I ran Spybot in safe mode signed on with administrator rights and these keep returning. I read a post that had a similar problem and downloaded and ran ComboFix, and here is my log.
ComboFix 08-05-21.2 - c.saar 2008-05-22 8:58:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1329 [GMT -5:00]
Running from: C:\Documents and Settings\c.saar\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\c.saar\Desktop\Privacy Protector.url
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\agvqxvlt.ini
C:\WINDOWS\system32\BKnUBJjl.ini
C:\WINDOWS\system32\BKnUBJjl.ini2
C:\WINDOWS\system32\bplqrqde.dll
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\CKQqsBeg.ini
C:\WINDOWS\system32\CKQqsBeg.ini2
C:\WINDOWS\system32\cuwjxjxi.ini
C:\WINDOWS\system32\ebfdkove.ini
C:\WINDOWS\system32\edqrqlpb.ini
C:\WINDOWS\system32\fwcpksgi.ini
C:\WINDOWS\system32\GghkQXbc.ini
C:\WINDOWS\system32\GghkQXbc.ini2
C:\WINDOWS\system32\gjjTAcdd.ini
C:\WINDOWS\system32\gjjTAcdd.ini2
C:\WINDOWS\system32\isaevnet.ini
C:\WINDOWS\system32\ixjxjwuc.dll
C:\WINDOWS\system32\kRBbHRqr.ini
C:\WINDOWS\system32\kRBbHRqr.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nqrtutwa.ini
C:\WINDOWS\system32\nqrtutwa.ini2
C:\WINDOWS\system32\oamlmudd.ini
C:\WINDOWS\system32\ojqrgmaw.ini
C:\WINDOWS\system32\pksquunl.ini
C:\WINDOWS\system32\qrjrokhd.ini
C:\WINDOWS\system32\ryquilgp.ini
C:\WINDOWS\system32\soqwemjr.ini
C:\WINDOWS\system32\tDMllUtv.ini
C:\WINDOWS\system32\tDMllUtv.ini2
C:\WINDOWS\system32\tlvxqvga.dll
C:\WINDOWS\system32\vvGfPXbc.ini
C:\WINDOWS\system32\vvGfPXbc.ini2
C:\WINDOWS\system32\vyJTstwa.ini
C:\WINDOWS\system32\vyJTstwa.ini2
C:\WINDOWS\system32\WDNmlUvw.ini
C:\WINDOWS\system32\WDNmlUvw.ini2
C:\WINDOWS\system32\wvjkgrho.ini
C:\WINDOWS\system32\wxGgNUtv.ini
C:\WINDOWS\system32\wxGgNUtv.ini2
C:\WINDOWS\system32\XxyIknmp.ini
C:\WINDOWS\system32\XxyIknmp.ini2
C:\WINDOWS\system32\YGiPsBIi.ini
C:\WINDOWS\system32\YGiPsBIi.ini2
.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.
2008-05-22 08:28 . 2008-05-22 08:28 318,336 --a------ C:\WINDOWS\system32\geBsqQKC.dll_old
2008-05-22 07:44 . 2008-05-22 07:44 90,624 --a------ C:\WINDOWS\system32\rjmewqos.dll
2008-05-21 16:15 . 2008-05-22 07:42 534 --ahs---- C:\WINDOWS\system32\ayfvphpo.ini
2008-05-20 13:02 . 2008-05-20 13:02 91,264 --------- C:\WINDOWS\system32\ohrgkjvw.dll
2008-05-20 08:09 . 2008-05-20 08:09 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-19 09:54 . 2008-05-19 16:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-19 09:54 . 2008-05-19 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-19 07:14 . 2008-05-16 18:58 266,240 --a------ C:\WINDOWS\fvowketqfgq.dll
2008-05-19 07:14 . 2008-05-16 18:58 159,744 --a------ C:\WINDOWS\emxa.exe
2008-05-15 17:15 . 2008-05-15 17:15 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-15 14:59 . 2008-05-15 15:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 14:59 . 2008-05-15 14:59 84 --a------ C:\WINDOWS\system32\ikhcore.cfg
2008-05-15 13:49 . 2008-05-15 13:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-15 13:33 . 2008-05-15 13:33 <DIR> d-------- C:\Documents and Settings\c.saar\Application Data\TmpRecentIcons
2008-05-15 12:57 . 2008-05-15 15:18 62,910 --a------ C:\Program Files\Uninstall.exe
2008-05-15 12:57 . 2008-05-15 15:18 0 --a------ C:\Program Files\uninstall.dat
2008-05-15 11:55 . 2008-05-16 18:57 274,432 --a------ C:\WINDOWS\mpfanvqg.dll
2008-05-15 11:55 . 2008-05-15 10:41 159,744 --a------ C:\WINDOWS\exqb.exe
2008-05-15 11:55 . 2008-05-15 11:55 29,312 --a------ C:\WINDOWS\system32\iiFvVnom.dll
2008-05-07 09:16 . 2008-05-07 09:16 <DIR> d-------- C:\Documents and Settings\rfq\Application Data\ShoreWare Client
2008-05-07 09:15 . 2008-01-24 16:54 <DIR> d-------- C:\Documents and Settings\rfq\Application Data\InstallShield
2008-05-07 09:15 . 2008-01-24 16:57 <DIR> d-------- C:\Documents and Settings\rfq\Application Data\ATI
2008-05-07 09:15 . 2008-05-15 15:16 <DIR> d-------- C:\Documents and Settings\rfq
2008-05-06 14:40 . 2008-05-06 14:41 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-04-28 09:35 . 2008-04-28 09:35 5,566,656 --a------ C:\vviewer.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 14:01 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-05-22 13:56 --------- d-----w C:\Documents and Settings\c.saar\Application Data\ShoreWare Client
2008-05-15 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-15 12:13 --------- d-----w C:\Documents and Settings\c.saar\Application Data\AdobeUM
2008-04-24 14:22 --------- d-----w C:\Documents and Settings\c.saar\Application Data\Service Management
2008-04-21 14:07 --------- d-----w C:\Program Files\ITI
2008-04-09 18:47 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-08 12:26 --------- d-----w C:\Program Files\Java
2008-03-25 20:08 --------- d-----w C:\Program Files\Virtual Earth 3D
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]
2008-05-16 18:58 266240 --a------ C:\WINDOWS\fvowketqfgq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A2AC7FC-E8BC-43A1-B04F-184C1F3EE569}]
C:\WINDOWS\system32\iIBsPiGY.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F229EC3-5B72-4268-AE88-CA5148966E3D}]
