Problem removing ldcore.dll

[adamczykon]

I would greatly appreciate any assistance with removing this annoying malware.

Here is my HJT Log (Kaspersky log to follow):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:19 AM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\windows\system32\ksdsrngo.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rwintldq.exe
C:\WINDOWS\SYSTEM32\??pPatch\s?ool32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\vvgeowbv.exe,C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\pmnlmnl.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {91DA894E-64D9-3C2B-892F-4FE6078408C6} - C:\WINDOWS\system32\xzfyh.dll
O2 - BHO: (no name) - {91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: aivskurq.msdn_hlp - {A6E432B4-D4C2-43B3-BF55-C364F8F7362A} - C:\WINDOWS\system32\aivskurq.dll (file missing)
O2 - BHO: (no name) - {A8FD2B6E-2560-44EA-938F-1AD41B931361} - C:\Program Files\microsoft frontpage\mexoca4444.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [{A4-40-01-12-ZN}] C:\windows\system32\ksdsrngo.exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\rwintldq.exe CHD001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\ksdsrngo.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\rwintldq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/online...inetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: pmnlmnl - pmnlmnl.dll (file missing)
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\wlsijpur.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 12233 bytes

[adamczykon]

Again, any assistance with cleaning this up would be greatly appreciated.

Here is my Kaspersky Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 8:03:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 455723
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 132120
Number of viruses found: 12
Number of infected objects: 54
Number of suspicious objects: 0
Duration of the scan process: 02:37:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\Steve\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\History\History.IE5\MSHist012007110920071110\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\CEMG555077.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\cmdinst.exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\install_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_d60.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\Perflib_Perfdata_f8c.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~DF146B.tmp Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Steve\Local Settings\Temp\~uga6psetup.exe Inno: infected - 4 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\5V5RMFNS\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\JM1HGTNV\k11u72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\OS37Q1G7\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\acdt-pid72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\X5JFTQVP\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\sep_WOO_SCH_MOTO315_black_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\Local Settings\Temporary Internet Files\Content.IE5\YQ8Y37AI\woo_july_U520_728x90[1].swf Object is locked skipped
C:\Documents and Settings\Steve\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Steve\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ASAP\ASAPBHO_log.html Object is locked skipped
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\access_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\error_log Object is locked skipped
C:\Program Files\HP Web Jetadmin\logs\ssl_request_log Object is locked skipped
C:\Program Files\microsoft frontpage\mexoca4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca555077.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\microsoft frontpage\mexoca83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Program Files\Temporary\wininstall.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112840.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112841.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112842.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112875.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112876.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112877.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112889.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112892.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112910.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112974.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112975.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112976.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112977.dll Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112978.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112979.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112980.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\A0112981.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP843\change.log Object is locked skipped
C:\Temp\ocli.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Temp\ocli.exe/data0003 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Temp\ocli.exe/data0004/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Temp\ocli.exe/data0005 Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Temp\ocli.exe NSIS: infected - 5 skipped
C:\WINDOWS\b122.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fkwggshm.exe Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\a1\rarndrll2.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\SYSTEM32\g2\caws83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\SYSTEM32\h1\wdb51en.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\ldcore.dll Object is locked skipped
C:\WINDOWS\SYSTEM32\Logfiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\Mz08r\Mz08r1099.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\r2\wr31drs.exe Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\winexy32.dll Object is locked skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\wbun.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[Mr_JAk3]

Hello and welcome to the Forums

You're quite infected...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

[adamczykon]

ComboFix 07-11-08.1 - Steve 2007-11-11 13:37:23.1 - NTFSx86
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\Steve\ResErrors.log
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Steve\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe
C:\WINDOWS\system32\xzfyh.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\asappsrv.dll
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\command.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbun.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core


((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 18:57 4 --a------ C:\WINDOWS\SYSTEM32\stfv.bin
2007-11-09 18:56 443,454 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak2
2007-11-09 05:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\acespy
2007-11-09 05:23 6,465 --ahs---- C:\WINDOWS\SYSTEM32\wybeg.bak1
2007-11-09 05:20 12 --a------ C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
2007-11-09 05:19 196,680 --a------ C:\WINDOWS\SYSTEM32\rwintldq.exe
2007-11-09 05:18 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SpyGuardPro
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-09 05:16 <DIR> d--hs---- C:\WINDOWS\U3RldmUgQWRhbWN6eWs
2007-11-08 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz08r
2007-11-08 13:18 <DIR> d-------- C:\Temp\mZOr
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-09 10:19 --------- d-----w C:\Program Files\microsoft frontpage
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
C:\WINDOWS\system32\pmnlmnl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]
C:\WINDOWS\system32\gebyw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
C:\WINDOWS\system32\aivskurq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]
2007-08-02 08:43 282624 --a------ C:\Program Files\microsoft frontpage\mexoca4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB6631"=command /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingD3992"=cmd /c del "C:\WINDOWS\settn.dll_tobedeleted"
"SpybotDeletingB3583"=command /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingD5923"=cmd /c del "C:\WINDOWS\kvnab.dll_tobedeleted"
"SpybotDeletingB4389"=command /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingD8871"=cmd /c del "C:\WINDOWS\SYSTEM32\wml.exe_tobedeleted"
"SpybotDeletingB155"=command /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingD1415"=cmd /c del "C:\WINDOWS\SYSTEM32\vxddsk.exe_tobedeleted"
"SpybotDeletingB8745"=command /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingD2410"=cmd /c del "C:\WINDOWS\flt.dll_tobedeleted"
"SpybotDeletingB5913"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingD1884"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.cache.dsk_tobedeleted"
"SpybotDeletingB3543"=command /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"
"SpybotDeletingD3584"=cmd /c del "C:\WINDOWS\SYSTEM32\drivers\core.sys_tobedeleted"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WINDOWS\system32\pmnlmnl.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe,C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]
pmnlmnl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]
winexy32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyw.dll

