
Thread: Virtumonde assistance request

  #1 Junior Member (Join Date: Feb 2008, Posts: 8)

    Virtumonde assistance request

    I have read and, I believe, completed the "Before you post" instructions. McAfee AV and Spybot were turned off before Kaspersky but were on during HJT. Prior to this process I have tried Spybot S&D and McAfee's recommended fix involving suspending the rundll, winlogon and explorer processes prior to the virus search. I've run Symantec's solution, Vundofix and Spyware Terminator (which I think deposited another Trojan). Here are the results as requested:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:44:08 AM, on 2/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    c:\program files\ge security supra\syncservice.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\dlbxcoms.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Replay AV 8\ReplayAV.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    c:\program files\common files\aol\1148374838\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1148374838\ee\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [74e2cb35] rundll32.exe "C:\WINDOWS\system32\wmlxpmha.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163714551406
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 11677 bytes

  #2 Junior Member (Join Date: Feb 2008, Posts: 8)

    Kaspersky results

    In order to fit the results into 2 posts, a large section of locked files (primarily images, Quicken files, personal journal files and album art) whose paths began with C:\found.00?\dir000?.chk\*, where the first 2 variables are [0...3], was removed, but it can be provided upon request.

    With that provision here are the Kaspersky results:

    Wednesday, February 20, 2008 1:54:25 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 20/02/2008
    Kaspersky Anti-Virus database records: 573463

    Scan Settings
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target: My Computer
    C:\
    D:\
    E:\

    Scan Statistics
    Total number of scanned objects: 201583
    Number of viruses found: 4
    Number of infected objects: 47
    Number of suspicious objects: 0
    Duration of the scan process: 02:43:32

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{FB40AC7A-E687-42C9-8413-D5EC478BF4FA}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR6.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\67f0ffea73270a45718f1e3e20cef644_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\76a8985d28cef607bd39f3d2990c76aa_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c180fb8b4d202ffaa08b6cd75a0e4a6e_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Application Data\ApplicationHistory\NotifyAlert.exe.83a8f8c0.ini.inuse Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temp\Perflib_Perfdata_a48.dat Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temp\sqlite_3do3pvpIdC2Qmcl Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temp\sqlite_h6hiL7TPGyE3Ot1 Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temp\sqlite_SL68W2subfSDc7M Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temporary Internet Files\Content.IE5\3KAGDTC6\customer_entry169[1].htm Object is locked skipped
    C:\Documents and Settings\Sean Dobson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Sean Dobson\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Sean Dobson\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\GE Security Supra\DaemonLog.txt Object is locked skipped
    C:\Program Files\GE Security Supra\SyncLog.txt Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176863.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.irk skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176863.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176863.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176863.exe RarSFX: infected - 3 skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176864.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.irk skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176864.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176864.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1245\A0176864.exe RarSFX: infected - 3 skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1246\A0178140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1246\A0178142.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ad skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1247\A0178165.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179447.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179468.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179470.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179471.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179472.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179473.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1248\A0179528.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1249\A0183752.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1249\A0183755.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0185576.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0185580.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0185584.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0185585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189014.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.irk skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189014.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189014.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189014.exe RarSFX: infected - 3 skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189015.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.irk skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189015.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189015.exe/data.rar Infected: Trojan-Downloader.Win32.Small.ieg skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0189015.exe RarSFX: infected - 3 skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0190212.dll Infected: not-a-virus:AdWare.Win32.Mostofate.ad skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\A0190285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1251\change.log Object is locked skipped
    C:\VundoFix Backups\abqnmlqr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\ddcyawv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\dlyrixbv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\fbvedhsk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\ghgfdnkk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\kucqkqhk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\nnnkkhi.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\VundoFix Backups\vnxjwmus.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\awtqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\ODiag.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\OSession.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\SYSTEM32\geedd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\spjufbno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\00006.SPL Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\wmlxpmha.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\Temp\mcafee_s2cGxl9sNmMQOwM Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_hhlHwZwg2gNGzDH Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_HrvrrDYp4IWCddx Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_lduxQtxJ00kTh2c Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_qpFN2G3FcpbwAvo Object is locked skipped
    C:\WINDOWS\Temp\sqlite_8TSrrlsMD4IG3d0 Object is locked skipped
    C:\WINDOWS\Temp\sqlite_C59Qbv38ubZlyGc Object is locked skipped
    C:\WINDOWS\Temp\sqlite_ivcp75CEDgXMum3 Object is locked skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\{00000004-00000000-00000002-00001102-00000004-20061102}.CDF Object is locked skipped

    Scan process completed.

    TIA for the help!

  #3 pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247)

    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.

    You have a lot of infected System Restore files; until we clean them later, do not use System Restore.

    Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    Post the Vundofix.txt and a new HJT log

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    Feb 2008
    Posts
    8

    Default New Vundofix log

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 3:19:01 PM 2/18/2008

    Listing files found while scanning....


    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 3:46:21 PM 2/18/2008

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\abqnmlqr.dll
    C:\WINDOWS\SYSTEM32\bccdd.ini
    C:\WINDOWS\SYSTEM32\bccdd.ini2
    C:\WINDOWS\SYSTEM32\ddccb.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\fbvedhsk.dll
    C:\WINDOWS\SYSTEM32\ghgfdnkk.dll
    C:\WINDOWS\SYSTEM32\kucqkqhk.dll
    C:\WINDOWS\SYSTEM32\nnnkkhi.dll
    C:\WINDOWS\system32\yfbmxgvf.dll
    C:\windows\SYSTEM32\yfbmxgvf.dllbox

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\abqnmlqr.dll
    C:\WINDOWS\SYSTEM32\abqnmlqr.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\bccdd.ini
    C:\WINDOWS\SYSTEM32\bccdd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\bccdd.ini2
    C:\WINDOWS\SYSTEM32\bccdd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ddccb.dll
    C:\WINDOWS\SYSTEM32\ddccb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\fbvedhsk.dll
    C:\WINDOWS\SYSTEM32\fbvedhsk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ghgfdnkk.dll
    C:\WINDOWS\SYSTEM32\ghgfdnkk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\kucqkqhk.dll
    C:\WINDOWS\SYSTEM32\kucqkqhk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\nnnkkhi.dll
    C:\WINDOWS\SYSTEM32\nnnkkhi.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yfbmxgvf.dll
    C:\WINDOWS\system32\yfbmxgvf.dll Has been deleted!

    Attempting to delete C:\windows\SYSTEM32\yfbmxgvf.dllbox
    C:\windows\SYSTEM32\yfbmxgvf.dllbox Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 9:20:58 PM 2/18/2008

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\dlyrixbv.dll
    C:\WINDOWS\SYSTEM32\vbxiryld.ini
    C:\WINDOWS\SYSTEM32\vnxjwmus.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\dlyrixbv.dll
    C:\WINDOWS\SYSTEM32\dlyrixbv.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\vbxiryld.ini
    C:\WINDOWS\SYSTEM32\vbxiryld.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\vnxjwmus.dll
    C:\WINDOWS\SYSTEM32\vnxjwmus.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\dlyrixbv.dll
    C:\WINDOWS\SYSTEM32\dlyrixbv.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 11:11:02 PM 2/18/2008

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\ddcyawv.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 12:16:44 AM 2/19/2008

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\ddcyawv.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.8

    Checking Java version...

    Java version is 1.4.2.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 5:51:25 PM 2/21/2008

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\awtqp.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddeeg.ini
    C:\WINDOWS\SYSTEM32\ddeeg.ini2
    C:\WINDOWS\SYSTEM32\geedd.dll
    C:\WINDOWS\SYSTEM32\gyttcjrr.dll
    C:\windows\SYSTEM32\hzsqmoaa.dllbox
    C:\WINDOWS\SYSTEM32\nnxkwvyd.dll
    C:\WINDOWS\SYSTEM32\pqtwa.ini
    C:\WINDOWS\SYSTEM32\pqtwa.ini2
    C:\WINDOWS\SYSTEM32\spjufbno.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\awtqp.dll
    C:\WINDOWS\SYSTEM32\awtqp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\ddeeg.ini
    C:\WINDOWS\SYSTEM32\ddeeg.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ddeeg.ini2
    C:\WINDOWS\SYSTEM32\ddeeg.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\geedd.dll
    C:\WINDOWS\SYSTEM32\geedd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\gyttcjrr.dll
    C:\WINDOWS\SYSTEM32\gyttcjrr.dll Has been deleted!

    Attempting to delete C:\windows\SYSTEM32\hzsqmoaa.dllbox
    C:\windows\SYSTEM32\hzsqmoaa.dllbox Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\nnxkwvyd.dll
    C:\WINDOWS\SYSTEM32\nnxkwvyd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\pqtwa.ini
    C:\WINDOWS\SYSTEM32\pqtwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\pqtwa.ini2
    C:\WINDOWS\SYSTEM32\pqtwa.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\spjufbno.dll
    C:\WINDOWS\SYSTEM32\spjufbno.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\ddcyawv.dll
    C:\WINDOWS\SYSTEM32\ddcyawv.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Rebooted, ran Vundofix, and removed above file at startup.

  5. #5
    Junior Member
    Join Date
    Feb 2008
    Posts
    8

    Default New HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:27:23 PM, on 2/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    c:\program files\ge security supra\syncservice.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Replay AV 8\ReplayAV.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\dlbxcoms.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    c:\program files\common files\aol\1148374838\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1148374838\ee\aolsoftware.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Common Files\Dell\EUSW\DSLog.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163714551406
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 12676 bytes

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information, sorry for the bad news, but between your first HJT log and this one, your log is showing a new trojan that is likely a very bad one, see this:
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
    It may be this: http://www.sophos.com/virusinfo/anal...ojagentdp.html
    So many hackers use the same name it is hard to tell with scanning the files, see the Google:
    Please use one or more of these free online scans to find out what that is:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/

    You will probably need to unhide files and folders to find it:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    I do not have the folder or files on my computer but start like this:
    C:\Program Files\Common Files\InstallShield\UPDATE~1\agent.exe <<< scan that file. The folder UPDATE may be part but I cannot tell from here.

    If it is the trojan I supplied information about above, keep this in mind:
    Turns off anti-virus applications
    Allows others to access the computer
    Reduces system security
    Installs itself in the Registry
    Used in DOS attacks
    Review this information: http://www.dslreports.com/faq/10451 to be safe.

    1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
    * Run Spybot-S&D in Advanced Mode.
    * If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    * On the left hand side, Click on Tools
    * Then click on the Resident Icon in the List
    * Uncheck "Resident TeaTimer" and OK any prompts.
    * Restart your computer.
    (leave TT disabled until we finish)

    2) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    3) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    4) Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window.
    Then click Remove Vundo.

    (file/s to add)

    C:\WINDOWS\SYSTEM32\ddcyawv.dll

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
    (Alexa toolbar related resource users. You can leave the next two items if you use Alexa)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) Right click Start > Explore and navigate to these files/folders and delete them if there.

    C:\WINDOWS\SYSTEM32\ddcyawv.dll <<< delete that file if it is there.

    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post a new HJT log with the information about agent.exe

    Thanks

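    The HJT "Fix Checked" step above singles out entries whose target file is gone ("(no file)" / "(file missing)"), and the VundoFix runs in post #4 list which DLLs were found. As an added example (not part of this thread or of HijackThis/VundoFix themselves), the script below parses both formats and reports the orphaned entries and the entries that point at a VundoFix-listed file; the sample lines are constructed from the logs posted in this thread, and the field layout it assumes is the one visible in those logs.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a handful of lines in the HijackThis v2.0.2 format
# seen in this thread (O2 BHOs, O3 toolbars, O4 Run keys, O9 buttons, O23 services).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ddcyawv.dll (file missing)
O2 - BHO: (no name) - {30C7BA5B-B3BF-4780-BD2C-1685ECB3149C} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {572A51AB-B227-469C-8FD3-45E0CBC9477C} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Constructed sample: a fragment of a VundoFix log in the layout posted above.
VUNDOFIX_SAMPLE = r"""
VundoFix V6.7.8

Scan started at 3:46:21 PM 2/18/2008

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\ddcyawv.dll
C:\WINDOWS\SYSTEM32\ddccb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\ddccb.dll
C:\WINDOWS\SYSTEM32\ddccb.dll Has been deleted!
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (VundoFix prints paths in mixed case)."""
    return path.rsplit("\\", 1)[-1].lower()


def vundofix_files(text: str) -> Set[str]:
    """File names VundoFix printed between 'Listing files found' and 'Beginning removal'."""
    found: Set[str] = set()
    listing = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Listing files found"):
            listing = True          # each scan run opens a new listing block
        elif line.startswith("Beginning removal"):
            listing = False
        elif listing and line:
            found.add(basename(line))
    return found


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Split HJT lines into section code, CLSID (if any), target path and missing flag."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        clsids = CLSID_RE.findall(rest)
        if code == "O4" and "] " in rest:
            # O4: "[name] <command>"; keep the executable, drop quotes and trailing switches.
            path = rest.split("] ", 1)[1].strip()
            if path.startswith('"'):
                path = path[1:].split('"', 1)[0]
            else:
                path = re.sub(r"(\s+[-/]\S+)+$", "", path)
        else:
            # Other sections: the target is the last " - " separated field (assumes the
            # path itself contains no " - ", true for every line in this thread).
            path = rest.rsplit(" - ", 1)[-1].strip()
        missing = path == "(no file)" or path.endswith("(file missing)")
        path = path.replace("(file missing)", "").strip()
        entries.append({"code": code, "clsid": clsids[-1] if clsids else "",
                        "path": path, "missing": missing, "raw": line.strip()})
    return entries


def triage(hjt_text: str, vundofix_text: str) -> Tuple[List[str], List[str]]:
    """Return (orphaned entries, entries whose target VundoFix listed)."""
    found = vundofix_files(vundofix_text)
    orphaned, matched = [], []
    for e in parse_hjt(hjt_text):
        if e["missing"]:
            orphaned.append(str(e["raw"]))
        if basename(str(e["path"])) in found:
            matched.append(str(e["raw"]))
    return orphaned, matched


if __name__ == "__main__":
    orphaned, matched = triage(HJT_SAMPLE, VUNDOFIX_SAMPLE)
    print("Orphaned entries (target file gone):")
    for raw in orphaned:
        print("  " + raw)
    print("Entries pointing at a file VundoFix listed:")
    for raw in matched:
        print("  " + raw)
```

An entry that is both orphaned and VundoFix-listed (the ddcyawv.dll BHO here) is the registry residue left behind when the DLL is deleted but its CLSID registration is not, which is exactly what the HJT fix step cleans up.
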
  7. #7
    Junior Member
    Join Date
    Feb 2008
    Posts
    8

    Default New log and results

    The new logfile is below. I started the instructions as requested but ran into problems deleting c:\windows\system32\ddcyawv.dll. It returned the error that the file was in use or access denied.
    So, I ran Process Explorer from Sysinternals and discovered it was attached to 4 programs that included aolsoftware.exe, syncservice.exe, mcvsshld.exe and Explorer.exe.
    I stopped all of the processes except explorer and ran ATF. I then killed rundll.exe and all other non-essential processes.
    Started command window
    Killed explorer
    Used command window to delete c:\...ddcyawv.dll
    Ran ATF again
    Killed winlogon
    Shut down cmd
    Exited ProcessExplorer
    Executed Hard Power off
    Restarted and there were 2 icons on the desktop that had been there and were redirectors but were now without icons. I dropped them into the Recycle bin and ran ATF on the Recycle bin. It returned that no files were deleted. So, I checked all and ran ATF, again, and it deleted files about the size of the two shortcuts. Then I ran HJT and here is the log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:08:46 PM, on 2/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    c:\program files\ge security supra\syncservice.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\dlbxcoms.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Replay AV 8\ReplayAV.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    c:\program files\common files\aol\1148374838\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1148374838\ee\aolsoftware.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ddcyawv.dll (file missing)
    O2 - BHO: (no name) - {0820B6D6-5494-482B-B8CE-B5B89EE237C3} - C:\WINDOWS\system32\pmkjk.dll (file missing)
    O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O2 - BHO: (no name) - {240AAFE9-3A0B-456D-BA68-D26D509216ED} - C:\WINDOWS\system32\ssqrs.dll (file missing)
    O2 - BHO: (no name) - {30C7BA5B-B3BF-4780-BD2C-1685ECB3149C} - C:\WINDOWS\system32\ddccb.dll (file missing)
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: (no name) - {4CA871FE-2B90-4AB5-8D62-554CF1294F83} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {572A51AB-B227-469C-8FD3-45E0CBC9477C} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {68535A01-3F55-45B0-87C2-5859A5AEB847} - (no file)
    O2 - BHO: (no name) - {6E7D1B79-4E94-4688-B306-AD04900E73ED} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {789421DB-F598-4805-A096-69561CFCB1E1} - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {98F002FB-B645-4309-BF4D-DC380999DD27} - C:\WINDOWS\system32\awtqp.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: {0276a29d-3e66-0e29-a364-b34c371a5e8c} - {c8e5a173-c43b-463a-92e0-66e3d92a6720} - C:\WINDOWS\system32\dlfaoydy.dll (file missing)
    O2 - BHO: (no name) - {CA823C10-0A24-4A76-9A74-5F281A950AB1} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {E8FD22A6-9747-494A-ADB9-3BC3CB0A0449} - (no file)
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [74e2cb35] rundll32.exe "C:\WINDOWS\system32\dcycacqe.dll",b
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163714551406
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/...Downloader.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 13875 bytes

    Thank you for the help.

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    8

    Default agent.exe

    I used Kaspersky to check the files in that directory, but it didn't return any positive results. I've had problems with that file, though. The program is from Macromedia and contains a file, ISUSPM.exe, that repetitively tries to install JASC Photoshop updates and asks for the location of the files.

  9. #9
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    agent.exe <<< are you saying you scanned this file with no results? What about the other two scanners I provided? Open the file, right click it and see what information is there. I hesitate to advise you to delete it unless you say so. It may or may not be malware, but it will not be the first time hackers have installed their junk in a valid location.

    It looks like TeaTimer is keeping junk in the memory, blocking us from removing it, let's try this.

    1) Make sure hidden files are enabled:

    2) Disable TeaTimer

    3) In some cases it's quite useful to reset TeaTimer once you've disabled it, to remove HijackThis entries:
    Download ResetTeaTimer.bat: http://downloads.subratam.org/ResetTeaTimer.bat
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and to prevent TeaTimer from restoring them upon reactivation).

    4) Open Vundofix by double-clicking on it, then point your mouse to the white box above
    the buttons and right click, then click on Add More Files. When the next window opens,
    copy and paste the files into the boxes and click on Add File(s), then click on Close Window.
    Then click Remove Vundo.

    (file/s to add)

    C:\WINDOWS\system32\dcycacqe.dll

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ddcyawv.dll (file missing)
    O2 - BHO: (no name) - {0820B6D6-5494-482B-B8CE-B5B89EE237C3} - C:\WINDOWS\system32\pmkjk.dll (file missing)
    O2 - BHO: (no name) - {240AAFE9-3A0B-456D-BA68-D26D509216ED} - C:\WINDOWS\system32\ssqrs.dll (file missing)
    O2 - BHO: (no name) - {30C7BA5B-B3BF-4780-BD2C-1685ECB3149C} - C:\WINDOWS\system32\ddccb.dll (file missing)
    O2 - BHO: (no name) - {4CA871FE-2B90-4AB5-8D62-554CF1294F83} - C:\WINDOWS\system32\geeda.dll (file missing)
    O2 - BHO: (no name) - {572A51AB-B227-469C-8FD3-45E0CBC9477C} - (no file)
    O2 - BHO: (no name) - {68535A01-3F55-45B0-87C2-5859A5AEB847} - (no file)
    O2 - BHO: (no name) - {6E7D1B79-4E94-4688-B306-AD04900E73ED} - (no file)
    O2 - BHO: (no name) - {789421DB-F598-4805-A096-69561CFCB1E1} - C:\WINDOWS\system32\pmkhg.dll (file missing)
    O2 - BHO: (no name) - {98F002FB-B645-4309-BF4D-DC380999DD27} - C:\WINDOWS\system32\awtqp.dll (file missing)
    O2 - BHO: {0276a29d-3e66-0e29-a364-b34c371a5e8c} - {c8e5a173-c43b-463a-92e0-66e3d92a6720} - C:\WINDOWS\system32\dlfaoydy.dll (file missing)
    O2 - BHO: (no name) - {CA823C10-0A24-4A76-9A74-5F281A950AB1} - C:\WINDOWS\system32\awtqq.dll (file missing)
    O2 - BHO: (no name) - {E8FD22A6-9747-494A-ADB9-3BC3CB0A0449} - (no file)
    O4 - HKLM\..\Run: [74e2cb35] rundll32.exe "C:\WINDOWS\system32\dcycacqe.dll",b
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) Right click Start > Explore and navigate to these files/folders and delete them if there.

    C:\WINDOWS\system32\dcycacqe.dll <<< make sure this one is gone

    7) Run ATF Cleaner

    Restart, post a new HJT log along with the information about the questionable file: agent.exe
    Add any comments you think will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Feb 2008
    Posts
    8

    Default

    agent.exe >>> I scanned this file and all files in the same directory without results from all 3 services. When I reboot my computer, McAfee tells me briefly that I am not fully protected and will often correct that status without me changing anything. I checked the event log and noticed a few minutes before I logged off that C:\program files\....ISUSPM.exe was blocked from making registry changes.


    I seemed to have problems running the ResetTeaTimer.bat file. It tells me:

    TeaTimer and Spybot must be closed (which they are) and to press any key. I receive input error: There is no script engine for file extension ".vbs".
    operable program or batch file.
    Could not find C:\Documents and Settings\Sean Dobson\Desktop\Setpaths.bat

    Finished
    Press any key to continue. . . .


    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:24:07 AM, on 2/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    c:\program files\ge security supra\syncservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Replay AV 8\ReplayAV.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\WINDOWS\system32\dlbxcoms.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\program files\common files\aol\1148374838\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
    c:\program files\common files\aol\1148374838\ee\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\McAfee\MSC\mcshell.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148374838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Replay AV] "C:\Program Files\Replay AV 8\ReplayAV.exe" -quiet
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163714551406
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - http://207.207.60.50/SiteRoots/main/...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...32/mcfscan.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 12460 bytes
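
    As an added example (not part of this thread, and not code from HijackThis, VundoFix or Spybot), the script below encodes the features that pskelley's selection in post #9 shares: O2 BHOs with "(no name)" or a GUID-looking name whose DLL is "(file missing)" or "(no file)", an O4 Run entry whose value name is eight hex digits and which launches rundll32 on a system32 DLL, and an O16 DPF entry with no download URL. It then compares the first log with the follow-up log in post #10 to confirm those entries are gone and to list anything new. The sample lines are excerpted from the two logs above; the heuristics, thresholds and function names are my own assumptions, not a rule set the helper published.

```python
"""Triage HijackThis O2/O4/O16 entries the way the helper in this thread did,
then confirm the flagged entries are absent from a follow-up log."""
import re

# Sample lines excerpted from the two HijackThis logs posted in this thread
# (20 Feb 2008 before cleanup, 23 Feb 2008 after), reduced to the entries that matter.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ddcyawv.dll (file missing)
O2 - BHO: (no name) - {572A51AB-B227-469C-8FD3-45E0CBC9477C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {0276a29d-3e66-0e29-a364-b34c371a5e8c} - {c8e5a173-c43b-463a-92e0-66e3d92a6720} - C:\WINDOWS\system32\dlfaoydy.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [74e2cb35] rundll32.exe "C:\WINDOWS\system32\dcycacqe.dll",b
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
"""

LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
"""

# Line shapes as HijackThis 2.0.2 prints them (assumed from the logs in this thread).
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")


def entries(log_text):
    """Non-empty, whitespace-trimmed lines of an HJT log (or excerpt)."""
    return [ln.strip() for ln in log_text.splitlines() if ln.strip()]


def triage(log_text):
    """Return (line, reason) pairs for the three patterns the helper fixed:
    orphaned unnamed BHO registrations, a hex-named rundll32 Run entry,
    and an ActiveX (DPF) entry with no download URL."""
    findings = []
    for line in entries(log_text):
        m = O2.match(line)
        if m:
            missing = m["path"].endswith("(file missing)") or m["path"] == "(no file)"
            unnamed = m["name"] == "(no name)" or GUID.fullmatch(m["name"]) is not None
            if missing and unnamed:
                findings.append((line, "orphaned unnamed BHO"))
            continue
        m = O4.match(line)
        if m:
            # Value name is 8 lowercase hex digits, like [74e2cb35] in the first log.
            hex_name = re.fullmatch(r"[0-9a-f]{8}", m["name"]) is not None
            if hex_name and "rundll32" in m["cmd"].lower():
                findings.append((line, "hex-named rundll32 Run entry"))
            continue
        m = O16.match(line)
        if m and not m["url"]:
            findings.append((line, "ActiveX entry with no download URL"))
    return findings


def diff_logs(before, after):
    """Entries removed by the cleanup and entries that are new in the follow-up log."""
    b, a = set(entries(before)), set(entries(after))
    return sorted(b - a), sorted(a - b)


def still_present(before, after):
    """Flagged entries from the first log that survive in the second (should be empty)."""
    after_set = set(entries(after))
    return [line for line, _ in triage(before) if line in after_set]


if __name__ == "__main__":
    for line, reason in triage(LOG_BEFORE):
        print(f"[{reason}] {line}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"removed: {len(removed)}  added: {len(added)}  still flagged: {still_present(LOG_BEFORE, LOG_AFTER)}")
```

    On the excerpt, triage flags the five entries pskelley listed (three orphaned BHOs, the [74e2cb35] rundll32 entry and the URL-less Java plug-in DPF line), none of them survive in the follow-up log, and the diff also surfaces the one changed line the eye can miss in a long log: the SSVHelper BHO now reports its DLL as "(file missing)". These heuristics only reproduce the shapes seen in this thread; an entry that matches none of them is not thereby clean.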