C:\WINDOWS\system32\rqRHbBRk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}]
2008-05-15 11:55 29312 --a------ C:\WINDOWS\system32\iiFvVnom.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31A8A323-D26E-4A0F-BFDC-FB964883CA1A}]
C:\WINDOWS\system32\vtUllMDt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DBDEC3F-92D1-4101-84B2-5E25275B9A5D}]
C:\WINDOWS\system32\cbXPfGvv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D7AF18B-C53B-4B8C-8064-B84109DCBD5F}]
C:\WINDOWS\system32\awtutrqn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58D945B1-7DDA-403D-A601-3ED43B58E6AF}]
C:\WINDOWS\system32\vtUNgGxw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DB80989-E9CE-4D38-9A6B-50C52CCEE0E8}]
C:\WINDOWS\system32\ddcATjjg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68F1C742-C335-4121-8A9A-9608E3AC30F1}]
C:\WINDOWS\system32\pmnkIyxX.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9315B09A-31A7-474E-A0AF-64E185F07B80}]
C:\WINDOWS\system32\geBsqQKC.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BED2BE48-9ED3-4031-9D02-40DDA539FFBE}]
C:\WINDOWS\system32\awtsTJyv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C13810C6-8E6A-45A1-95A7-A8064C0B5086}]
C:\WINDOWS\system32\ljJBUnKB.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C19E2C76-AFC8-41AF-BB4B-B32BD2BB7A3D}]
C:\WINDOWS\system32\cbXQkhgG.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB6C056C-7AB3-4B83-A1ED-F729DFA09206}]
C:\WINDOWS\system32\wvUlmNDW.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-28 12:29 68856]
"ShoreTel Personal Call Manager"="C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe" [2007-09-04 13:43 41000]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 02:40 124656]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-03-18 23:30 184320]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 06:00 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]
"RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 10:00 1116920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 18:23 118784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-03-18 23:29 212992]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-24 16:58 227328]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12 90112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"ec2362de"="C:\WINDOWS\system32\rjmewqos.dll" [2008-05-22 07:44 90624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-02-28 14:54:12 25214]
Pervasive.SQL Workgroup Engine.lnk - C:\PVSW\Bin\w3dbsmgr.exe [2008-01-28 11:08:53 102450]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-10-22 03:47:02 806912]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2E529F87-2B52-438C-9E7C-7D0A0DD910BA}"= C:\WINDOWS\system32\iiFvVnom.dll [2008-05-15 11:55 29312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {2F001474-AB1D-4273-8D7F-FA3D728F24FD} - C:\WINDOWS\mpfanvqg.dll [2008-05-16 18:57 274432]
"vbksrofa"= {AA4F8A59-417B-49BF-96FD-9BB9F764E66E} - C:\WINDOWS\vbksrofa.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iiFvVnom]
iiFvVnom.dll 2008-05-15 11:55 29312 C:\WINDOWS\system32\iiFvVnom.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yoa86.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\PVSW\\Bin\\w3dbsmgr.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\ap.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\Ar.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\AB.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\BL.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\CM.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\CN.EXE"=
"C:\\Program Files\\Timberline Office\\Accounting\\EQ.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\Fs.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\GL.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\Jc.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\Pr.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\PJ.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\TR.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\sm.exe"=
"C:\\Program Files\\Common Files\\Sage\\Sage Common Desktop\\1.0\\Desktop.exe"=
"C:\\Program Files\\Timberline Office\\Accounting\\TS.exe"=
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 11:35]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;"C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe" -service []
R2 Sage.ServiceHost.Host.1.0;Sage Service Host v1.0;c:\program files\timberline office\shared\sage.servicehost.host.exe [2007-09-06 12:39]
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 14:04:03 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 09:01:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\soqwemjr.ini 294 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\iiFvVnom.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\rjmewqos.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\mpas-d.exe
C:\d0bff5abd1c5f977c2\mpsigstub.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-22 9:04:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 14:04:30
Pre-Run: 233,282,187,264 bytes free
Post-Run: 233,205,280,768 bytes free
251 --- E O F --- 2008-05-22 14:04:35