Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:30 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\baloon.exe] C:\WINDOWS\system32\baloon.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [WiniGuard] C:\Program Files\WiniGuard Software\WiniGuard\WiniGuard.exe -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS4\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O20 - AppInit_DLLs: karna.dat kldkih.dll zfldaw.dll atiylz.dll bnjabd.dll umivwb.dll vkkoqy.dll kbzpwf.dll iifrgt.dll rvhypi.dll nmghjx.dll tehncq.dll kznory.dll tssxan.dll mwjjaj.dll lbwcwl.dll ionhob.dll knpcdg.dll mlhmft.dll opwmqj.dll qvnqat.dll fcsqcv.dll irblmf.dll whfuil.dll wdmiwl.dll vpijjb.dll xcujfl.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6128 bytes

Any help would be greatly appreciated.

Thank you.

Finally figured out how to shut off Teatimer. Here is the new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:08 PM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\baloon.exe] C:\WINDOWS\system32\baloon.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe
O4 - HKLM\..\Run: [WiniGuard] C:\Program Files\WiniGuard Software\WiniGuard\WiniGuard.exe -min
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKUS\S-1-5-21-725345543-1202660629-1801674531-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-725345543-1202660629-1801674531-1003\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-725345543-1202660629-1801674531-1003\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe (User '?')
O4 - S-1-5-21-725345543-1202660629-1801674531-1003 Startup: PowerReg Scheduler.exe (User '?')
O4 - S-1-5-21-725345543-1202660629-1801674531-1003 Startup: Xfire.lnk.disabled (User '?')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O17 - HKLM\System\CS4\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190
O20 - AppInit_DLLs: karna.dat kldkih.dll zfldaw.dll atiylz.dll bnjabd.dll umivwb.dll vkkoqy.dll kbzpwf.dll iifrgt.dll rvhypi.dll nmghjx.dll tehncq.dll kznory.dll tssxan.dll mwjjaj.dll lbwcwl.dll ionhob.dll knpcdg.dll mlhmft.dll opwmqj.dll qvnqat.dll fcsqcv.dll irblmf.dll whfuil.dll wdmiwl.dll vpijjb.dll xcujfl.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6725 bytes


I could not figure out how to turn off teatimer due to being unable to access Spybot. Everytime i tried to access Spybot I recieved a message stating invaild floating point operation. I finally thought to use the task manager.

hi,

we will get a download to use: Please keep tea timer disabled until we are done. This is how Tea Timer should be disabled:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

---------------------------------
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply
----------------------------------
after you use MBAM:

start HJT, click the "Scan" button. check the items below,(if present) close any open windows, then click "Fixed checked"

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b

O4 - HKLM\..\Run: [C:\WINDOWS\system32\baloon.exe] C:\WINDOWS\system32\baloon.exe

O4 - HKLM\..\Run: [C:\WINDOWS\system32\cfrog.exe] C:\WINDOWS\system32\cfrog.exe

O4 - HKLM\..\Run: [WiniGuard] C:\Program Files\WiniGuard Software\WiniGuard\WiniGuard.exe -min

O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe

O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O17 - HKLM\System\CCS\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190

O17 - HKLM\System\CS1\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190

O17 - HKLM\System\CS2\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190

O17 - HKLM\System\CS4\Services\Tcpip\..\{69A8A868-F0A6-4DFF-A194-CECE47D259B3}: NameServer = 85.255.112.156;85.255.112.190

O20 - AppInit_DLLs: karna.dat kldkih.dll zfldaw.dll atiylz.dll bnjabd.dll umivwb.dll vkkoqy.dll kbzpwf.dll iifrgt.dll rvhypi.dll nmghjx.dll tehncq.dll kznory.dll tssxan.dll mwjjaj.dll lbwcwl.dll ionhob.dll knpcdg.dll mlhmft.dll opwmqj.dll qvnqat.dll fcsqcv.dll irblmf.dll whfuil.dll wdmiwl.dll vpijjb.dll xcujfl.dll

after you use hjt: reboot computer, then rescan and post a new hjt log.

I know how I would normally disable Teatimer. As I stated before I Can Not do anything in SpyBot with out thousands of annoying popups bos stating Floating point error. Now will it be an issue just turning Teatimer off via the Task manager cause thats the only way at the moment i can turn it off.

