,305 --ahs---- C:\WINDOWS\system32\cfioldln.ini
2008-09-23 21:42 . 2008-09-23 21:42 111,616 --a------ C:\WINDOWS\system32\qlnbcmqq.dll
2008-09-23 21:42 . 2008-09-23 21:42 111,616 --a------ C:\WINDOWS\system32\onlbgw.dll
2008-09-23 21:41 . 2008-09-23 21:41 97,280 --a------ C:\WINDOWS\system32\eysijgoc.dll
2008-09-23 21:27 . 2008-09-23 21:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-23 21:26 . 2008-09-23 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-23 21:21 . 2008-09-23 21:21 <DIR> dr-hs---- C:\_Backup.RC
2008-09-23 21:21 . 2008-09-24 00:20 <DIR> d--h----- C:\_Backup
2008-09-23 21:19 . 2008-09-23 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Avanquest
2008-09-23 21:14 . 2008-09-23 21:14 <DIR> d-------- C:\Program Files\Avanquest
2008-09-23 21:10 . 2008-09-23 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 20:45 . 2008-09-23 21:31 921,125 --ahs---- C:\WINDOWS\system32\lcisicjc.ini
2008-09-23 20:45 . 2008-09-23 20:44 111,616 --a------ C:\WINDOWS\system32\hxwaap.dll
2008-09-23 20:44 . 2008-09-23 20:44 111,616 --a------ C:\WINDOWS\system32\nrvprgka.dll
2008-09-23 20:41 . 2008-09-23 20:41 97,280 --a------ C:\WINDOWS\system32\qtpfopgn.dll
2008-09-23 20:27 . 2008-09-23 20:27 97,280 --a------ C:\WINDOWS\system32\jbksnxhl.dll
2008-09-23 08:42 . 2008-09-23 08:42 97,280 --a------ C:\WINDOWS\system32\pbbwacnk.dll
2008-09-22 20:31 . 2008-09-22 20:31 113,152 --a------ C:\WINDOWS\system32\hucofkti.dll
2008-09-22 20:31 . 2008-09-22 20:31 113,152 --a------ C:\WINDOWS\system32\cdezcp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 18:38 --------- d-----w C:\Program Files\ewido anti-spyware 4.0
2008-09-27 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-27 01:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 22:30 --------- d-----w C:\Program Files\xxx.xxx
2008-09-25 19:47 --------- d-----w C:\Program Files\Opera
2008-09-24 02:55 --------- d-----w C:\Program Files\Symantec
2008-09-24 02:28 --------- d-----w C:\Program Files\Photo Manager
2008-09-24 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 00:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-08-24 16:43 --------- d-----w C:\Program Files\Sun
2008-08-24 16:42 --------- d-----w C:\Program Files\Java
2008-08-22 18:00 29,600 ----a-w C:\windows\system32\mxntdfg.exe
2008-08-06 00:55 265,720 ----a-w C:\windows\system32\msdbg2.dll
2008-07-19 05:10 94,920 ----a-w C:\windows\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\windows\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\windows\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\windows\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\windows\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\windows\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\windows\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\windows\system32\wuaueng.dll
2008-07-09 00:10 129,784 ----a-w C:\windows\system32\pxafs.dll
2008-07-09 00:09 118,520 ----a-w C:\windows\system32\pxinsi64.exe
2008-07-09 00:09 116,472 ----a-w C:\windows\system32\pxcpyi64.exe
2008-07-07 20:32 253,952 ----a-w C:\windows\system32\es.dll
2008-03-26 15:20 228,336 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 01:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-12-18 18:20 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 63,712 2007-03-09 15:09:58 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe

----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 10:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 1,450,096 2004-09-13 16:51:06 C:\Program Files\Ahead\InCD\bak\InCD.exe

----a-w 1,945,600 2004-11-30 17:36:56 C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe

----a-w 196,608 2004-05-12 20:04:54 C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\bak\mssysmgr.exe

----a-w 50,688 2003-06-07 10:32:32 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 180,269 2006-08-19 17:20:33 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 32,768 2003-11-01 02:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 135,168 2004-03-11 22:18:54 C:\Program Files\Digital Media Reader\bak\shwiconem.exe

----a-w 49,152 2005-02-17 03:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2004-05-12 19:18:56 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 324 2007-10-30 19:32:45 C:\Program Files\HP\hpcoretech\bak\data\EvntData-1047924175.xml

----a-w 278,528 2006-06-14 20:24:14 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 83,608 2007-03-14 07:43:44 C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe

----a-w 118,784 2004-01-26 14:46:48 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 49,152 2004-02-03 19:13:18 C:\Program Files\Pinnacle\PPE\bak\PPE.EXE

----a-w 192,512 2004-04-23 16:00:36 C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe

----a-w 99,480 2004-06-30 17:49:30 C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe

----a-w 282,624 2006-07-31 00:48:00 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 3,756,102 2007-05-04 20:52:43 C:\Program Files\Zinio\bak\ZinioReader.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

-c--a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

-c--a-w 406,016 2004-03-10 21:26:10 C:\WINDOWS\system32\bak\PSDrvCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F51FCC-F7C6-465A-8269-C76504C291F1}]
2008-09-27 09:17 155648 --a------ C:\windows\system32\gcfkfrvj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A66A3C7-3E78-43E6-95F7-DE6A8BF9AC3D}]
2008-09-27 09:10 253440 --a------ C:\windows\system32\sSmjiiIx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E538488B-36AB-42FF-8498-271810C9C599}]
2008-09-22 14:10 43008 --a------ C:\windows\system32\ssqNHwTm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" [X]
"AOLAspSunset"="C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe" [N/A]
"HostManager"="C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe" [2006-09-25 50736]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"LVCOMSX"="C:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"BM57247bb3"="C:\windows\system32\tmgaebio.dll" [2008-09-27 107008]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services6"="dllhosts.exe" [2008-09-21 C:\WINDOWS\system32\dllhosts.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E538488B-36AB-42FF-8498-271810C9C599}"= "C:\windows\system32\ssqNHwTm.dll" [2008-09-22 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNHwTm]
2008-09-22 14:10 43008 C:\WINDOWS\system32\ssqNHwTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\windows\system32\DRIVERS\lstone2k.sys [2002-12-10 11:20]
R3 I97DRIVER;I97DRIVER;C:\PROGRA~1\AVANQU~1\Fix-It\dgs.sys [2007-08-31 11:18]
S1 MemAlloc;MemAlloc;C:\windows\system32\DRIVERS\memalloc.sys [2002-08-26 04:51]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17147075-1ead-11d9-bea6-806d6172696f}]
\Shell\AutoRun\command - F:\cdplayer.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{01E96A3D-6B63-49DF-BBBF-EEB3F84E1CBa} - (no file)
BHO-{216E95D7-B7A3-4D60-8883-07A37E2EE1C2} - (no file)
BHO-{634F0B47-2F41-4429-BE86-83321CE674E6} - C:\windows\system32\vtUlJyAT.dll
BHO-{80D48F93-A5A9-4A99-B180-0DD7A1A5F199} - (no file)
BHO-{9548C5B1-FBCA-49CF-816B-53A7765859EC} - (no file)
BHO-{C04826B7-53BE-4EBA-8ED5-55593DC28E67} - C:\windows\system32\yayvULdd.dll
BHO-{CF867B3F-CF9B-4CF8-81AE-295FA59C02B3} - C:\windows\system32\xxyxVOIX.dll
WebBrowser-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

O16 -: {A7EA8AD2-287F-11D3-B120-006008C39542}
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 12:22:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\windows\BM57247bb3.txt 74 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\system32\winlogon.exe
-> C:\windows\system32\ssqNHwTm.dll

PROCESS: C:\windows\explorer.exe
-> C:\windows\system32\tmgaebio.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-27 12:36:04 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-27 19:35:45

Pre-Run: 117,595,660,288 bytes free
Post-Run: 117,498,556,416 bytes free

312 --- E O F --- 2008-09-10 10:01:09

lizardlize
2008-09-28, 04:06
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:50 PM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\windows\system32\Rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\system32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\wuauclt.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {00F51FCC-F7C6-465A-8269-C76504C291F1} - C:\windows\system32\gcfkfrvj.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {9A66A3C7-3E78-43E6-95F7-DE6A8BF9AC3D} - C:\windows\system32\sSmjiiIx.dll
O2 - BHO: (no name) - {E538488B-36AB-42FF-8498-271810C9C599} - C:\windows\system32\ssqNHwTm.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOLAspSunset] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\tmgaebio.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O20 - Winlogon Notify: ssqNHwTm - C:\windows\SYSTEM32\ssqNHwTm.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8276 bytes

pskelley
2008-09-28, 13:00
Thanks for returning your information and the feedback. You have a very badly infected computer and this cleanup is going to be tough. Not only do you have many Vundo files that need to be removed manually, but you also have another bad file-infecting trojan called AWF (Downloader-AWF); read about it here:
http://vil.nai.com/vil/content/v_139503.htm
http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Agent.AWF&threatid=134083nextfirst
ComboFix will usually remove the infection, but if not there is a complex manual procedure. You do have the option to reformat the computer; let me know if you would prefer to do that.
I will post the next step in the cleanup process later in the morning.
I am suggesting the computer be kept offline at all times unless you are troubleshooting this issue, and that there be no computer activity that does not relate directly to the cleanup. This infection will continue to grow.
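As an added illustration of the two infections pskelley names (my own example, not code from the thread or from ComboFix): a small Python triage over ComboFix-style log lines that flags the Vundo pattern visible in the log above (randomly named system32 DLLs dropped alongside large hidden .ini companions) and pairs AWF's `bak\` copies with whatever now sits at the original path. The name-length, time-window and size thresholds are assumptions, and the sample input is lines copied from the log plus one constructed qttask.exe entry.

```python
"""Triage heuristics for the two ComboFix line shapes in the log above
(added example, not ComboFix's code; thresholds are assumptions)."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# new-files section: "<created> . <modified> <size|<DIR>> <attrs> <path>"
NEWFILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} "
                        r"\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")
# AWF section: "<attrs> <size> <date> <time> <path>"
AWF_RE = re.compile(r"^(\S{7})\s+([\d,]+)\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(.+)$")
NewFile = namedtuple("NewFile", "created modified size attrs path")
AwfFile = namedtuple("AwfFile", "attrs size path")
SYSTEM32 = "c:\\windows\\system32\\"
STAMP = "%Y-%m-%d %H:%M"

def parse_newfiles(lines):
    """Parse new-files lines; headers, blanks and other noise are skipped."""
    files = []
    for m in filter(None, (NEWFILE_RE.match(ln.strip()) for ln in lines)):
        size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
        files.append(NewFile(datetime.strptime(m.group(1), STAMP),
                             datetime.strptime(m.group(2), STAMP),
                             size, m.group(4), m.group(5)))
    return files

def parse_awf(lines):
    return [AwfFile(m.group(1), int(m.group(2).replace(",", "")), m.group(3))
            for m in filter(None, (AWF_RE.match(ln.strip()) for ln in lines))]

def _system32_stem(path, ext):
    """File name without `ext` if `path` sits directly in system32, else None."""
    low = path.lower()
    if not (low.startswith(SYSTEM32) and low.endswith(ext)):
        return None
    stem = path[len(SYSTEM32):-len(ext)]
    return None if "\\" in stem else stem

def flag_vundo(files, window=timedelta(minutes=30), ini_min_size=500_000):
    """Return system32 DLL paths that look like Vundo drops: a 6-8 lowercase
    letter name, create and modify times that agree (freshly written), and a
    large hidden+system .ini created within `window`. A copied legitimate file
    keeps its old mtime, so ieencode.dll in the log (created 2008, modified
    2007) is not flagged even though its name fits the pattern."""
    inis = [f for f in files if _system32_stem(f.path, ".ini") is not None
            and "h" in f.attrs and "s" in f.attrs
            and f.size is not None and f.size >= ini_min_size]
    hits = []
    for f in files:
        stem = _system32_stem(f.path, ".dll")
        if stem is None or not re.fullmatch(r"[a-z]{6,8}", stem):
            continue
        if abs(f.created - f.modified) > timedelta(minutes=5):
            continue  # old mtime: a copied file, not a fresh drop
        if any(abs(f.created - ini.created) <= window for ini in inis):
            hits.append(f.path)
    return hits

def flag_awf(files):
    """Map each '\\bak\\' copy to (live path, status). The AWF writeups linked
    in the thread describe the trojan moving the real autorun EXE into a 'bak'
    subfolder and putting its loader at the original path, so a live file whose
    size differs from its bak copy is the loader; a match suggests the original
    is already back in place."""
    by_path = {f.path.lower(): f for f in files}
    report = {}
    for f in files:
        if "\\bak\\" not in f.path.lower():
            continue
        live = re.sub(r"\\bak\\", r"\\", f.path, flags=re.IGNORECASE)
        other = by_path.get(live.lower())
        if other is None:
            status = "live file not listed"
        else:
            status = "same size" if other.size == f.size else "size differs"
        report[f.path] = (live, status)
    return report

# Sample input: lines copied from the log above, plus one constructed line
# (a QuickTime qttask.exe of a different size) to show the mismatch case.
SAMPLE_NEWFILES = r"""
2008-09-25 14:37 . 2008-09-25 14:48 950,184 --ahs---- C:\WINDOWS\system32\scckgugp.ini
2008-09-25 14:34 . 2008-09-25 14:34 112,128 --a------ C:\WINDOWS\system32\vhypgmdj.dll
2008-09-25 14:34 . 2008-09-25 14:34 112,128 --a------ C:\WINDOWS\system32\kugnlc.dll
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a------ C:\WINDOWS\system32\ieencode.dll
2008-09-25 13:00 . 2008-09-25 13:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-23 20:45 . 2008-09-23 20:44 111,616 --a------ C:\WINDOWS\system32\hxwaap.dll
2008-09-23 20:45 . 2008-09-23 21:31 921,125 --ahs---- C:\WINDOWS\system32\lcisicjc.ini
""".strip().splitlines()
SAMPLE_AWF = r"""
----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 40,048 2007-05-11 10:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
----a-w 282,624 2006-07-31 00:48:00 C:\Program Files\QuickTime\bak\qttask.exe
-c--a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 99,328 2008-09-20 01:02:03 C:\Program Files\QuickTime\qttask.exe
""".strip().splitlines()

def triage(newfile_lines=SAMPLE_NEWFILES, awf_lines=SAMPLE_AWF):
    """Run both checks; returns (vundo_hits, awf_report)."""
    return flag_vundo(parse_newfiles(newfile_lines)), flag_awf(parse_awf(awf_lines))
```

`triage()` runs both checks over the embedded sample; to run them over a real ComboFix log, feed its saved lines to `parse_newfiles` and `parse_awf` instead.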

pskelley
2008-09-28, 14:05
I have posted instructions for TeaTimer to be disabled:
In this HJT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:05:50 PM, on 9/27/2008
it is still running:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

When you have followed the directions post a new HJT log.

lizardlize
2008-09-28, 18:41
Hello again, I went to disable TeaTimer and when I uncheck it there are no prompts for anything; does this sound right?

lizardlize
2008-09-28, 18:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:13 AM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\Rundll32.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOLAspSunset] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\wfmfoavm.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7179 bytes

lizardlize
2008-09-28, 19:07
Looks like I disabled it. I would like to fix it if possible, unless you feel it is pointless.

pskelley
2008-09-28, 19:21
http://forums.spybot.info/showthread.php?t=282 <<< see this

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
LimeWire <<< uninstall all p2p programs on the computer

This is a lot for the ComboFix "CFScript" to remove at once and it may take a while. It is very important that you read and do what you are told. There will be a lot of information in the codebox; you must make sure you copy/paste it all into the notepad for CFScript. Please read the directions a couple of times before starting to be sure you understand. It has to be done as it is posted to work.

Open notepad and copy/paste the text in the codebox below into it:


AWF::
C:\Program Files\Pinnacle\PPE\bak\PPE.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Zinio\bak\ZinioReader.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\NeroCheck.exe
C:\WINDOWS\system32\bak\PSDrvCheck.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Ahead\InCD\bak\InCD.exe
C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe
C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe
C:\Program Files\Digital Media Reader\bak\shwiconem.exe
C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\bak\mssysmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe
C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\bak\data\EvntData-1047924175.xml
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\bak\USBTip.exe
C:\Program Files\Pure Networks\Port Magic\bak\PortAOL.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe

File::
C:\windows\BM57247bb3.txt
C:\WINDOWS\system32\rqRIxuTM.dll
C:\WINDOWS\system32\rqRhIBSk.dll
C:\WINDOWS\system32\nnnkJAsP.dll
C:\WINDOWS\system32\khfDTNEt.dll
C:\WINDOWS\system32\nnnoPgHA.dll
C:\WINDOWS\system32\nnnoLEWo.dll
C:\WINDOWS\system32\gcfkfrvj.dll
C:\WINDOWS\system32\tehogmas.dll
C:\WINDOWS\system32\rcuiue.dll
C:\WINDOWS\system32\tmgaebio.dll
C:\WINDOWS\system32\xIiijmSs.ini2
C:\WINDOWS\system32\xIiijmSs.ini
C:\WINDOWS\system32\sSmjiiIx.dll
C:\WINDOWS\system32\iiFUmMfd.dll
C:\WINDOWS\system32\hggeBsPj.dll
C:\WINDOWS\system32\jahxmi.dll
C:\WINDOWS\system32\hpepyvtt.dll
C:\WINDOWS\system32\ddLUvyay.ini
C:\WINDOWS\system32\ddLUvyay.ini2
C:\WINDOWS\system32\swlhpwhw.dll
C:\WINDOWS\system32\iacgms.dll
C:\WINDOWS\system32\ytmwjacr.ini
C:\WINDOWS\system32\rcajwmty.dll
C:\WINDOWS\system32\XIOVxyxx.ini2
C:\WINDOWS\system32\XIOVxyxx.ini
C:\WINDOWS\system32\pahqhe.dll
C:\WINDOWS\system32\nghlvivg.dll
C:\WINDOWS\system32\srqginiw.ini
C:\WINDOWS\system32\winigqrs.dll
C:\WINDOWS\system32\iiqnshct.ini
C:\WINDOWS\system32\tchsnqii.dll
C:\WINDOWS\system32\hohqil.dll
C:\WINDOWS\system32\gsybahph.dll
C:\WINDOWS\system32\blqsdmbn.dll
C:\WINDOWS\system32\xtcbmxkr.ini
C:\WINDOWS\system32\ujyjlj.dll
C:\WINDOWS\system32\rgkjuxjs.dll
C:\WINDOWS\system32\njslkici.dll
C:\WINDOWS\system32\nnicsm.dll
C:\WINDOWS\system32\xcbwtqed.dll
C:\WINDOWS\system32\swgatpcp.ini
C:\WINDOWS\system32\xjbmwcgl.dll
C:\WINDOWS\system32\hyuxwaak.ini
C:\WINDOWS\system32\hfbpzu.dll
C:\WINDOWS\system32\eqlrtjwc.dll
C:\WINDOWS\system32\mdygoxfe.dll
C:\WINDOWS\system32\qpityipw.ini
C:\WINDOWS\system32\ffmlux.dll
C:\WINDOWS\system32\dowdrmdm.dll
C:\WINDOWS\system32\frjdpkfp.dll
C:\WINDOWS\system32\scckgugp.ini
C:\WINDOWS\system32\vhypgmdj.dll
C:\WINDOWS\system32\kugnlc.dll
C:\WINDOWS\system32\jflphxuo.dll
C:\WINDOWS\system32\niesnuco.ini
C:\WINDOWS\system32\leulfi.dll
C:\WINDOWS\system32\htyoltvx.dll
C:\WINDOWS\system32\oikednnm.dll
C:\WINDOWS\system32\xacykm.dll
C:\WINDOWS\system32\dldjdgpb.dll
C:\WINDOWS\system32\xtvdjaij.ini
C:\WINDOWS\system32\sxksoonm.dll
C:\WINDOWS\system32\ieencode.dll
C:\WINDOWS\system32\mcuiivho.dll
C:\WINDOWS\system32\yvwepumr.dll
C:\WINDOWS\system32\qkiizc.dll
C:\WINDOWS\system32\bskxlmrh.ini
C:\WINDOWS\system32\mdldtxkb.dll
C:\WINDOWS\system32\vfexxy.dll
C:\WINDOWS\system32\btedxycx.dll
C:\WINDOWS\system32\fiqhlfgs.ini
C:\WINDOWS\system32\kyikvrpi.dll
C:\WINDOWS\system32\jihrwqmq.dll
C:\WINDOWS\system32\omcyibwl.ini
C:\WINDOWS\system32\phmkln.dll
C:\WINDOWS\system32\kxkgphkq.dll
C:\WINDOWS\system32\jdsyhtrr.dll
C:\WINDOWS\system32\ntcxws.dll
C:\WINDOWS\system32\gogtflpg.dll
C:\WINDOWS\system32\ydpoidih.ini
C:\WINDOWS\system32\vsalhfng.dll
C:\WINDOWS\system32\gndewlnl.ini
C:\WINDOWS\system32\vobkrdoi.dll
C:\WINDOWS\system32\nmemoh.dll
C:\WINDOWS\system32\epttasrt.dll
C:\WINDOWS\system32\icpwhfeh.ini
C:\WINDOWS\system32\knvknwjd.dll
C:\WINDOWS\system32\akcskd.dll
C:\WINDOWS\system32\kesxfccs.dll
C:\WINDOWS\system32\mskqmb.dll
C:\WINDOWS\system32\hjrcmntv.dll
C:\WINDOWS\system32\wokfjqqd.ini
C:\WINDOWS\system32\pwhepwsr.dll
C:\WINDOWS\system32\bwfytjkn.dll
C:\WINDOWS\system32\tcgqauvy.ini
C:\WINDOWS\system32\vppgnbit.dll
C:\WINDOWS\system32\hijyqy.dll
C:\WINDOWS\system32\sdxhrljf.dll
C:\WINDOWS\system32\zewzrl.dll
C:\WINDOWS\system32\hejwhasx.dll
C:\WINDOWS\system32\aqkrohsi.ini
C:\WINDOWS\system32\mcsfqram.dll
C:\WINDOWS\system32\cfioldln.ini
C:\WINDOWS\system32\qlnbcmqq.dll
C:\WINDOWS\system32\onlbgw.dll
C:\WINDOWS\system32\eysijgoc.dll
C:\WINDOWS\system32\lcisicjc.ini
C:\WINDOWS\system32\hxwaap.dll
C:\WINDOWS\system32\nrvprgka.dll
C:\WINDOWS\system32\qtpfopgn.dll
C:\WINDOWS\system32\jbksnxhl.dll
C:\WINDOWS\system32\pbbwacnk.dll
C:\WINDOWS\system32\hucofkti.dll
C:\WINDOWS\system32\cdezcp.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F51FCC-F7C6-465A-8269-C76504C291F1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A66A3C7-3E78-43E6-95F7-DE6A8BF9AC3D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E538488B-36AB-42FF-8498-271810C9C599}]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E538488B-36AB-42FF-8498-271810C9C599}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNHwTm]

Folder::
C:\Program Files\ewido anti-spyware 4.0

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

lizardlize
2008-09-28, 19:49
Hello, I ran ComboFix and at the end it said it was rebooting. Then a blue screen came up and said "if this is the first time seeing this, restart; if not, do the following steps". I waited and it stayed on that screen, so I hit the power button and restarted. ComboFix did not produce a log?

lizardlize
2008-09-28, 20:21
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20, on 2008-09-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\BigFix\BigFix.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system32\rundll32.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AOLAspSunset] C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\euvcndwv.dll",s
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\windows\system32\lubrmqjd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7396 bytes

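The log above carries the entries a helper keys on for this family: two O4 Run entries that launch rundll32 with a random-named DLL out of system32, an autostart under Policies\Explorer\Run, a toolbar CLSID with "(no name)" and "(no file)", and a service whose binary is "(file missing)". The Python script below is an added example, not code from this thread or from the Spybot forum: it runs those checks over constructed sample lines modelled on the posted log (the NvCpl and O20 Winlogon Notify lines are constructed for contrast and are not from the log). The random-name heuristic (letters only, 6 to 8 characters, vowel-poor, with a run of four or more consonants) is an assumption of the example, not a rule the helper states.

```python
import re

# Added example for triaging a HijackThis 2.0.2 log; not code from the thread.
# Each "Oxx - ..." line is one autostart or hook entry; only the section tag
# and the rest of the line are needed.
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d{1,2}) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s,]+\.dll', re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): Virtumonde drops DLLs with
    meaningless 6-8 letter names such as euvcndwv or ssqNHwTm. Flag letters-only
    stems of that length that are vowel-poor and contain a run of four or more
    consonants. Real Windows names such as shdocvw or NvCpl pass."""
    s = stem.lower()
    if not s.isalpha() or not 6 <= len(s) <= 8:
        return False
    vowel_frac = sum(c in VOWELS for c in s) / len(s)
    longest_run = max(len(part) for part in re.split(r"[aeiou]", s))
    return vowel_frac < 0.3 and longest_run >= 4


def _stem(path: str) -> str:
    """Strip directory and extension: C:\\windows\\system32\\euvcndwv.dll -> euvcndwv."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_line(line: str):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O4":
        # Policy-based autostart; legitimate installers almost never use it.
        if "\\Policies\\Explorer\\Run:" in body:
            return ("high", "autostart via Policies\\Explorer\\Run")
        r = RUNDLL_RE.search(body)
        if r:
            dll = r.group("dll")
            stem = _stem(dll)
            if "system32" in dll.lower() and looks_random(stem):
                return ("high", f"rundll32 loads random-named {stem}.dll from system32")
            return ("review", "rundll32 autostart; confirm the DLL belongs to a known product")

    if section in ("O2", "O3") and "(no name)" in body and "(no file)" in body:
        return ("review", "orphaned BHO/toolbar CLSID with no name and no file")

    if section == "O20" and "Winlogon Notify" in body:
        d = DLL_PATH_RE.search(body)
        stem = _stem(d.group(0)) if d else ""
        if looks_random(stem):
            return ("high", f"Winlogon Notify hook loads random-named {stem}.dll")
        return ("review", "third-party Winlogon Notify hook")

    if section == "O23" and "(file missing)" in body:
        return ("low", "service registered for a binary that is no longer present")

    return None


def triage_log(text: str):
    """Run triage_line over every line; return a list of (severity, reason, line)."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


def count_by_severity(findings):
    counts = {"high": 0, "review": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample modelled on the posted log; the NvCpl and O20 lines are
# invented for contrast and do not appear in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM57247bb3] Rundll32.exe "C:\windows\system32\euvcndwv.dll",s
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\windows\system32\lubrmqjd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NT Printing Services6] dllhosts.exe
O20 - Winlogon Notify: ssqNHwTm - C:\WINDOWS\SYSTEM32\ssqNHwTm.dll
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
"""

if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:6}] {reason}\n         {line}")
    print(count_by_severity(results))
```

On the sample, the two rundll32 entries, the Policies\Explorer\Run entry and the Winlogon Notify hook come back "high", the orphaned toolbar and the NvCpl rundll32 line "review", and the missing McAfee service "low"; ctfmon and the R0 start page produce nothing. The name heuristic is deliberately narrow so that a benign rundll32 autostart is still surfaced for review rather than silently passed.
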
lizardlize
2008-09-28, 20:23
I found it at c:\combofix.txt


ComboFix 08-09-26.06 - Owner 2008-09-28 9:31:12.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\windows\BM57247bb3.txt
C:\WINDOWS\system32\akcskd.dll
C:\WINDOWS\system32\aqkrohsi.ini
C:\WINDOWS\system32\blqsdmbn.dll
C:\WINDOWS\system32\bskxlmrh.ini
C:\WINDOWS\system32\btedxycx.dll
C:\WINDOWS\system32\bwfytjkn.dll
C:\WINDOWS\system32\cdezcp.dll
C:\WINDOWS\system32\cfioldln.ini
C:\WINDOWS\system32\ddLUvyay.ini
C:\WINDOWS\system32\ddLUvyay.ini2
C:\WINDOWS\system32\dldjdgpb.dll
C:\WINDOWS\system32\dowdrmdm.dll
C:\WINDOWS\system32\epttasrt.dll
C:\WINDOWS\system32\eqlrtjwc.dll
C:\WINDOWS\system32\eysijgoc.dll
C:\WINDOWS\system32\ffmlux.dll
C:\WINDOWS\system32\fiqhlfgs.ini
C:\WINDOWS\system32\frjdpkfp.dll
C:\WINDOWS\system32\gcfkfrvj.dll
C:\WINDOWS\system32\gndewlnl.ini
C:\WINDOWS\system32\gogtflpg.dll
C:\WINDOWS\system32\gsybahph.dll
C:\WINDOWS\system32\hejwhasx.dll
C:\WINDOWS\system32\hfbpzu.dll
C:\WINDOWS\system32\hggeBsPj.dll
C:\WINDOWS\system32\hijyqy.dll
C:\WINDOWS\system32\hjrcmntv.dll
C:\WINDOWS\system32\hohqil.dll
C:\WINDOWS\system32\hpepyvtt.dll
C:\WINDOWS\system32\htyoltvx.dll
C:\WINDOWS\system32\hucofkti.dll
C:\WINDOWS\system32\hxwaap.dll
C:\WINDOWS\system32\hyuxwaak.ini
C:\WINDOWS\system32\iacgms.dll
C:\WINDOWS\system32\icpwhfeh.ini
C:\WINDOWS\system32\ieencode.dll
C:\WINDOWS\system32\iiFUmMfd.dll
C:\WINDOWS\system32\iiqnshct.ini
C:\WINDOWS\system32\jahxmi.dll
C:\WINDOWS\system32\jbksnxhl.dll
C:\WINDOWS\system32\jdsyhtrr.dll
C:\WINDOWS\system32\jflphxuo.dll
C:\WINDOWS\system32\jihrwqmq.dll
C:\WINDOWS\system32\kesxfccs.dll
C:\WINDOWS\system32\khfDTNEt.dll
C:\WINDOWS\system32\knvknwjd.dll
C:\WINDOWS\system32\kugnlc.dll
C:\WINDOWS\system32\kxkgphkq.dll
C:\WINDOWS\system32\kyikvrpi.dll
C:\WINDOWS\system32\lcisicjc.ini
C:\WINDOWS\system32\leulfi.dll
C:\WINDOWS\system32\mcsfqram.dll
C:\WINDOWS\system32\mcuiivho.dll
C:\WINDOWS\system32\mdldtxkb.dll
C:\WINDOWS\system32\mdygoxfe.dll
C:\WINDOWS\system32\mskqmb.dll
C:\WINDOWS\system32\nghlvivg.dll
C:\WINDOWS\system32\niesnuco.ini
C:\WINDOWS\system32\njslkici.dll
C:\WINDOWS\system32\nmemoh.dll
C:\WINDOWS\system32\nnicsm.dll
C:\WINDOWS\system32\nnnkJAsP.dll
C:\WINDOWS\system32\nnnoLEWo.dll
C:\WINDOWS\system32\nnnoPgHA.dll
C:\WINDOWS\system32\nrvprgka.dll
C:\WINDOWS\system32\ntcxws.dll
C:\WINDOWS\system32\oikednnm.dll
C:\WINDOWS\system32\omcyibwl.ini
C:\WINDOWS\system32\onlbgw.dll
C:\WINDOWS\system32\pahqhe.dll
C:\WINDOWS\system32\pbbwacnk.dll
C:\WINDOWS\system32\phmkln.dll
C:\WINDOWS\system32\pwhepwsr.dll
C:\WINDOWS\system32\qkiizc.dll
C:\WINDOWS\system32\qlnbcmqq.dll
C:\WINDOWS\system32\qpityipw.ini
C:\WINDOWS\system32\qtpfopgn.dll
C:\WINDOWS\system32\rcajwmty.dll
C:\WINDOWS\system32\rcuiue.dll
C:\WINDOWS\system32\rgkjuxjs.dll
C:\WINDOWS\system32\rqRhIBSk.dll
C:\WINDOWS\system32\rqRIxuTM.dll
C:\WINDOWS\system32\scckgugp.ini
C:\WINDOWS\system32\sdxhrljf.dll
C:\WINDOWS\system32\srqginiw.ini
C:\WINDOWS\system32\sSmjiiIx.dll
C:\WINDOWS\system32\swgatpcp.ini
C:\WINDOWS\system32\swlhpwhw.dll
C:\WINDOWS\system32\sxksoonm.dll
C:\WINDOWS\system32\tcgqauvy.ini
C:\WINDOWS\system32\tchsnqii.dll
C:\WINDOWS\system32\tehogmas.dll
C:\WINDOWS\system32\tmgaebio.dll
C:\WINDOWS\system32\ujyjlj.dll
C:\WINDOWS\system32\vfexxy.dll
C:\WINDOWS\system32\vhypgmdj.dll
C:\WINDOWS\system32\vobkrdoi.dll
C:\WINDOWS\system32\vppgnbit.dll
C:\WINDOWS\system32\vsalhfng.dll
C:\WINDOWS\system32\winigqrs.dll
C:\WINDOWS\system32\wokfjqqd.ini
C:\WINDOWS\system32\xacykm.dll
C:\WINDOWS\system32\xcbwtqed.dll
C:\WINDOWS\system32\xIiijmSs.ini
C:\WINDOWS\system32\xIiijmSs.ini2
C:\WINDOWS\system32\XIOVxyxx.ini
C:\WINDOWS\system32\XIOVxyxx.ini2
C:\WINDOWS\system32\xjbmwcgl.dll
C:\WINDOWS\system32\xtcbmxkr.ini
C:\WINDOWS\system32\xtvdjaij.ini
C:\WINDOWS\system32\ydpoidih.ini
C:\WINDOWS\system32\ytmwjacr.ini
C:\WINDOWS\system32\yvwepumr.dll
C:\WINDOWS\system32\zewzrl.dll
.

pskelley
2008-09-28, 20:25
I need to see the complete report; that is only a small part of it.

lizardlize
2008-09-28, 20:30
That's all that is in the folder. Did it not complete? What should I do now? I can't find anything but what I sent.

pskelley
2008-09-28, 20:34
Try those instructions again or start looking here:
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

This computer is badly infected and has been allowed to operate in that state for a while.

lizardlize
2008-09-28, 21:08
It worked this time. Here are both logs.

ComboFix 08-09-26.06 - Owner 2008-09-28 10:46:21.3 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\windows\BM57247bb3.txt
C:\WINDOWS\system32\akcskd.dll
C:\WINDOWS\system32\aqkrohsi.ini
C:\WINDOWS\system32\blqsdmbn.dll
C:\WINDOWS\system32\bskxlmrh.ini
C:\WINDOWS\system32\btedxycx.dll
C:\WINDOWS\system32\bwfytjkn.dll
C:\WINDOWS\system32\cdezcp.dll
C:\WINDOWS\system32\cfioldln.ini
C:\WINDOWS\system32\ddLUvyay.ini
C:\WINDOWS\system32\ddLUvyay.ini2
C:\WINDOWS\system32\dldjdgpb.dll
C:\WINDOWS\system32\dowdrmdm.dll
C:\WINDOWS\system32\epttasrt.dll
C:\WINDOWS\system32\eqlrtjwc.dll
C:\WINDOWS\system32\eysijgoc.dll
C:\WINDOWS\system32\ffmlux.dll
C:\WINDOWS\system32\fiqhlfgs.ini
C:\WINDOWS\system32\frjdpkfp.dll
C:\WINDOWS\system32\gcfkfrvj.dll
C:\WINDOWS\system32\gndewlnl.ini
C:\WINDOWS\system32\gogtflpg.dll
C:\WINDOWS\system32\gsybahph.dll
C:\WINDOWS\system32\hejwhasx.dll
C:\WINDOWS\system32\hfbpzu.dll
C:\WINDOWS\system32\hggeBsPj.dll
C:\WINDOWS\system32\hijyqy.dll
C:\WINDOWS\system32\hjrcmntv.dll
C:\WINDOWS\system32\hohqil.dll
C:\WINDOWS\system32\hpepyvtt.dll
C:\WINDOWS\system32\htyoltvx.dll
C:\WINDOWS\system32\hucofkti.dll
C:\WINDOWS\system32\hxwaap.dll
C:\WINDOWS\system32\hyuxwaak.ini
C:\WINDOWS\system32\iacgms.dll
C:\WINDOWS\system32\icpwhfeh.ini
C:\WINDOWS\system32\ieencode.dll
C:\WINDOWS\system32\iiFUmMfd.dll
C:\WINDOWS\system32\iiqnshct.ini
C:\WINDOWS\system32\jahxmi.dll
C:\WINDOWS\system32\jbksnxhl.dll
C:\WINDOWS\system32\jdsyhtrr.dll
C:\WINDOWS\system32\jflphxuo.dll
C:\WINDOWS\system32\jihrwqmq.dll
C:\WINDOWS\system32\kesxfccs.dll
C:\WINDOWS\system32\khfDTNEt.dll
C:\WINDOWS\system32\knvknwjd.dll
C:\WINDOWS\system32\kugnlc.dll
C:\WINDOWS\system32\kxkgphkq.dll
C:\WINDOWS\system32\kyikvrpi.dll
C:\WINDOWS\system32\lcisicjc.ini
C:\WINDOWS\system32\leulfi.dll
C:\WINDOWS\system32\mcsfqram.dll
C:\WINDOWS\system32\mcuiivho.dll
C:\WINDOWS\system32\mdldtxkb.dll
C:\WINDOWS\system32\mdygoxfe.dll
C:\WINDOWS\system32\mskqmb.dll
C:\WINDOWS\system32\nghlvivg.dll
C:\WINDOWS\system32\niesnuco.ini
C:\WINDOWS\system32\njslkici.dll
C:\WINDOWS\system32\nmemoh.dll
C:\WINDOWS\system32\nnicsm.dll
C:\WINDOWS\system32\nnnkJAsP.dll
C:\WINDOWS\system32\nnnoLEWo.dll
C:\WINDOWS\system32\nnnoPgHA.dll
C:\WINDOWS\system32\nrvprgka.dll
C:\WINDOWS\system32\ntcxws.dll
C:\WINDOWS\system32\oikednnm.dll
C:\WINDOWS\system32\omcyibwl.ini
C:\WINDOWS\system32\onlbgw.dll
C:\WINDOWS\system32\pahqhe.dll
C:\WINDOWS\system32\pbbwacnk.dll
C:\WINDOWS\system32\phmkln.dll
C:\WINDOWS\system32\pwhepwsr.dll
C:\WINDOWS\system32\qkiizc.dll
C:\WINDOWS\system32\qlnbcmqq.dll
C:\WINDOWS\system32\qpityipw.ini
C:\WINDOWS\system32\qtpfopgn.dll
C:\WINDOWS\system32\rcajwmty.dll
C:\WINDOWS\system32\rcuiue.dll
C:\WINDOWS\system32\rgkjuxjs.dll
C:\WINDOWS\system32\rqRhIBSk.dll
C:\WINDOWS\system32\rqRIxuTM.dll
C:\WINDOWS\system32\scckgugp.ini
C:\WINDOWS\system32\sdxhrljf.dll
C:\WINDOWS\system32\srqginiw.ini
C:\WINDOWS\system32\sSmjiiIx.dll
C:\WINDOWS\system32\swgatpcp.ini
C:\WINDOWS\system32\swlhpwhw.dll
C:\WINDOWS\system32\sxksoonm.dll
C:\WINDOWS\system32\tcgqauvy.ini
C:\WINDOWS\system32\tchsnqii.dll
C:\WINDOWS\system32\tehogmas.dll
C:\WINDOWS\system32\tmgaebio.dll
C:\WINDOWS\system32\ujyjlj.dll
C:\WINDOWS\system32\vfexxy.dll
C:\WINDOWS\system32\vhypgmdj.dll
C:\WINDOWS\system32\vobkrdoi.dll
C:\WINDOWS\system32\vppgnbit.dll
C:\WINDOWS\system32\vsalhfng.dll
C:\WINDOWS\system32\winigqrs.dll
C:\WINDOWS\system32\wokfjqqd.ini
C:\WINDOWS\system32\xacykm.dll
C:\WINDOWS\system32\xcbwtqed.dll
C:\WINDOWS\system32\xIiijmSs.ini
C:\WINDOWS\system32\xIiijmSs.ini2
C:\WINDOWS\system32\XIOVxyxx.ini
C:\WINDOWS\system32\XIOVxyxx.ini2
C:\WINDOWS\system32\xjbmwcgl.dll
C:\WINDOWS\system32\xtcbmxkr.ini
C:\WINDOWS\system32\xtvdjaij.ini
C:\WINDOWS\system32\ydpoidih.ini
C:\WINDOWS\system32\ytmwjacr.ini
C:\WINDOWS\system32\yvwepumr.dll
C:\WINDOWS\system32\zewzrl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\BM57247bb3.txt
C:\windows\BM57247bb3.xml
C:\windows\pskt.ini
C:\WINDOWS\system32\ieencode.dll
.
---- Previous Run -------
.
C:\Program Files\ewido anti-spyware 4.0
C:\Program Files\ewido anti-spyware 4.0\updater.ewidolog
C:\windows\BM57247bb3.txt
C:\windows\pskt.ini
C:\WINDOWS\system32\akcskd.dll
C:\WINDOWS\system32\aqkrohsi.ini
C:\WINDOWS\system32\blqsdmbn.dll
C:\WINDOWS\system32\bskxlmrh.ini
C:\WINDOWS\system32\btedxycx.dll
C:\WINDOWS\system32\bwfytjkn.dll
C:\WINDOWS\system32\cdezcp.dll
C:\WINDOWS\system32\cfioldln.ini
C:\WINDOWS\system32\ddLUvyay.ini
C:\WINDOWS\system32\ddLUvyay.ini2
C:\WINDOWS\system32\dldjdgpb.dll
C:\WINDOWS\system32\dowdrmdm.dll
C:\WINDOWS\system32\epttasrt.dll
C:\WINDOWS\system32\eqlrtjwc.dll
C:\WINDOWS\system32\eysijgoc.dll
C:\WINDOWS\system32\ffmlux.dll
C:\WINDOWS\system32\fiqhlfgs.ini
C:\WINDOWS\system32\frjdpkfp.dll
C:\WINDOWS\system32\gcfkfrvj.dll
C:\WINDOWS\system32\gndewlnl.ini
C:\WINDOWS\system32\gogtflpg.dll
C:\WINDOWS\system32\gsybahph.dll
C:\WINDOWS\system32\hejwhasx.dll
C:\WINDOWS\system32\hfbpzu.dll
C:\WINDOWS\system32\hggeBsPj.dll
C:\WINDOWS\system32\hijyqy.dll
C:\WINDOWS\system32\hjrcmntv.dll
C:\WINDOWS\system32\hohqil.dll
C:\WINDOWS\system32\hpepyvtt.dll
C:\WINDOWS\system32\htyoltvx.dll
C:\WINDOWS\system32\hucofkti.dll
C:\WINDOWS\system32\hxwaap.dll
C:\WINDOWS\system32\hyuxwaak.ini
C:\WINDOWS\system32\iacgms.dll
C:\WINDOWS\system32\icpwhfeh.ini
C:\WINDOWS\system32\ieencode.dll
C:\WINDOWS\system32\iiFUmMfd.dll
C:\WINDOWS\system32\iiqnshct.ini
C:\WINDOWS\system32\jahxmi.dll
C:\WINDOWS\system32\jbksnxhl.dll
C:\WINDOWS\system32\jdsyhtrr.dll
C:\WINDOWS\system32\jflphxuo.dll
C:\WINDOWS\system32\jihrwqmq.dll
C:\WINDOWS\system32\kesxfccs.dll
C:\WINDOWS\system32\khfDTNEt.dll
C:\WINDOWS\system32\knvknwjd.dll
C:\WINDOWS\system32\kugnlc.dll
C:\WINDOWS\system32\kxkgphkq.dll
C:\WINDOWS\system32\kyikvrpi.dll
C:\WINDOWS\system32\lcisicjc.ini
C:\WINDOWS\system32\leulfi.dll
C:\WINDOWS\system32\mcsfqram.dll
C:\WINDOWS\system32\mcuiivho.dll
C:\WINDOWS\system32\mdldtxkb.dll
C:\WINDOWS\system32\mdygoxfe.dll
C:\WINDOWS\system32\mskqmb.dll
C:\WINDOWS\system32\nghlvivg.dll
C:\WINDOWS\system32\niesnuco.ini
C:\WINDOWS\system32\njslkici.dll
C:\WINDOWS\system32\nmemoh.dll
C:\WINDOWS\system32\nnicsm.dll
C:\WINDOWS\system32\nnnkJAsP.dll
C:\WINDOWS\system32\nnnoLEWo.dll
C:\WINDOWS\system32\nnnoPgHA.dll
C:\WINDOWS\system32\nrvprgka.dll
C:\WINDOWS\system32\ntcxws.dll
C:\WINDOWS\system32\oikednnm.dll
C:\WINDOWS\system32\omcyibwl.ini
C:\WINDOWS\system32\onlbgw.dll
C:\WINDOWS\system32\pahqhe.dll
C:\WINDOWS\system32\pbbwacnk.dll
C:\WINDOWS\system32\phmkln.dll
C:\WINDOWS\system32\pwhepwsr.dll
C:\WINDOWS\system32\qkiizc.dll
C:\WINDOWS\system32\qlnbcmqq.dll
C:\WINDOWS\system32\qpityipw.ini
C:\WINDOWS\system32\qtpfopgn.dll
C:\WINDOWS\system32\rcajwmty.dll
C:\WINDOWS\system32\rcuiue.dll
C:\WINDOWS\system32\rgkjuxjs.dll
C:\WINDOWS\system32\rqRhIBSk.dll
C:\WINDOWS\system32\rqRIxuTM.dll
C:\WINDOWS\system32\scckgugp.ini
C:\WINDOWS\system32\sdxhrljf.dll
C:\WINDOWS\system32\srqginiw.ini
C:\WINDOWS\system32\sSmjiiIx.dll
C:\WINDOWS\system32\swgatpcp.ini
C:\WINDOWS\system32\swlhpwhw.dll
C:\WINDOWS\system32\sxksoonm.dll
C:\WINDOWS\system32\tcgqauvy.ini
C:\WINDOWS\system32\tchsnqii.dll
C:\WINDOWS\system32\tehogmas.dll
C:\WINDOWS\system32\tmgaebio.dll
C:\WINDOWS\system32\ujyjlj.dll
C:\WINDOWS\system32\vfexxy.dll
C:\WINDOWS\system32\vhypgmdj.dll
C:\WINDOWS\system32\vobkrdoi.dll
C:\WINDOWS\system32\vppgnbit.dll
C:\WINDOWS\system32\vsalhfng.dll
C:\WINDOWS\system32\winigqrs.dll
C:\WINDOWS\system32\wokfjqqd.ini
C:\WINDOWS\system32\xacykm.dll
C:\WINDOWS\system32\xcbwtqed.dll
C:\WINDOWS\system32\xIiijmSs.ini
C:\WINDOWS\system32\xIiijmSs.ini2
C:\WINDOWS\system32\XIOVxyxx.ini
C:\WINDOWS\system32\XIOVxyxx.ini2
C:\WINDOWS\system32\xjbmwcgl.dll
C:\WINDOWS\system32\xtcbmxkr.ini
C:\WINDOWS\system32\xtvdjaij.ini
C:\WINDOWS\system32\ydpoidih.ini
C:\WINDOWS\system32\ytmwjacr.ini
C:\WINDOWS\system32\yvwepumr.dll
C:\WINDOWS\system32\zewzrl.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 10:21 . 2008-09-28 10:21 42,496 --a------ C:\WINDOWS\system32\wvUljHAt.dll
2008-09-28 10:21 . 2008-09-28 10:21 42,496 --a------ C:\WINDOWS\system32\tuvWnoMf.dll
2008-09-28 09:47 . 2008-09-28 09:47 988,183 ---hs---- C:\WINDOWS\system32\djqmrbul.ini
2008-09-28 09:47 . 2008-09-28 09:47 78,848 --a------ C:\WINDOWS\system32\lubrmqjd.dll
2008-09-28 09:44 . 2008-09-28 09:44 111,616 --a------ C:\WINDOWS\system32\epktljnl.dll
2008-09-28 09:44 . 2008-09-28 09:44 111,616 --a------ C:\WINDOWS\system32\agdryk.dll
2008-09-28 09:43 . 2008-09-28 09:43 105,984 --a------ C:\WINDOWS\system32\euvcndwv.dll
2008-09-28 08:37 . 2008-09-28 08:37 42,496 --a------ C:\WINDOWS\system32\urqQhhIc.dll
2008-09-28 08:37 . 2008-09-28 08:37 42,496 --a------ C:\WINDOWS\system32\urqNDvsQ.dll
2008-09-27 19:00 . 2008-09-27 19:00 46,080 --a------ C:\WINDOWS\system32\xxyxWNGX.dll
2008-09-27 19:00 . 2008-09-27 19:00 46,080 --a------ C:\WINDOWS\system32\fccARHyy.dll
2008-09-27 18:27 . 2008-09-27 18:27 46,080 --a------ C:\WINDOWS\system32\xxyxusTl.dll
2008-09-27 18:27 . 2008-09-27 18:27 46,080 --a------ C:\WINDOWS\system32\awtsSlmL.dll
2008-09-27 18:26 . 2008-09-27 18:26 155,648 --a------ C:\WINDOWS\system32\qayfrxfo.dll
2008-09-27 18:09 . 2008-09-27 18:09 155,648 --a------ C:\WINDOWS\system32\ubtnypty.dll
2008-09-27 18:09 . 2008-09-27 18:09 107,008 --a------ C:\WINDOWS\system32\wfmfoavm.dll
2008-09-27 18:08 . 2008-09-27 18:08 155,648 --a------ C:\WINDOWS\system32\tklhyjjf.dll
2008-09-27 18:06 . 2008-09-27 18:06 107,008 --a------ C:\WINDOWS\system32\dmvjlulc.dll
2008-09-27 18:05 . 2008-09-28 10:46 875,566 --ahs---- C:\WINDOWS\system32\FeKmWvut.ini2
2008-09-27 18:05 . 2008-09-28 10:46 875,566 --ahs---- C:\WINDOWS\system32\FeKmWvut.ini
2008-09-27 18:05 . 2008-09-27 18:05 253,440 --a------ C:\WINDOWS\system32\tuvWmKeF.dll
2008-09-26 17:58 . 2008-09-27 10:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-26 10:28 . 2008-09-27 08:57 427 --a------ C:\WINDOWS\wininit.ini
2008-09-26 07:19 . 2008-09-26 07:19 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a--c--- C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-25 13:00 . 2008-09-25 13:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-23 21:27 . 2008-09-23 21:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-23 21:26 . 2008-09-23 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-23 21:21 . 2008-09-23 21:21 <DIR> dr-hs---- C:\_Backup.RC
2008-09-23 21:21 . 2008-09-24 00:20 <DIR> d--h----- C:\_Backup
2008-09-23 21:19 . 2008-09-23 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Avanquest
2008-09-23 21:14 . 2008-09-23 21:14 <DIR> d-------- C:\Program Files\Avanquest
2008-09-23 21:10 . 2008-09-23 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-22 20:28 . 2008-09-23 20:36 921,005 --ahs---- C:\WINDOWS\system32\fcmlcxix.ini
2008-09-22 20:25 . 2008-09-22 20:25 99,328 --a------ C:\WINDOWS\system32\elbyvebf.dll
2008-09-22 14:28 . 2008-09-22 14:28 879,630 --ahs---- C:\WINDOWS\system32\ifvyfbwc.ini
2008-09-22 14:25 . 2008-09-22 14:25 113,152 --a------ C:\WINDOWS\system32\pgnvgrox.dll
2008-09-22 14:25 . 2008-09-22 14:25 113,152 --a------ C:\WINDOWS\system32\cguzet.dll
2008-09-22 14:23 . 2008-09-22 14:23 99,328 --a------ C:\WINDOWS\system32\ylxxhiob.dll
2008-09-22 14:19 . 2008-09-22 14:22 879,570 --ahs---- C:\WINDOWS\system32\gbkfunct.ini
2008-09-22 14:16 . 2008-09-26 10:33 876,630 --ahs---- C:\WINDOWS\system32\TAyJlUtv.ini2
2008-09-22 14:16 . 2008-09-26 10:34 876,630 --ahs---- C:\WINDOWS\system32\TAyJlUtv.ini
2008-09-22 14:16 . 2008-09-22 14:16 99,328 --a------ C:\WINDOWS\system32\baieqfob.dll
2008-09-22 14:10 . 2008-09-22 14:10 43,008 --a------ C:\WINDOWS\system32\ssqNHwTm.dll
2008-09-21 17:23 . 2004-08-30 21:00 365,568 --a------ C:\WINDOWS\system32\doskeys.exe
2008-09-21 17:23 . 2008-09-21 17:23 51,712 --a------ C:\WINDOWS\system32\dllhosts.exe
2008-09-21 17:23 . 2008-09-28 10:37 215 --a------ C:\WINDOWS\system32\Monitored2.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 17:53 --------- d-----w C:\Program Files\QuickTime
2008-09-28 16:31 --------- d-----w C:\Program Files\Zinio
2008-09-28 16:31 --------- d-----w C:\Program Files\iTunes
2008-09-28 16:31 --------- d-----w C:\Program Files\Digital Media Reader
2008-09-27 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-27 01:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 22:30 --------- d-----w C:\Program Files\xxx.xxx
2008-09-25 19:47 --------- d-----w C:\Program Files\Opera
2008-09-24 02:55 --------- d-----w C:\Program Files\Symantec
2008-09-24 02:28 --------- d-----w C:\Program Files\Photo Manager
2008-09-24 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 00:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-08-24 16:43 --------- d-----w C:\Program Files\Sun
2008-08-24 16:42 --------- d-----w C:\Program Files\Java
2008-03-26 15:20 228,336 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 01:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-12-18 18:20 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-09-27_12.33.38.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-09 15:50:42 155,648 -c--a-w C:\windows\system32\NeroCheck.exe
+ 2004-03-10 21:26:10 406,016 -c--a-w C:\windows\system32\PSDrvCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BA82ED-AF2F-40BD-995C-320BBD6A509e}]
2008-09-27 18:26 155648 --a------ C:\windows\system32\qayfrxfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca3a2052-0769-4c60-a246-99628fb3eb7c}]
2008-09-28 09:44 111616 --a------ C:\windows\system32\agdryk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAA91B0C-B261-4328-B3C1-07F4E5D8F3E9}]
2008-09-27 18:05 253440 --a------ C:\windows\system32\tuvWmKeF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E538488B-36AB-42FF-8498-271810C9C599}]
2008-09-22 14:10 43008 --a------ C:\windows\system32\ssqNHwTm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe" [2006-09-25 50736]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"LVCOMSX"="C:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"5417482f"="C:\windows\system32\lubrmqjd.dll" [2008-09-28 78848]
"BM57247bb3"="C:\windows\system32\euvcndwv.dll" [2008-09-28 105984]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NT Printing Services6"="dllhosts.exe" [2008-09-21 C:\WINDOWS\system32\dllhosts.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E538488B-36AB-42FF-8498-271810C9C599}"= "C:\windows\system32\ssqNHwTm.dll" [2008-09-22 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqNHwTm]
2008-09-22 14:10 43008 C:\WINDOWS\system32\ssqNHwTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\windows\system32\DRIVERS\lstone2k.sys [2002-12-10 11:20]
R3 I97DRIVER;I97DRIVER;C:\PROGRA~1\AVANQU~1\Fix-It\dgs.sys [2007-08-31 11:18]
S1 MemAlloc;MemAlloc;C:\windows\system32\DRIVERS\memalloc.sys [2002-08-26 04:51]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 14:14]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17147075-1ead-11d9-bea6-806d6172696f}]
\Shell\AutoRun\command - F:\cdplayer.exe

*Newly Created Service* - MAILSCAN
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLAspSunset - C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp\sunsetAsp.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 10:54:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\system32\winlogon.exe
-> C:\windows\system32\ssqNHwTm.dll

PROCESS: C:\windows\explorer.exe
-> C:\windows\system32\lubrmqjd.dll
-> C:\windows\system32\euvcndwv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-28 11:05:04 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-09-28 18:04:55
ComboFix2.txt 2008-09-27 19:36:10

Pre-Run: 117,386,391,552 bytes free
Post-Run: 117,369,040,896 bytes free

422 --- E O F --- 2008-09-10 10:01:09


pskelley
2008-09-28, 21:50
What happens is this junk has the ability to morph and recreate itself, and since you had such a massive infection, it has done just that. The good news is it looks like AWF was removed.

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\wvUljHAt.dll
C:\WINDOWS\system32\tuvWnoMf.dll
C:\WINDOWS\system32\djqmrbul.ini
C:\WINDOWS\system32\lubrmqjd.dll
C:\WINDOWS\system32\epktljnl.dll
C:\WINDOWS\system32\agdryk.dll
C:\WINDOWS\system32\euvcndwv.dll
C:\WINDOWS\system32\urqQhhIc.dll
C:\WINDOWS\system32\urqNDvsQ.dll
C:\WINDOWS\system32\xxyxWNGX.dll
C:\WINDOWS\system32\fccARHyy.dll
C:\WINDOWS\system32\xxyxusTl.dll
C:\WINDOWS\system32\awtsSlmL.dll
C:\WINDOWS\system32\qayfrxfo.dll
C:\WINDOWS\system32\ubtnypty.dll
C:\WINDOWS\system32\wfmfoavm.dll
C:\WINDOWS\system32\tklhyjjf.dll
C:\WINDOWS\system32\dmvjlulc.dll
C:\WINDOWS\system32\FeKmWvut.ini2
C:\WINDOWS\system32\FeKmWvut.ini
C:\WINDOWS\system32\tuvWmKeF.dll
C:\WINDOWS\system32\fcmlcxix.ini
C:\WINDOWS\system32\elbyvebf.dll
C:\WINDOWS\system32\ifvyfbwc.ini
C:\WINDOWS\system32\pgnvgrox.dll
C:\WINDOWS\system32\cguzet.dll
C:\WINDOWS\system32\ylxxhiob.dll
C:\WINDOWS\system32\gbkfunct.ini
C:\WINDOWS\system32\TAyJlUtv.ini2
C:\WINDOWS\system32\TAyJlUtv.ini
C:\WINDOWS\system32\baieqfob.dll
C:\WINDOWS\system32\ssqNHwTm.dll
C:\WINDOWS\system32\doskeys.exe
C:\WINDOWS\system32\dllhosts.exe
C:\WINDOWS\system32\Monitored2.dat

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BA82ED-AF2F-40BD-995C-320BBD6A509e}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca3a2052-0769-4c60-a246-99628fb3eb7c}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAA91B0C-B261-4328-B3C1-07F4E5D8F3E9}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E538488B-36AB-42FF-8498-271810C9C599}]

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Thanks
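
The selection pskelley made by hand above (randomly named system32 files from the "Files Created" section, plus the DLLs that the BHO and Run keys point at) can be scripted as a triage pass over the log. The following is an added example, not code from this thread, from pskelley, or from ComboFix: it parses lines in the exact format the ComboFix log uses and flags each system32 entry with the signals a helper looks for. The regexes, the KNOWN_BINARIES list, the 6-8 letter "random name" rule and the reason strings are this example's own assumptions; the sample lines are excerpted from the log posted above.

```python
"""Triage helper for ComboFix 'Files Created' and 'Reg Loading Points' output.

Added example, not from this thread or from ComboFix. The signals scored here
(random-looking names, hidden+system attributes, .ini/.ini2 pairs, padded
Windows binary names, references from a BHO or Run key) are assumptions of
this example; ComboFix itself computes none of them.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One 'Files Created' line: <created> . <modified> <size|<DIR>> <attrs> <path>
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Any drive-letter path ending in .dll/.exe that appears in the registry dump
LOADPOINT_PATH = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe)', re.I)
RANDOM_STEM = re.compile(r"^[A-Za-z]{6,8}$")  # assumed 'random name' rule
# Assumed: real binaries whose names the malware pads with one extra letter
KNOWN_BINARIES = {"dllhost", "doskey", "svchost", "lsass", "csrss"}


@dataclass
class Entry:
    size: Optional[int]  # None for <DIR>
    attrs: str
    path: str
    stem: str
    ext: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Files Created' line; headers and blank lines give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    name = m["path"].rsplit("\\", 1)[-1]
    stem, _, ext = name.partition(".")
    return Entry(size, m["attrs"], m["path"], stem, ext.lower())


def in_system32(path: str) -> bool:
    """Files directly in system32 only; dllcache and other subfolders excluded."""
    low = path.lower()
    return "\\system32\\" in low and low.count("\\") == 3


def reasons(e: Entry, ini_stems: Counter, loaded: set) -> list:
    """Suspicious signals for one entry, in a fixed order (empty if none)."""
    out = []
    if e.size is None or not in_system32(e.path):
        return out
    base = e.stem[:-1].lower()
    if e.ext == "exe" and base in KNOWN_BINARIES:
        out.append("name appends a character to the Windows binary " + base)
    elif RANDOM_STEM.match(e.stem) and e.ext in ("dll", "exe", "ini", "ini2"):
        out.append("random-looking name in system32")
    if "h" in e.attrs and "s" in e.attrs:
        out.append("hidden+system attributes")
    if e.ext in ("ini", "ini2") and ini_stems[e.stem] >= 2:
        out.append(".ini/.ini2 pair")
    if e.path.lower() in loaded:
        out.append("referenced from a registry load point")
    return out


def triage(files_section: str, reg_section: str) -> dict:
    """Map every flagged path to its list of reasons."""
    entries = [e for e in map(parse_line, files_section.splitlines()) if e]
    ini_stems = Counter(e.stem for e in entries if e.ext in ("ini", "ini2"))
    loaded = {p.lower() for p in LOADPOINT_PATH.findall(reg_section)}
    flagged = {}
    for e in entries:
        why = reasons(e, ini_stems, loaded)
        if why:
            flagged[e.path] = why
    return flagged


# Sample input: lines excerpted from the ComboFix log posted above.
FILES = r"""
2008-09-28 10:21 . 2008-09-28 10:21 42,496 --a------ C:\WINDOWS\system32\wvUljHAt.dll
2008-09-28 09:47 . 2008-09-28 09:47 988,183 ---hs---- C:\WINDOWS\system32\djqmrbul.ini
2008-09-28 09:47 . 2008-09-28 09:47 78,848 --a------ C:\WINDOWS\system32\lubrmqjd.dll
2008-09-27 18:26 . 2008-09-27 18:26 155,648 --a------ C:\WINDOWS\system32\qayfrxfo.dll
2008-09-27 18:05 . 2008-09-28 10:46 875,566 --ahs---- C:\WINDOWS\system32\FeKmWvut.ini2
2008-09-27 18:05 . 2008-09-28 10:46 875,566 --ahs---- C:\WINDOWS\system32\FeKmWvut.ini
2008-09-26 17:58 . 2008-09-27 10:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a--c--- C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-21 17:23 . 2008-09-21 17:23 51,712 --a------ C:\WINDOWS\system32\dllhosts.exe
"""
REG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00BA82ED-AF2F-40BD-995C-320BBD6A509e}]
2008-09-27 18:26 155648 --a------ C:\windows\system32\qayfrxfo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"5417482f"="C:\windows\system32\lubrmqjd.dll" [2008-09-28 78848]
"NT Printing Services6"="dllhosts.exe" [2008-09-21 C:\WINDOWS\system32\dllhosts.exe]
"""

if __name__ == "__main__":
    for path, why in triage(FILES, REG).items():
        print(path, "->", "; ".join(why))
```

Run as-is and it prints the seven sample paths that pskelley's CFScript also lists, each with its reasons. The "random-looking name" signal is weak on its own (a legitimate six-letter name such as ctfmon.exe would match it), which is why the output is a triage list to be confirmed against the load points and the DLLs-loaded-under-running-processes section, not a removal script; the entries that carry two or more reasons are the ones worth looking at first.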

lizardlize
2008-09-28, 23:41
ComboFix 08-09-26.06 - Owner 2008-09-28 11:58:52.4 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\agdryk.dll
C:\WINDOWS\system32\awtsSlmL.dll
C:\WINDOWS\system32\baieqfob.dll
C:\WINDOWS\system32\cguzet.dll
C:\WINDOWS\system32\djqmrbul.ini
C:\WINDOWS\system32\dllhosts.exe
C:\WINDOWS\system32\dmvjlulc.dll
C:\WINDOWS\system32\doskeys.exe
C:\WINDOWS\system32\elbyvebf.dll
C:\WINDOWS\system32\epktljnl.dll
C:\WINDOWS\system32\euvcndwv.dll
C:\WINDOWS\system32\fccARHyy.dll
C:\WINDOWS\system32\fcmlcxix.ini
C:\WINDOWS\system32\FeKmWvut.ini
C:\WINDOWS\system32\FeKmWvut.ini2
C:\WINDOWS\system32\gbkfunct.ini
C:\WINDOWS\system32\ifvyfbwc.ini
C:\WINDOWS\system32\lubrmqjd.dll
C:\WINDOWS\system32\Monitored2.dat
C:\WINDOWS\system32\pgnvgrox.dll
C:\WINDOWS\system32\qayfrxfo.dll
C:\WINDOWS\system32\ssqNHwTm.dll
C:\WINDOWS\system32\TAyJlUtv.ini
C:\WINDOWS\system32\TAyJlUtv.ini2
C:\WINDOWS\system32\tklhyjjf.dll
C:\WINDOWS\system32\tuvWmKeF.dll
C:\WINDOWS\system32\tuvWnoMf.dll
C:\WINDOWS\system32\ubtnypty.dll
C:\WINDOWS\system32\urqNDvsQ.dll
C:\WINDOWS\system32\urqQhhIc.dll
C:\WINDOWS\system32\wfmfoavm.dll
C:\WINDOWS\system32\wvUljHAt.dll
C:\WINDOWS\system32\xxyxusTl.dll
C:\WINDOWS\system32\xxyxWNGX.dll
C:\WINDOWS\system32\ylxxhiob.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\windows\BM57247bb3.txt
C:\windows\pskt.ini
C:\WINDOWS\system32\agdryk.dll
C:\WINDOWS\system32\awtsSlmL.dll
C:\WINDOWS\system32\baieqfob.dll
C:\WINDOWS\system32\cguzet.dll
C:\WINDOWS\system32\djqmrbul.ini
C:\WINDOWS\system32\dllhosts.exe
C:\WINDOWS\system32\dmvjlulc.dll
C:\WINDOWS\system32\doskeys.exe
C:\WINDOWS\system32\elbyvebf.dll
C:\WINDOWS\system32\epktljnl.dll
C:\WINDOWS\system32\euvcndwv.dll
C:\WINDOWS\system32\fccARHyy.dll
C:\WINDOWS\system32\fcmlcxix.ini
C:\WINDOWS\system32\FeKmWvut.ini
C:\WINDOWS\system32\FeKmWvut.ini2
C:\WINDOWS\system32\gbkfunct.ini
C:\WINDOWS\system32\ifvyfbwc.ini
C:\WINDOWS\system32\lubrmqjd.dll
C:\WINDOWS\system32\Monitored2.dat
C:\WINDOWS\system32\pgnvgrox.dll
C:\WINDOWS\system32\qayfrxfo.dll
C:\WINDOWS\system32\ssqNHwTm.dll
C:\WINDOWS\system32\TAyJlUtv.ini
C:\WINDOWS\system32\TAyJlUtv.ini2
C:\WINDOWS\system32\tklhyjjf.dll
C:\WINDOWS\system32\tuvWmKeF.dll
C:\WINDOWS\system32\tuvWnoMf.dll
C:\WINDOWS\system32\ubtnypty.dll
C:\WINDOWS\system32\urqNDvsQ.dll
C:\WINDOWS\system32\urqQhhIc.dll
C:\WINDOWS\system32\wfmfoavm.dll
C:\WINDOWS\system32\wvUljHAt.dll
C:\WINDOWS\system32\xxyxusTl.dll
C:\WINDOWS\system32\xxyxWNGX.dll
C:\WINDOWS\system32\ylxxhiob.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\pmnkIAsT.dll
2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\mlJBRKBT.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\ssqNebbC.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\jkkLCTMd.dll
2008-09-28 11:20 . 2008-09-28 11:20 988,183 --ahs---- C:\WINDOWS\system32\ugdolddn.ini
2008-09-28 11:20 . 2008-09-28 11:20 78,848 --a------ C:\WINDOWS\system32\nddlodgu.dll
2008-09-28 11:17 . 2008-09-28 11:17 111,616 --a------ C:\WINDOWS\system32\wcroxkgf.dll
2008-09-28 11:17 . 2008-09-28 11:17 111,616 --a------ C:\WINDOWS\system32\kpselq.dll
2008-09-28 11:15 . 2008-09-28 11:15 105,984 --a------ C:\WINDOWS\system32\ovdymmck.dll
2008-09-28 11:14 . 2008-09-28 11:14 155,648 --a------ C:\WINDOWS\system32\fpressbt.dll
2008-09-28 11:12 . 2008-09-28 11:12 105,984 --a------ C:\WINDOWS\system32\jryqscdn.dll
2008-09-28 11:11 . 2008-09-28 11:59 875,392 --ahs---- C:\WINDOWS\system32\FPXaayay.ini2
2008-09-28 11:11 . 2008-09-28 11:11 254,464 --a------ C:\WINDOWS\system32\yayaaXPF.dll
2008-09-28 11:11 . 2008-09-28 11:59 533 --ahs---- C:\WINDOWS\system32\FPXaayay.ini
2008-09-28 11:05 . 2008-09-28 11:05 0 --a------ C:\WINDOWS\BM57247bb3.xml
2008-09-26 17:58 . 2008-09-27 10:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-26 10:28 . 2008-09-27 08:57 427 --a------ C:\WINDOWS\wininit.ini
2008-09-26 07:19 . 2008-09-26 07:19 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a--c--- C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-25 13:00 . 2008-09-25 13:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-23 21:27 . 2008-09-23 21:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-23 21:26 . 2008-09-23 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-23 21:21 . 2008-09-23 21:21 <DIR> dr-hs---- C:\_Backup.RC
2008-09-23 21:21 . 2008-09-24 00:20 <DIR> d--h----- C:\_Backup
2008-09-23 21:19 . 2008-09-23 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Avanquest
2008-09-23 21:14 . 2008-09-23 21:14 <DIR> d-------- C:\Program Files\Avanquest
2008-09-23 21:10 . 2008-09-23 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 17:53 --------- d-----w C:\Program Files\Zinio
2008-09-28 17:53 --------- d-----w C:\Program Files\QuickTime
2008-09-28 17:53 --------- d-----w C:\Program Files\iTunes
2008-09-28 17:53 --------- d-----w C:\Program Files\Digital Media Reader
2008-09-27 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-27 01:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 22:30 --------- d-----w C:\Program Files\xxx.xxx
2008-09-25 19:47 --------- d-----w C:\Program Files\Opera
2008-09-24 02:55 --------- d-----w C:\Program Files\Symantec
2008-09-24 02:28 --------- d-----w C:\Program Files\Photo Manager
2008-09-24 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 00:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-08-24 16:43 --------- d-----w C:\Program Files\Sun
2008-08-24 16:42 --------- d-----w C:\Program Files\Java
2008-08-22 18:00 29,600 ----a-w C:\windows\system32\mxntdfg.exe
2008-08-06 00:55 265,720 ----a-w C:\windows\system32\msdbg2.dll
2008-07-19 05:10 94,920 ----a-w C:\windows\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\windows\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\windows\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\windows\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\windows\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\windows\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\windows\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\windows\system32\wuaueng.dll
2008-07-09 00:10 129,784 ----a-w C:\windows\system32\pxafs.dll
2008-07-09 00:09 118,520 ----a-w C:\windows\system32\pxinsi64.exe
2008-07-09 00:09 116,472 ----a-w C:\windows\system32\pxcpyi64.exe
2008-07-07 20:32 253,952 ----a-w C:\windows\system32\es.dll
2008-03-26 15:20 228,336 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 01:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-12-18 18:20 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2008-09-27_12.33.38.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-07-09 15:50:42 155,648 -c--a-w C:\windows\system32\NeroCheck.exe
+ 2004-03-10 21:26:10 406,016 -c--a-w C:\windows\system32\PSDrvCheck.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0079011D-F981-4249-9D8D-1F6E65FC597b}]
2008-09-28 11:14 155648 --a------ C:\windows\system32\fpressbt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BCFB77-4347-4781-B2DD-36FE0B085402}]
2008-09-28 11:11 254464 --a------ C:\windows\system32\yayaaXPF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ba9c449-51be-4b95-9cd4-f2c66085e149}]
2008-09-28 11:17 111616 --a------ C:\windows\system32\kpselq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe" [2006-09-25 50736]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"LVCOMSX"="C:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"5417482f"="C:\windows\system32\nddlodgu.dll" [2008-09-28 78848]
"BM57247bb3"="C:\windows\system32\ovdymmck.dll" [2008-09-28 105984]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kpselq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\windows\system32\DRIVERS\lstone2k.sys [2002-12-10 11:20]
R3 I97DRIVER;I97DRIVER;C:\PROGRA~1\AVANQU~1\Fix-It\dgs.sys [2007-08-31 11:18]
S1 MemAlloc;MemAlloc;C:\windows\system32\DRIVERS\memalloc.sys [2002-08-26 04:51]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 14:14]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17147075-1ead-11d9-bea6-806d6172696f}]
\Shell\AutoRun\command - F:\cdplayer.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Explorer_Run-NT Printing Services6 - dllhosts.exe
Notify-ssqNHwTm - ssqNHwTm.dll



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 12:09:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\windows\explorer.exe
-> C:\windows\system32\nddlodgu.dll
-> C:\windows\system32\ovdymmck.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-28 12:17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 19:17:49
ComboFix2.txt 2008-09-28 18:05:06
ComboFix3.txt 2008-09-27 19:36:10

Pre-Run: 117,438,722,048 bytes free
Post-Run: 117,410,906,112 bytes free

241 --- E O F --- 2008-09-10 10:01:09
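
The Reg Loading Points section of the ComboFix log above is where Vundo shows its hand: three Browser Helper Objects, two Run values and an AppInit_DLLs entry, all pointing at DLLs in system32 that were created minutes before the scan and carry random letters-only names. The following script is an added example for this thread, not code from ComboFix, Malwarebytes or the poster. It parses exactly those lines (embedded below as a constructed sample copied from the log) and flags the load points a helper would tell the user to remove. The 48-hour window, the 6-to-8-letter "random name" rule and the hex-value-name rule are heuristics assumed for this example; the scan time is taken from the "Rootkit scan" stamp in the same log.

```python
"""Triage the 'Reg Loading Points' of a ComboFix log for Vundo-style loaders.

Added example for this thread, not code from ComboFix or from the poster.
A load point is reported when its DLL was created shortly before the scan,
has a letters-only random-looking name in system32, sits in AppInit_DLLs,
or hangs off a hex-looking Run value name. Thresholds are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the loading-point lines from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0079011D-F981-4249-9D8D-1F6E65FC597b}]
2008-09-28 11:14 155648 --a------ C:\windows\system32\fpressbt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30BCFB77-4347-4781-B2DD-36FE0B085402}]
2008-09-28 11:11 254464 --a------ C:\windows\system32\yayaaXPF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ba9c449-51be-4b95-9cd4-f2c66085e149}]
2008-09-28 11:17 111616 --a------ C:\windows\system32\kpselq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe" [2006-09-25 50736]
"LVCOMSX"="C:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"5417482f"="C:\windows\system32\nddlodgu.dll" [2008-09-28 78848]
"BM57247bb3"="C:\windows\system32\ovdymmck.dll" [2008-09-28 105984]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kpselq.dll
"""
# Assumed scan time, taken from the 'Rootkit scan' stamp in the same log.
SCAN_TIME = datetime(2008, 9, 28, 12, 9)

KEY_RE = re.compile(r"^\[(.+)\]$")
BHO_FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+\d+\s+\S+\s+(.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.I)
DATE_RE = re.compile(r"\d{4}-\d\d-\d\d(?: \d\d:\d\d)?")
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{6,8}$")       # heuristic: fpressbt, yayaaXPF, kpselq
HEX_NAME_RE = re.compile(r"^(BM)?[0-9a-f]{8}$", re.I)  # heuristic: 5417482f, BM57247bb3
RECENT = timedelta(hours=48)                           # assumed "created just now" window


def _parse_date(text):
    """Pull a YYYY-MM-DD[ HH:MM] stamp out of a ComboFix bracket, or None."""
    m = DATE_RE.search(text or "")
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M" if " " in m.group(0) else "%Y-%m-%d"
    return datetime.strptime(m.group(0), fmt)


def parse_loading_points(text):
    """Return one {'key','name','path','created'} dict per load point in the log."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a registry key header: remember it for what follows
            key = m.group(1)
            continue
        m = APPINIT_RE.match(line)
        if m:                       # AppInit_DLLs may list several names, space or comma separated
            for dll in re.split(r"[ ,]+", m.group(1).strip()):
                if dll:
                    entries.append({"key": key, "name": "AppInit_DLLs", "path": dll, "created": None})
            continue
        m = RUN_RE.match(line)
        if m:                       # "Value"="path" [date size] under a Run key
            entries.append({"key": key, "name": m.group(1), "path": m.group(2),
                            "created": _parse_date(m.group(3))})
            continue
        m = BHO_FILE_RE.match(line)
        if m and key and "Browser Helper Objects" in key:   # date size attrs path under a BHO CLSID
            entries.append({"key": key, "name": key.rsplit("\\", 1)[-1], "path": m.group(2),
                            "created": _parse_date(m.group(1))})
    return entries


def assess(entry, scan_time):
    """Return the reasons this load point looks like a Vundo loader (empty if none)."""
    reasons = []
    path = entry["path"]
    fname = path.rsplit("\\", 1)[-1]
    stem, _, ext = fname.rpartition(".")
    in_sys32 = "\\system32\\" in path.lower()
    if entry["name"] == "AppInit_DLLs":
        reasons.append("AppInit_DLLs is set (DLL injected into every user32 process)")
    if HEX_NAME_RE.match(entry["name"]):
        reasons.append("hex-looking Run value name")
    if entry["created"] and scan_time - entry["created"] <= RECENT:
        reasons.append("file created within 48h of the scan")
    # AppInit names are bare and resolve from system32, so treat them as in_sys32.
    if ext.lower() == "dll" and (in_sys32 or entry["name"] == "AppInit_DLLs") and RANDOM_STEM_RE.match(stem):
        reasons.append("letters-only random-looking DLL name in system32")
    return reasons


def triage(text, scan_time):
    """Return (name, path, reasons) for every load point worth removing.

    A single strong signal (AppInit_DLLs, hex value name) is enough; the weaker
    signals (recent file, random name) must agree with each other to count.
    """
    flagged = []
    for e in parse_loading_points(text):
        reasons = assess(e, scan_time)
        strong = any(r.startswith(("AppInit", "hex")) for r in reasons)
        if strong or len(reasons) >= 2:
            flagged.append((e["name"], e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG, SCAN_TIME):
        print(f"{name:40} {path}\n    - " + "\n    - ".join(reasons))
```

Run against the sample it reports the three BHO DLLs, the two hex-named Run values and the AppInit_DLLs entry, and leaves ctfmon.exe, LVCOMSX.EXE, AOLSoftware.exe and ShowWnd.exe alone. The point of splitting signals into strong and weak is that "created recently" on its own would also catch a program the user installed yesterday; AppInit_DLLs pointing at a six-letter DLL in system32 on a home XP box needs no second opinion.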

lizardlize
2008-09-28, 23:42
Malwarebytes' Anti-Malware 1.28
Database version: 1221
Windows 5.1.2600 Service Pack 2

9/28/2008 1:36:47 PM
mbam-log-2008-09-28 (13-36-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 147993
Time elapsed: 55 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 199

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nddlodgu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ovdymmck.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kpselq.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30bcfb77-4347-4781-b2dd-36fe0b085402} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{30bcfb77-4347-4781-b2dd-36fe0b085402} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ba9c449-51be-4b95-9cd4-f2c66085e149} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7ba9c449-51be-4b95-9cd4-f2c66085e149} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0079011d-f981-4249-9d8d-1f6e65fc597b} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0079011d-f981-4249-9d8d-1f6e65fc597b} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5417482f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm57247bb3 (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayaaXPF.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FPXaayay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FPXaayay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kpselq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nddlodgu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ugdolddn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fpressbt.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ovdymmck.dll (Trojan.Vundo) -> Delete on reboot.
C:\QooBox\Quarantine\C\WINDOWS\system32\agdryk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\akcskd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\baieqfob.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\blqsdmbn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\btedxycx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bwfytjkn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cdezcp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cguzet.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dldjdgpb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dmvjlulc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\dowdrmdm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\frjdpkfp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gcfkfrvj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gogtflpg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gsybahph.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hejwhasx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hfbpzu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hijyqy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hjrcmntv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hohqil.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hpepyvtt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\htyoltvx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hucofkti.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hxwaap.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\iacgms.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jahxmi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jbksnxhl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jdsyhtrr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jflphxuo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\jihrwqmq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kesxfccs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\knvknwjd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kugnlc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kxkgphkq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\kyikvrpi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\leulfi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\lubrmqjd.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mcsfqram.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mcuiivho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mdldtxkb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mdygoxfe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mskqmb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nghlvivg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\njslkici.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nmemoh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nnicsm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\nrvprgka.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ntcxws.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\oikednnm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\onlbgw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pahqhe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pbbwacnk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pgnvgrox.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\phmkln.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pwhepwsr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qayfrxfo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qkiizc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qlnbcmqq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qtpfopgn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rcajwmty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rcuiue.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rgkjuxjs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sdxhrljf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\swlhpwhw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sxksoonm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tchsnqii.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tehogmas.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tklhyjjf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\tmgaebio.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ubtnypty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ujyjlj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vfexxy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vhypgmdj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vobkrdoi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vppgnbit.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vsalhfng.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wfmfoavm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\winigqrs.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xacykm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xcbwtqed.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xjbmwcgl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ylxxhiob.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yvwepumr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\zewzrl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\elbyvebf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\epktljnl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\epttasrt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eqlrtjwc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\euvcndwv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\eysijgoc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ffmlux.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000213.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000215.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000217.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000218.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000219.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000224.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000225.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000226.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000227.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000229.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000230.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000232.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000233.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000234.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000235.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000237.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000238.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000241.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000242.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000243.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000245.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000250.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000251.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000252.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000253.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000254.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000255.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000257.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000259.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000260.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000264.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000265.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000266.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000267.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000268.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000269.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000270.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000272.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000273.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000274.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000278.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000279.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000280.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000282.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000283.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000284.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000285.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000286.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000287.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000288.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000290.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000291.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000292.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000293.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000297.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000301.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000302.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000304.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000305.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000306.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000307.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000308.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000309.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000310.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000258.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000312.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000313.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000316.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000319.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000324.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP4\A0000325.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001305.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001307.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001308.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001313.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001314.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001321.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001322.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001323.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001326.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001329.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001332.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\A0001336.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wcroxkgf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jryqscdn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkkLCTMd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnkIAsT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJBRKBT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqNebbC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM57247bb3.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM57247bb3.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

lizardlize
2008-09-28, 23:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:51 PM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O20 - AppInit_DLLs: kpselq.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7464 bytes

pskelley
2008-09-29, 00:00
Too much junk for me to look at; look here in the combofix log you just posted:
Files Created from 2008-08-28 to 2008-09-28, See when these files were created
2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\pmnkIAsT.dll
2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\mlJBRKBT.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\ssqNebbC.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\jkkLCTMd.dll
There is more; I am only showing you four so you can see the time and date, so you know what we are up against.

I will give this a try:

1) Delete the version of combofix you have on the computer for now.

2) C:\QooBox\Quarantine\ <<< make sure you delete the Qoobox, which contains the quarantine folder with all of the bad files combofix has removed so far.

3) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4) Update MBAM to make sure you have the very latest database.

5) Boot the computer into safe mode:
http://spyware-free.us/tutorials/safemode/
Scan while in safe mode with MBAM: Start MBAM > Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Tell me how the computer is running.

Thanks
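The check pskelley applies by eye above, reading the creation timestamps in the ComboFix "Files Created" section to spot DLLs that reappeared in system32 after a cleaning pass, written out as a small parser. This is an added example, not code from the thread or from ComboFix. The sample input is the four lines quoted in the post plus two benign MBAM driver lines from the later ComboFix log in this thread; the scan time of 2008-09-28 14:00 and the 24-hour window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the four ComboFix "Files Created" lines quoted in the
# post above, plus two benign MBAM driver lines taken from the later ComboFix log
# in this thread so the filter has something it should NOT flag.
SAMPLE = r"""
2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\pmnkIAsT.dll
2008-09-28 11:52 . 2008-09-28 11:52 42,496 --a------ C:\WINDOWS\system32\mlJBRKBT.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\ssqNebbC.dll
2008-09-28 11:34 . 2008-09-28 11:34 42,496 --a------ C:\WINDOWS\system32\jkkLCTMd.dll
2008-09-28 12:26 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 12:26 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
"""

# Assumed time of the scan (not stated in the thread); "recent" is measured from it.
SCAN_TIME = "2008-09-28 14:00"

# ComboFix line layout: <created> . <modified> <size or <DIR>> <attributes> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_files_created(text):
    """Turn 'Files Created' lines into dicts; directories and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        records.append({
            "created": datetime.strptime(m.group(1), TIME_FMT),
            "modified": datetime.strptime(m.group(2), TIME_FMT),
            "size": int(m.group(3).replace(",", "")),
            "attrs": m.group(4),
            "path": m.group(5),
        })
    return records


def looks_random(filename):
    """Heuristic for Vundo-style names: an 8-letter stem with upper and lower case mixed irregularly."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalpha()
            and any(c.isupper() for c in stem) and any(c.islower() for c in stem)
            and stem != stem.capitalize())


def find_regenerated_dlls(text, scan_time=SCAN_TIME, window_hours=24):
    """Names of DLLs written directly into system32 shortly before the scan.

    created == modified means the file was written in place rather than copied
    from an older payload (compare the MBAM drivers, whose modified time
    predates their creation on this machine, so they are not flagged).
    """
    cutoff = datetime.strptime(scan_time, TIME_FMT) - timedelta(hours=window_hours)
    hits = []
    for r in parse_files_created(text):
        directory, _, name = r["path"].rpartition("\\")
        if not directory.lower().endswith("\\system32"):
            continue
        if not name.lower().endswith(".dll"):
            continue
        if r["created"] == r["modified"] and r["created"] >= cutoff:
            hits.append(name)
    return sorted(hits)


def size_clusters(text):
    """Group flagged DLLs by byte size; several fresh DLLs of one size is the regeneration signature."""
    flagged = set(find_regenerated_dlls(text))
    groups = defaultdict(list)
    for r in parse_files_created(text):
        name = r["path"].rpartition("\\")[2]
        if name in flagged:
            groups[r["size"]].append(name)
    return {size: names for size, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for name in find_regenerated_dlls(SAMPLE):
        print(f"fresh system32 DLL: {name}  random-looking name: {looks_random(name)}")
    for size, names in size_clusters(SAMPLE).items():
        print(f"{len(names)} fresh DLLs share size {size:,} bytes: {', '.join(names)}")
```

Run against a real ComboFix log, the script reports the four DLLs (all 42,496 bytes, created in two batches 18 minutes apart, each with a random-looking 8-letter name) and nothing for the MBAM drivers, which is exactly the pattern the post is pointing at: files reappearing after the earlier removals rather than leftovers from before.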

lizardlize
2008-09-29, 05:42
There was nothing found by Malwarebytes in safe mode. So I have no log, I guess? It ran for over 4 hrs. The computer seems to be running faster. I don't use IE, so I don't know if it is working or has those stupid popups.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:41 PM, on 9/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system32\wuauclt.exe
C:\windows\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1219595746261&h=23fbbd6d3b2219a0beb62d862fdf3c28/&filename=jinstall-6u7-windows-i586-jc.cab
O20 - AppInit_DLLs: kpselq.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7464 bytes

pskelley
2008-09-29, 14:41
Not much showing in the HJT log, you said:

There was nothing found by Malwarebytes in safe mode. So I have no log, I guess? It ran for over 4 hrs.
Takes one hour on my computers. How are your maintenance procedures? When did you Check for Disk Errors last?
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx
When did you defrag your drives last?
http://support.microsoft.com/kb/314848
How much RAM is installed on this computer?
Right click MyComputer then click Properties. On the General tab in the lower right corner is the RAM, post that information.

I don't use IE, so I don't know if it is working or has those stupid popups.
I would like to see the results of this scan, and it only runs on IE; you do have IE installed on the computer.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with the RAM count and any other information I requested.

Thanks

lizardlize
2008-09-30, 04:36
I have 504 MB Ram.

I don't think I have ever run Check disk for errors. I just did it and it seemed to run fine. It didn't say there were any problems, but I don't know if it would tell me.

Defrag was done last week.

I was unable to get Kaspersky to run. It kept telling me that I needed Java 1.5 or later. When I go to the Java page, it says that I am updated to the most current version.

pskelley
2008-09-30, 15:10
I have 504 MB Ram.
That is not too much; if you are running any resource-intensive games or programs it might not be enough. I use my computer for basic computing and I have 1.25 MBs.


I was unable to get Kaspersky to run. It kept telling me that I needed Java 1.5 or later. When I go to the Java page, it says that I am updated to the most current version.
I need to see this scan result. You have Java version C:\Program Files\Java\jre1.6.0_07\
so continue to try to run it; make sure you are using Internet Explorer.

How is the computer running? Evidence of malware?

lizardlize
2008-09-30, 21:20
I have tried and tried to get past that screen, but it will not let me because it does not think I have Java installed.
"You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0."

Is there something else I can try?

pskelley
2008-10-01, 00:34
How is the computer running? Evidence of malware?

Please provide the information I request.

Please make sure you have no old version of combofix on the computer, then do this:

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

lizardlize
2008-10-01, 08:58
The computer is running fast; however, I still have some issues with downloading things or getting them to work, like Kaspersky. Here are the logs.

ComboFix 08-09-30.03 - Owner 2008-09-30 22:37:43.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-09-29 22:01 . 2008-09-29 22:01 <DIR> d-------- C:\fsaua.data
2008-09-28 14:52 . 2008-09-28 14:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-28 14:51 . 2004-08-19 18:37 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-09-28 14:51 . 2004-08-19 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-09-28 14:51 . 2004-08-19 18:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-09-28 14:51 . 2004-08-19 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-09-28 14:51 . 2008-09-28 14:51 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-28 12:26 . 2008-09-28 12:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-28 12:26 . 2008-09-28 12:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-09-28 12:26 . 2008-09-28 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-28 12:26 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-28 12:26 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-26 17:58 . 2008-09-27 10:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-26 10:28 . 2008-09-27 08:57 427 --a------ C:\WINDOWS\wininit.ini
2008-09-26 07:19 . 2008-09-26 07:19 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-25 13:46 . 2007-08-13 18:45 78,336 --a--c--- C:\WINDOWS\system32\dllcache\ieencode.dll
2008-09-25 13:00 . 2008-09-25 13:00 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-09-23 21:27 . 2008-09-23 21:27 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Avanquest
2008-09-23 21:26 . 2008-09-23 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-23 21:21 . 2008-09-23 21:21 <DIR> dr-hs---- C:\_Backup.RC
2008-09-23 21:21 . 2008-09-24 00:20 <DIR> d--h----- C:\_Backup
2008-09-23 21:19 . 2008-09-23 21:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Avanquest
2008-09-23 21:14 . 2008-09-23 21:14 <DIR> d-------- C:\Program Files\Avanquest
2008-09-23 21:10 . 2008-09-23 21:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 15:23 --------- d-----w C:\Program Files\Java
2008-09-28 17:53 --------- d-----w C:\Program Files\Zinio
2008-09-28 17:53 --------- d-----w C:\Program Files\QuickTime
2008-09-28 17:53 --------- d-----w C:\Program Files\iTunes
2008-09-28 17:53 --------- d-----w C:\Program Files\Digital Media Reader
2008-09-27 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-09-27 01:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-26 16:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-25 22:30 --------- d-----w C:\Program Files\xxx.xxx
2008-09-25 19:47 --------- d-----w C:\Program Files\Opera
2008-09-24 02:55 --------- d-----w C:\Program Files\Symantec
2008-09-24 02:28 --------- d-----w C:\Program Files\Photo Manager
2008-09-24 02:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-22 00:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-08-24 16:43 --------- d-----w C:\Program Files\Sun
2008-08-22 18:00 29,600 ----a-w C:\windows\system32\mxntdfg.exe
2008-08-06 00:55 265,720 ----a-w C:\windows\system32\msdbg2.dll
2008-07-19 05:10 94,920 ----a-w C:\windows\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\windows\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\windows\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\windows\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\windows\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\windows\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\windows\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\windows\system32\wuaueng.dll
2008-07-09 00:10 129,784 ----a-w C:\windows\system32\pxafs.dll
2008-07-09 00:09 118,520 ----a-w C:\windows\system32\pxinsi64.exe
2008-07-09 00:09 116,472 ----a-w C:\windows\system32\pxcpyi64.exe
2008-07-07 20:32 253,952 ----a-w C:\windows\system32\es.dll
2008-03-26 15:20 228,336 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2008-03-09 01:48 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2005-12-18 18:20 0 -c--a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2002-07-26 22:02 153,088 -c--a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\windows\system32\dumprep 0 -u" [X]
"HostManager"="C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe" [2006-09-25 50736]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"LVCOMSX"="C:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"VirusScannerPro"="C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe" [2008-08-26 173312]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-10-02 67488]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kpselq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\windows\system32\DRIVERS\lstone2k.sys [2002-12-10 11:20]
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOCUME~1\Owner\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
R3 I97DRIVER;I97DRIVER;C:\PROGRA~1\AVANQU~1\Fix-It\dgs.sys [2007-08-31 11:18]
S1 MemAlloc;MemAlloc;C:\windows\system32\DRIVERS\memalloc.sys [2002-08-26 04:51]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 14:46]
S2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 09:20]
S3 MailScan;MailScan;C:\PROGRA~1\AVANQU~1\Fix-It\MailScan.sys [2008-08-26 14:14]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17147075-1ead-11d9-bea6-806d6172696f}]
\Shell\AutoRun\command - F:\cdplayer.exe

*Newly Created Service* - MAILSCAN
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 22:41:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-09-30 22:47:21
ComboFix-quarantined-files.txt 2008-10-01 05:46:14
ComboFix2.txt 2008-09-28 19:18:01

Pre-Run: 117,091,368,960 bytes free
Post-Run: 117,225,185,280 bytes free

131 --- E O F --- 2008-09-29 07:31:42


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:52 PM, on 9/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\windows\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\wuauclt.exe
C:\windows\explorer.exe
C:\windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191778237\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1222788107829&h=08a4c3ca0e7ab96e05278cf89b88294c/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: kpselq.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7714 bytes

pskelley
2008-10-01, 13:03
Thanks for the feedback, let's do this:

Open notepad and copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This may start ComboFix again. I do not need the log from CFScript; we are removing a registry leftover only.

This is next:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove ComboFix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with ComboFix, click NO.

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif


http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

You said:

however still have some issues with downloading things or getting them to work like kasperkey.
This is not a malware problem; we will finish soon, and I will post links to a couple of good free forums where you can get help with Windows XP issues.

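An added example, not part of the thread or of any tool it mentions: a small Python triage pass over HijackThis-format lines that flags the kinds of entries acted on above (a non-empty O20 AppInit_DLLs value, entries whose target file is missing, and O4 autoruns given as a bare file name). The sample lines are constructed to mirror the posted log.

```python
import re

# Constructed sample in the shape of a HijackThis v2.0.2 log. The entries mirror
# the log posted in this thread (kpselq.dll is the AppInit DLL it reports); only
# the selection of lines is constructed.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs: kpselq.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

# A target counts as absolute when it starts with a drive letter or an
# environment variable such as %systemroot% (an optional leading quote is allowed).
ABSOLUTE_TARGET = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%)')


def triage_hjt(log_text):
    """Flag HijackThis lines worth a second look; returns (section, reason, line) tuples.

    Three checks, all drawn from what the helper acted on in this thread:
    - any entry whose target no longer exists ("(no file)" / "(file missing)"),
      a leftover of the kind the CFScript above clears from the registry;
    - a non-empty O20 AppInit_DLLs value, which Windows loads into every process
      that maps user32.dll, so an unknown DLL there deserves attention;
    - an O4 autorun given as a bare file name, resolved through the search path
      rather than an absolute location, so its origin must be confirmed by hand.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if "(no file)" in line or "(file missing)" in line:
            findings.append((section, "target file is missing (stale entry)", line))
        elif section == "O20" and "AppInit_DLLs:" in line:
            dlls = line.split("AppInit_DLLs:", 1)[1].strip()
            if dlls:
                findings.append((section, "AppInit_DLLs is set: " + dlls, line))
        elif section == "O4":
            match = re.search(r"\]\s+(.*)$", line)   # text after the [name] tag
            target = match.group(1).strip() if match else ""
            if target and not ABSOLUTE_TARGET.match(target):
                findings.append((section, "autorun uses a bare file name: " + target, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```
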
lizardlize
2008-10-01, 19:14
I'm not sure I need that; I have my Gateway restore DVD. This contains the RC, shouldn't it? It says applications, drivers and operating system. If you think it does not contain it, then let me know and I will install.

lizardlize
2008-10-01, 20:23
I just realized I have already done this step a few days ago; I installed it using ComboFix.

pskelley
2008-10-01, 21:05
It is up to you, but OEM restore disks usually do not. If you do not wish to install Recovery Console, then let's finish like this.

Remove combofix from the computer like this:


Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

lizardlize
2008-10-01, 23:47
Thank you again for your help. I just wanted to tell you that last night I ran an F-Secure scan because I could not get Kaspersky to work. Anyway, I used Internet Explorer. It took about 6 hrs, and right before it ended it stopped scanning and said something about Internet Explorer having encountered an error. It showed that I had 1300 viruses and 12 spyware and skipped 65. Is that an issue I should be aware of or not?

pskelley
2008-10-02, 00:26
If F-Secure is showing that many viruses, then you likely have a file infector, which is what I was trying to find out by running the Kaspersky Online Scan. I suggest you reformat the computer and be done with it.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

lizardlize
2008-10-02, 00:40
That sucks! I need to back up stuff; how can I be sure that the files I back up won't infect me once the computer is reformatted?

pskelley
2008-10-02, 02:04
I suggest you read the links I posted; that is the information I have available. You may certainly google for additional information. I would say you are beyond the point where you can think about backing up files with that many (as F-Secure reports) infected.