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 14:05:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 14:20:55 - machine was rebooted
.
--- E O F ---

[Mr_JAk3]

Hi.

You have this aceapy keylogger installed. I'll assume that you haven't installed it on purpose; One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this article too.


Backup Your Registry with ERUNT:

• Download erunt.zip to your Desktop from here:
  http://aumha.org/downloads/erunt.zip
• Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
• Inside the new folder, double-click ERUNT.exe to start the program
• OK all the prompts to back up your registry to the default location.

Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Open notepad and copy/paste the text in the quotebox below into it:

Code:

Folder::
C:\WINDOWS\SYSTEM32\acespy
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\SYSTEM32\Mz08r
C:\Temp\mZOr

File::
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\gebyw.dll
C:\Program Files\microsoft frontpage\mexoca4444.dll


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91F6BC8D-E607-4CDF-8C5E-3CC14FAABF97}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FD2B6E-2560-44EA-938F-1AD41B931361}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=-

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlmnl]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winexy32]

Save this as "CFScript"



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

[adamczykon]

I followed your instructions and came up with the following combofix file (new HJT file to follow):

ComboFix 07-11-08.1 - Steve 2007-11-14 18:12:15.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.768 [GMT -5:00]
Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Steve\Application Data\SpyGuardPro
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\avtasks.dat
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\av.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\ga6Support.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Steve\Application Data\SpyGuardPro\PGE.dat
C:\Program Files\microsoft frontpage\mexoca4444.dll
C:\Temp\mZOr
C:\WINDOWS\SYSTEM32\acespy
C:\WINDOWS\SYSTEM32\acespy\__acelog.ndx
C:\WINDOWS\SYSTEM32\acespy\systune.exe
C:\WINDOWS\SYSTEM32\dpqaqlqx.bin
C:\WINDOWS\SYSTEM32\Mz08r
C:\WINDOWS\SYSTEM32\rwintldq.exe
C:\WINDOWS\SYSTEM32\stfv.bin
C:\WINDOWS\SYSTEM32\wybeg.bak1
C:\WINDOWS\SYSTEM32\wybeg.bak2
C:\WINDOWS\U3RldmUgQWRhbWN6eWs
C:\WINDOWS\U3RldmUgQWRhbWN6eWs\oal5xAo0kql1vqhdyqP.vbs

.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-11 13:49 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\SUPERAntiSpyware.com
2007-11-11 13:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-11 13:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 20:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-11-09 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-09 19:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-09 19:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Viewpoint
2007-11-09 05:18 1,060,864 --a------ C:\WINDOWS\SYSTEM32\mfc71.dll
2007-11-09 05:18 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-11-08 13:18 <DIR> d-------- C:\Temp
2007-11-08 13:18 507,179 --a------ C:\Temp\ocli.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-14 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-11 18:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 00:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-10 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-10 00:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_14.07.26.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\11-14-2007\ERDNT.EXE
+ 2007-11-14 22:33:59 4,833,280 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000001\NTUSER.DAT
+ 2007-11-14 22:34:00 12,288 ----a-w C:\WINDOWS\erdnt\11-14-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\erdnt\2007-11-14\ERDNT.EXE
+ 2007-11-14 23:08:58 4,833,280 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000001\NTUSER.DAT
+ 2007-11-14 23:08:58 12,288 ----a-w C:\WINDOWS\erdnt\2007-11-14\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 02:01]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-22 18:59]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-03 12:00]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-11 11:55]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 04:00]
"eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 12:21]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-09 19:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASAPSvc.exe"="C:\Program Files\ASAP\ASAPSvc.exe" [2006-01-11 22:08]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-06-22 10:00:55]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-14 10:28:03]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-09-28 19:44:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= ???