One more thing your link does not work. I don:t know why but it does not work for me. I cant open it by clicking typing or copy and pasting.

hi,

ok we will try another download to use. Its called combofix. you need to read through this guide first which will explain everything. You can install the recovery console manually or combofix can do it for you after its started.
Disable tea timer and your anti-virus and any other anti-malware apps you have before using combofix. If you can get to the link post back.

guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link works. File downloaded. I am about to install, and run. Will post report after run is complete.

And here is the report.

ComboFix 09-01-19.03 - Owner 2009-01-19 17:02:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1595 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\otufowe.dat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ruqy.dl
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\sofinab.vbs
C:\resycled
c:\windows\system32\acopiw.dll
c:\windows\system32\agunbdnx.ini
c:\windows\system32\ahtn.htm
c:\windows\system32\ayhtuuen.ini
c:\windows\system32\bchnklvg.dll
c:\windows\system32\bglmychr.ini
c:\windows\system32\bjneryhr.ini
c:\windows\system32\bmqhxdco.ini
c:\windows\system32\chkopiaw.dll
c:\windows\system32\coqiqsfq.ini
c:\windows\system32\dfihgfii.ini
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekasvltpvjt.sys
c:\windows\system32\efcCsqpo.dll
c:\windows\system32\enfajbaa.dll
c:\windows\system32\eopatwri.dll
c:\windows\system32\eusbahbs.ini
c:\windows\system32\fhynhhak.ini
c:\windows\system32\fpbflayl.ini
c:\windows\system32\frmwrk32.exe
c:\windows\system32\fsiwqpxo.dll
c:\windows\system32\fvvxxhfe.ini
c:\windows\system32\gcwvuotx.ini
c:\windows\system32\gfjtxvoj.dll
c:\windows\system32\ghcxgabm.ini
c:\windows\system32\gtxknsow.ini
c:\windows\system32\gvghfqww.dll
c:\windows\system32\hbhdsaeo.ini
c:\windows\system32\hrhhvpti.ini
c:\windows\system32\hsjdvqrv.dll
c:\windows\system32\hyehmv.dll
c:\windows\system32\ickangec.dll
c:\windows\system32\iffafkxu.dll
c:\windows\system32\ijslenpv.ini
c:\windows\system32\irwtapoe.ini
c:\windows\system32\jhcusa.dll
c:\windows\system32\jhxyvqpm.ini
c:\windows\system32\jufagjtx.dll
c:\windows\system32\kfextrfh.dll
c:\windows\system32\kgwpqfqs.ini
c:\windows\system32\khpwel.dll
c:\windows\system32\luxjibvg.ini
c:\windows\system32\lyalfbpf.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mdyyjnmu.dll
c:\windows\system32\mfgnfmsr.dll
c:\windows\system32\mhcmbv.dll
c:\windows\system32\mphxmbdc.ini
c:\windows\system32\nglynhub.ini
c:\windows\system32\nlknyksu.ini
c:\windows\system32\nnkqjveg.ini
c:\windows\system32\ntdll64.exe
c:\windows\system32\pcvjuh.dll
c:\windows\system32\pfgvneac.ini
c:\windows\system32\pmnnMgEv.dll
c:\windows\system32\rkxktk.dll
c:\windows\system32\rmdgcjkx.ini
c:\windows\system32\rohnplcv.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaeiqkokoa.dll
c:\windows\system32\senekaexubfpcb.dat
c:\windows\system32\senekafcpqnoba.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekamdxsaqll.dll
c:\windows\system32\slhvrfue.ini
c:\windows\system32\svbvym.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\test.ttt
c:\windows\system32\tiehegcq.dll
c:\windows\system32\uglfnajy.ini
c:\windows\system32\ukkrrgdg.ini
c:\windows\system32\uniq.tll
c:\windows\system32\uohdyfde.ini
c:\windows\system32\vclpnhor.ini
c:\windows\system32\vdaopmur.ini
c:\windows\system32\vdaymtgk.ini
c:\windows\system32\vEgMnnmp.ini
c:\windows\system32\vEgMnnmp.ini2
c:\windows\system32\vpnelsji.dll
c:\windows\system32\vrqvdjsh.ini
c:\windows\system32\waipokhc.ini
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wtgirusm.ini
c:\windows\system32\wwqfhgvg.ini
c:\windows\system32\xatvvgud.ini
c:\windows\system32\xcujfl.dll
c:\windows\system32\xdgpkg.dll
c:\windows\system32\xhlhuttx.ini
c:\windows\system32\xianpz.dll
c:\windows\system32\xilflygu.ini
c:\windows\system32\xkeyftdi.ini
c:\windows\system32\xtouvwcg.dll
c:\windows\system32\xttuhlhx.dll
c:\windows\system32\ysdscheo.ini
c:\windows\system32\yxuicjux.ini
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-16 06:48 . 2009-01-16 06:48 133,120 --a------ c:\windows\odamukimu.dll
2009-01-16 06:36 . 2009-01-16 06:36 41,984 --a------ c:\windows\system32\chert5-998.exe
2009-01-16 06:36 . 2009-01-16 06:36 41,984 --a------ c:\windows\Brenamukohiyima.dll
2009-01-15 18:27 . 2009-01-15 18:27 40,960 --a------ c:\windows\system32\moidwkcw.dll
2009-01-14 18:23 . 2009-01-14 18:23 0 --a------ C:\xf4.tmp
2009-01-13 05:18 . 2009-01-13 05:18 31,232 --a------ c:\windows\system32\pcload.exe
2009-01-12 12:32 . 2009-01-12 12:32 279,712 --a------ c:\windows\system32\drivers\atksgt.sys
2009-01-12 12:32 . 2009-01-12 12:32 25,888 --a------ c:\windows\system32\drivers\lirsgt.sys
2009-01-12 12:22 . 2009-01-12 12:22 <DIR> d-------- c:\program files\Deep Silver
2009-01-12 07:48 . 2009-01-12 07:48 2,915,944 --a------ c:\windows\system32\drivers\appdrv01.sys
2009-01-12 07:48 . 2009-01-12 07:48 304,528 --a------ c:\windows\system32\appdrvrem01.exe
2009-01-10 16:01 . 2009-01-10 16:01 <DIR> d-------- c:\program files\directx
2009-01-10 15:59 . 2009-01-10 15:59 <DIR> d-------- c:\program files\14 Degrees East
2009-01-10 15:38 . 2009-01-10 17:15 914 --a------ c:\windows\_delis32.ini
2009-01-10 13:55 . 2009-01-10 13:55 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-10 13:28 . 2009-01-10 13:28 <DIR> d-------- c:\program files\GameSpy Arcade
2009-01-08 04:27 . 2009-01-08 04:27 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2009-01-07 11:08 . 2009-01-07 11:08 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 18:53 . 2009-01-12 01:16 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-28 14:25 . 2008-12-28 14:25 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Xfire
2008-12-24 21:58 . 2008-12-24 21:58 <DIR> d-------- c:\program files\WebEx
2008-12-24 21:56 . 2008-12-24 21:56 <DIR> d-------- c:\program files\Common Files\Pure Networks Shared
2008-12-24 21:56 . 2008-05-16 06:10 25,272 --a------ c:\windows\system32\drivers\purendis.sys
2008-12-24 21:56 . 2008-05-16 06:10 23,992 --a------ c:\windows\system32\drivers\pnarp.sys
2008-12-24 21:55 . 2008-12-24 21:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Pure Networks
2008-12-24 21:47 . 2009-01-07 04:05 526 --a------ c:\windows\wininit.ini
2008-12-23 22:17 . 2008-12-23 22:17 0 --a------ c:\windows\iPlayer.INI
2008-12-23 22:15 . 2008-12-23 22:15 <DIR> d-------- c:\program files\InterActual
2008-12-19 23:45 . 2009-01-14 18:22 107,888 --a------ c:\windows\system32\CmdLineExt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 23:23 --------- d-----w c:\documents and settings\Owner\Application Data\Xfire
2009-01-13 18:48 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2009-01-13 02:48 --------- d-----w c:\documents and settings\Owner\Application Data\DNA
2009-01-13 02:38 --------- d-----w c:\program files\Steam
2009-01-13 02:38 --------- d-----w c:\program files\DNA
2009-01-08 03:51 --------- d-s---w c:\program files\Xfire
2008-12-25 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Linksys
2008-12-25 02:54 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-25 02:52 --------- d-----w c:\program files\Linksys
2008-12-24 03:17 --------- d-----w c:\documents and settings\Owner\Application Data\dvdcss
2008-12-19 22:53 --------- d-----w c:\program files\rockstar games
2008-12-18 22:25 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-17 19:46 --------- d-----w c:\documents and settings\Owner\Application Data\QQ Games Plugin
2008-12-17 19:37 --------- d-----w c:\documents and settings\Owner\Application Data\acccore
2008-12-17 19:35 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-12-17 19:34 --------- d-----w c:\program files\Tencent
2008-12-17 19:34 --------- d-----w c:\program files\AIM6
2008-12-17 19:34 --------- d-----w c:\documents and settings\Owner\Application Data\Tencent