R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe
R2 AsfAlrt;AsfAlrt;\??\C:\WINDOWS\System32\drivers\AsfAlrt.sys
R2 HPWebJetadmin;HP Web Jetadmin;"C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 18:15:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-14 18:16:34
C:\ComboFix2.txt ... 2007-11-11 18:41
C:\ComboFix3.txt ... 2007-11-11 14:20
.
--- E O F ---

[adamczykon]

And here's my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:58 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/online...inetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 8525 bytes

[Mr_JAk3]

Hi

We'll continue

You should print these instructions or save these to a text file. Follow these instructions carefully.

We'll do this again:

Backup Your Registry with ERUNT:

• Download erunt.zip to your Desktop from here:
  http://aumha.org/downloads/erunt.zip
• Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
• Inside the new folder, double-click ERUNT.exe to start the program
• OK all the prompts to back up your registry to the default location.

Note: to restore your registry, go to the backup folder and start ERDNT.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Make sure there are NO blank lines before Windows Registry Editor Version 5.00
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)


Run ATF Cleaner

• Under Main choose: Select All
  Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Restart your computer to the safe mode:

• Restart your computer
• Start tapping the F8 key when the computer restarts.
• When the start menu opens, choose Safe mode
• Press Enter. The computer then begins to start in Safe mode.

Run a scan with Dr.Web CureIt

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, you should now mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, look if you can click next icon next to the files found
• If so, click it and then click the next icon right below and select Move incurable
• After the scan, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot the computer in Normal Mode,
• Post the Cure-it report and a fresh HijackThis log

[adamczykon]

Here's the Drweb.csv file (HJT to follow).

NOTE: I am no longer able to use IE so I'm using Firefox to get to this forum (IE just opens and then immediately closes with no messages). Print spooler is also no longer running and I lost my installed printer.

04802078.FIL;C:\$VAULT$.AVG;Trojan.PurityAd.origin;Incurable.Moved.;
04804281.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04805750.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04823609.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
04826343.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
04826390.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04828937.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04830218.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04832812.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
04833015.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
04837843.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
04840031.FIL;C:\$VAULT$.AVG;Trojan.PWS.Gamania.origin;Incurable.Moved.;
04840156.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
04841078.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
05223171.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
33646828.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
33646984.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
33647062.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
33647109.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
33647187.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
33647234.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
33647328.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
33647406.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39813188.FIL;C:\$VAULT$.AVG;Trojan.Winpop.origin;Incurable.Moved.;
39815860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39817579.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39817626.FIL;C:\$VAULT$.AVG;Trojan.Click.4740;Deleted.;
39817688.FIL;C:\$VAULT$.AVG;Trojan.EzulaAd;Deleted.;
39820141.FIL\data001;C:\$VAULT$.AVG\39820141.FIL;Adware.MediaTicket.origin;;
39820141.FIL\data002;C:\$VAULT$.AVG\39820141.FIL;Trojan.PurityAd.origin;;
39820141.FIL;C:\$VAULT$.AVG;Archive contains infected objects;Moved.;
39820313.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.origin;Incurable.Moved.;
39822079.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.31817;Deleted.;
39824610.FIL;C:\$VAULT$.AVG;Trojan.Mezzia;Deleted.;
39827126.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.5013;Deleted.;
39828860.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.24715;Deleted.;
39828938.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36206;Deleted.;
mexoca555077.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca83122.dll;C:\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
mexoca4444.dll.vir;C:\qoobox\Quarantine\C\Program Files\microsoft frontpage;Adware.Ttc;Moved.;
rwintldq.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.Hotbot.origin;Moved.;
xzfyh.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ClickSpring.origin;Moved.;
asappsrv.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
command.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\U3RldmUgQWRhbWN6eWs;Trojan.Proxy.493;Deleted.;
A0112847.exe\data002;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842\A0112847.exe;Trojan.DownLoader.origin;;
A0112847.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Archive contains infected objects;Moved.;
A0112875.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112876.sys;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Program.Winfixer - read error;;
A0112887.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP842;Trojan.Fakealert.352;Deleted.;
A0113108.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845;Trojan.DnsChange;Deleted.;
A0113143.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Adware.ClickSpring.origin;Moved.;
A0113144.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113145.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847;Trojan.Proxy.493;Deleted.;
A0113314.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Ttc;Moved.;
A0113315.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP852;Adware.Hotbot.origin;Moved.;

[adamczykon]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:48, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ASAP\ASAPSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Steve\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ASAP Browser Helper Object - {9A2A2BF3-A049-407A-B548-4668E673DCF7} - C:\Program Files\ASAP\ASAPBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB001" /M "Stylus C88"
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ASAPSvc.exe] "C:\Program Files\ASAP\ASAPSvc.exe" (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-2558107475-2740083912-10409753-1005\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/online...inetesting.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152571135828
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)

--
End of file - 8358 bytes