2008-12-17 19:34 --------- d-----w c:\documents and settings\Owner\Application Data\QQ Games
2008-12-17 19:32 --------- d-----w c:\program files\Viewpoint
2008-12-17 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-17 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-17 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-17 19:31 --------- d-----w c:\program files\Common Files\AOL
2008-12-17 19:31 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-16 22:20 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-16 22:19 --------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-12-16 16:30 --------- d-----w c:\program files\Yahoo!
2008-12-16 16:30 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-16 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-16 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-12-16 04:33 --------- d-----w c:\program files\DivX
2008-12-16 04:32 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2008-12-16 03:14 52,736 ----a-w c:\windows\ipuninst.exe
2008-12-15 19:45 --------- d-----w c:\program files\agth
2008-12-15 19:16 --------- d-----w c:\program files\Pajamas
2008-12-15 02:57 --------- d-----w c:\program files\InstallShield 11
2008-12-15 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2008-12-15 02:53 --------- d-----w c:\program files\Common Files\Merge Modules
2008-12-15 02:53 --------- d-----w c:\program files\Common Files\InstallShield Shared
2008-12-14 23:45 --------- d-----w c:\program files\Interplay
2008-12-14 21:16 --------- d-----w c:\program files\BlackIsle
2008-12-12 17:45 --------- d-----w c:\program files\Java
2008-12-09 18:58 --------- d-----w c:\documents and settings\Owner\Application Data\OpenOffice.org
2008-12-09 18:54 --------- d-----w c:\program files\OpenOffice.org 3
2008-12-09 18:54 --------- d-----w c:\program files\JRE
2008-12-09 18:39 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-06 23:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-03 22:58 27,904 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-12-02 01:03 --------- d-----w c:\program files\TRABULANCE
2008-12-01 05:16 --------- d-----w c:\program files\Yin-Yang
2008-11-30 23:29 --------- d-----w c:\program files\MindGene
2008-11-30 16:38 --------- d-----w c:\program files\ZyX
2008-11-30 16:33 --------- d-----w c:\program files\ANGELSMILE
2008-11-30 16:31 --------- d-----w c:\program files\Will
2008-11-30 16:25 --------- d-----w c:\program files\DO
2008-11-30 00:57 --------- d-----w c:\program files\Amorous Professor Cherry
2008-11-29 00:46 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2008-11-27 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\NexonUS
2008-11-26 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-11-26 00:14 --------- d-----w c:\program files\Microsoft Games
2008-11-21 21:47 9,464 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2008-11-21 21:47 9,336 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2008-11-21 21:47 43,528 ----a-w c:\windows\system32\drivers\PxHelp20.sys
2008-11-19 03:44 --------- d-----w c:\program files\PowerISO
2008-10-31 00:05 18,022 ----a-w c:\documents and settings\Owner\Application Data\hutazowuca.bin
2008-10-31 00:05 16,911 ----a-w c:\program files\Common Files\mifehifu.dl
2008-10-31 00:05 15,747 ----a-w c:\program files\Common Files\xohipexizy.ban
2008-10-31 00:05 15,542 ----a-w c:\documents and settings\Owner\Application Data\ozajoviq.dll
2008-10-31 00:05 15,343 ----a-w c:\documents and settings\All Users\Application Data\agezezalic.exe
2008-10-31 00:05 14,472 ----a-w c:\documents and settings\All Users\Application Data\ihojuren.bat
2008-10-31 00:05 13,245 ----a-w c:\windows\jujazyfo.bat
2008-10-31 00:05 13,162 ----a-w c:\documents and settings\Owner\Application Data\fyryq.bat
2008-10-31 00:05 12,079 ----a-w c:\windows\opihanon.exe
2008-10-31 00:05 11,081 ----a-w c:\program files\Common Files\gived.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-10-14 863688]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-10-14 863688]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2004-05-20 90224]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Xjaniw"="c:\windows\odamukimu.dll" [2009-01-16 133120]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 c:\windows\SkyTel.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-12-10 256000]
Xfire.lnk.disabled [2008-12-26 650]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\program files\Steam\Steam.exe" -silent
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"ares"=c:\program files\Ares Ultra\Ares Ultra.exe -h
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"58d27dcb"=rundll32.exe "c:\windows\system32\xndbnuga.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Ares Ultra\\Ares Ultra.exe"=
"c:\\Program Files\\Turbine\\Dungeons & Dragons Online - Stormreach\\dndclient.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\rockstar games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\xrEngine.exe"=
"c:\\Program Files\\Deep Silver\\S.T.A.L.K.E.R. - Clear Sky\\bin\\dedicated\\xrEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2009-01-12 2915944]
R4 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-17 24652]
S3 naecd;naecd;\??\c:\docume~1\Owner\LOCALS~1\Temp\naecd.sys --> c:\docume~1\Owner\LOCALS~1\Temp\naecd.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-12-03 27904]
S4 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S4 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
BHO-{1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
BHO-{1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)
BHO-{2230D878-9489-4D30-8F67-663575F87E3B} - (no file)
BHO-{2838B912-1276-4D6E-8AC0-952F52E80EC4} - (no file)
BHO-{2B44BA60-C2B3-410E-9050-6B7EDD2C8EBB} - (no file)
BHO-{366C88DC-5679-4ACF-999D-7EB543472B0A} - c:\windows\system32\pmnnMgEv.dll
BHO-{45DE8515-C8BE-42BE-A58A-D93A32BED1EB} - (no file)
BHO-{5737A3AA-BB3A-4502-ACED-AF39E324EC1D} - (no file)
BHO-{5CBD930F-D300-445C-B521-CB0F3C4AD889} - (no file)
BHO-{604F6BB4-546B-4BD6-B9B2-75CA292E5C47} - c:\windows\system32\iifghifd.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\efcCsqpo.dll
BHO-{784DB16F-F9A0-4360-AFA3-07359F24D9CA} - (no file)
BHO-{7BD77EEF-4AE5-4D36-A777-B2D6920293D7} - (no file)
BHO-{7FBAE3B9-98CC-4D02-B562-6EB45D154337} - (no file)
BHO-{81706E4D-1CA2-4703-AC71-66E25A48791D} - (no file)
BHO-{84CCBB3F-45A0-4D0A-8432-D9F8D7735B90} - (no file)
BHO-{870f409d-7f36-46fc-a095-8eab240d31ac} - c:\windows\system32\svbvym.dll
BHO-{9F04FCB5-6F23-4737-A4DC-BDA7AFD8B0FF} - (no file)
BHO-{A07B5C99-8B1C-4388-8BB6-6DEAEEA0B35E} - (no file)
BHO-{A4D4BACD-2EFE-465E-8FBD-09DCAF8EB2FE} - (no file)
BHO-{D083534D-4E28-402D-946E-FB8E87961884} - (no file)
BHO-{D69E913D-7A6C-43EB-B025-121C2A1538A6} - (no file)
BHO-{DCFD8053-1C75-427A-94B5-72593C16FA50} - (no file)
BHO-{ED9A5EEC-BED5-4E54-A183-C87848F91CDA} - (no file)
BHO-{F3982346-B138-4D68-92DE-B722A24356F7} - (no file)
BHO-{FA7A0F3A-EE35-485E-906D-230588C6FB03} - (no file)
HKCU-Run-Google Update - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
HKLM-Run-c:\windows\system32\baloon.exe - c:\windows\system32\baloon.exe
HKLM-Run-c:\windows\system32\cfrog.exe - c:\windows\system32\cfrog.exe
HKLM-Run-WiniGuard - c:\program files\WiniGuard Software\WiniGuard\WiniGuard.exe
HKLM-Run-58d27dcb - c:\windows\system32\xndbnuga.dll
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\efcCsqpo.dll
Notify-pmnLDtQK - pmnLDtQK.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
LSP: c:\windows\TEMP\ntdll64.dll
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ed8gp943.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 17:11:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\win32hlp.cnf 503 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b6,0b,b1,bb,5a,16,31,e9,3a,3b,04,0e,45,79,bf,34,92,1b,70,8d,a1,fd,9d,
06,b0,0b,01,1a,8c,86,1b,6b,8c,ce,56,7f,50,41,ff,97,fd,f3,76,8a,b5,e4,a4,cb,\
"??"=hex:f2,82,ba,8a,20,01,60,69,4c,5c,f6,f8,f5,a4,95,f5

[HKEY_USERS\S-1-5-21-725345543-1202660629-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:19,68,f5,cb,70,b8,38,e5,af,82,7a,6a,54,ed,7e,c6,d7,c1,0d,16,10,
2d,44,55,bd,a8,9f,cd,53,c2,86,06,d5,cd,e2,78,e9,64,2a,f1,f6,31,1b,4c,58,5f,\
"rkeysecu"=hex:05,3b,f3,f1,f9,87,dd,08,71,29,16,40,5f,df,b4,67
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
.
**************************************************************************
.
Completion time: 2009-01-19 17:15:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 22:15:27

Pre-Run: 46,265,622,528 bytes free
Post-Run: 46,178,959,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
420 --- E O F --- 2008-11-13 05:47:21

Oh spybot is back to normal and seems my Virus software is also. The real time scan on it is picking up new viruses.

I'm happily awaiting your next order.

hi,

ok we will get another download to use. MBAM. Link should work ok now. Is your antivirus up to date?

MBAM:
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply. After you use MBAM rescan and post a new hjt log.

Ok scan in progress. Something intresting though I just found out. I can not update Spybot, Symantic, nor Malwarbytes. Also when ever i try to do anything security related such as click on spybot, symantic, or install somthing i get a virus alert from symantic called Trojan.Fakealert. Located C:\windows\Temp\ntdll64.dll. That is a new on that i have never seen before. Just thought i should let you know.

scan complete. Here is the log
New log after system reboot.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/19/2009 10:33:42 PM
mbam-log-2009-01-19 (22-33-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202256
Time elapsed: 1 hour(s), 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xjaniw (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{69a8a868-f0a6-4dff-a194-cece47d259b3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.156;85.255.112.190 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\chkopiaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekamdxsaqll.dll.vir (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcCsqpo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gfjtxvoj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kfextrfh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcvjuh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnnMgEv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xcujfl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekasvltpvjt.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP53\A0004813.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP54\A0004988.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP55\A0006046.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021008.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021045.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021057.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021059.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021078.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0020992.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{98AB4CD7-6F8A-4E8C-BF4A-1E61E6FC5054}\RP163\A0021151.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ffkuz.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\odamukimu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\ozajoviq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

New HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:07 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
O2 - BHO: (no name) - {1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
O2 - BHO: (no name) - {1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)
O2 - BHO: (no name) - {2230D878-9489-4D30-8F67-663575F87E3B} - (no file)
O2 - BHO: (no name) - {2838B912-1276-4D6E-8AC0-952F52E80EC4} - (no file)
O2 - BHO: (no name) - {2B44BA60-C2B3-410E-9050-6B7EDD2C8EBB} - (no file)
O2 - BHO: (no name) - {45DE8515-C8BE-42BE-A58A-D93A32BED1EB} - (no file)
O2 - BHO: (no name) - {5737A3AA-BB3A-4502-ACED-AF39E324EC1D} - (no file)
O2 - BHO: (no name) - {5CBD930F-D300-445C-B521-CB0F3C4AD889} - (no file)
O2 - BHO: (no name) - {604F6BB4-546B-4BD6-B9B2-75CA292E5C47} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {784DB16F-F9A0-4360-AFA3-07359F24D9CA} - (no file)
O2 - BHO: (no name) - {7BD77EEF-4AE5-4D36-A777-B2D6920293D7} - (no file)
O2 - BHO: (no name) - {7FBAE3B9-98CC-4D02-B562-6EB45D154337} - (no file)
O2 - BHO: (no name) - {81706E4D-1CA2-4703-AC71-66E25A48791D} - (no file)
O2 - BHO: (no name) - {84CCBB3F-45A0-4D0A-8432-D9F8D7735B90} - (no file)
O2 - BHO: (no name) - {9F04FCB5-6F23-4737-A4DC-BDA7AFD8B0FF} - (no file)
O2 - BHO: (no name) - {A07B5C99-8B1C-4388-8BB6-6DEAEEA0B35E} - (no file)
O2 - BHO: (no name) - {A4D4BACD-2EFE-465E-8FBD-09DCAF8EB2FE} - (no file)
O2 - BHO: (no name) - {D083534D-4E28-402D-946E-FB8E87961884} - (no file)
O2 - BHO: (no name) - {D69E913D-7A6C-43EB-B025-121C2A1538A6} - (no file)
O2 - BHO: (no name) - {DCFD8053-1C75-427A-94B5-72593C16FA50} - (no file)
O2 - BHO: (no name) - {ED9A5EEC-BED5-4E54-A183-C87848F91CDA} - (no file)
O2 - BHO: (no name) - {F3982346-B138-4D68-92DE-B722A24356F7} - (no file)
O2 - BHO: (no name) - {FA7A0F3A-EE35-485E-906D-230588C6FB03} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: pmnLDtQK - C:\WINDOWS\
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7337 bytes

hi,

ok good. we will use hjt now: but first disable spybots tea timer so it wont go nuts:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
-----------------------------------

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

*select all that say (no file) on the end:*

O2 - BHO: (no name) - {062990B9-6E57-40D9-BE51-F0FCB2A190E0} - (no file)
O2 - BHO: (no name) - {1C428C8D-B7A6-4B4D-A43F-9D66D8442F23} - (no file)
O2 - BHO: (no name) - {1EDC07F9-DC25-4630-99C1-CA11CFB0D26D} - (no file)

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [58d27dcb] rundll32.exe "C:\WINDOWS\system32\xndbnuga.dll",b

O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: pmnLDtQK - C:\WINDOWS\

try to update MBAM and run it once more. Post the MBAM log and a new hjt log.

If you are familiar with your router then you should check its set up and make sure that its DNS Server is not in the form of 85.255.112.xyz

Ok all programs update now. Its going to take 30-45 minutes to conduct mbam scan. Should I have it fix what it finds. I want to know before i post logs.

hi,

yes have it fix what it finds.

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

1/20/2009 8:25:17 PM
mbam-log-2009-01-20 (20-25-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202438
Time elapsed: 1 hour(s), 6 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:32 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - c:\Program Files\Ares Ultra\chatServer.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4861 bytes

hi,

ok good. cruise around make sure the page re-directs are gone. Check your routers set-up to make sure its DNS server option dosnt show the ip range 85.255....( some trojans might change it, mainly if you are using the default password etc, which you shouldnt be)


c:\Program Files\Ares Ultra

This is not the official Ares p2p client. It is a ripped off clone. Hope you didnt pay money.

There is also much malware that is distributed via the networks.
take a look at this topic on my web page:
http://www.virusvault.us/p2p.html

No more pop ups or anything. I ran a scan with both Symantec and Spybot, no viruses found but i still have Virtumonde.Generic, and Virtumonde.prx. Also how do I check the router settings.

how do I check the router settings.

If the trojan had changed them you would still be getting page re-directs.

you would type in your browser:

http://192.168.1.1

to get to its interface, which is really just a web page.
take a look here also:
http://www.linksysbycisco.com/US/en/support#

read this also:
http://arstechnica.com/guides/tweaks/wireless-security.ars
http://www.practicallynetworked.com/support/wireless_secure.htm

Spybot is finding those?
post the lines from the spybot scan that show those
probably harmless registry leftovers.

Thank you shelf life. :)