
Thread: Virtumonde, Smitfraud, Zeno, all kinds of stuff

  1. #1
    Junior Member
    Join Date: Jun 2008
    Posts: 22

    Virtumonde, Smitfraud, Zeno, all kinds of stuff

    I've got a real mess here. Virtumonde, a whole alphabet of Smitfrauds and CoolWWWSearches, Clientman, DeepDive, ZenoSearch, Win32.Small.ny, and probably a few others as well.

    Task Manager's been disabled by one of the little pests, and I can't seem to re-enable it. I've tried using the regedit manual fix, and the command-line version. Each time it looks like it works, but the key keeps popping back in.

    The computer is getting constant pop-up warnings for spyware and viruses found, both in IE and from 'Windows Security.' Also, of course, ads for products that will supposedly fix this, and (presumably bogus) demands to upgrade Windows security.

    Though, in retrospect, upgrading windows security would have been a good idea before all this showed up.

    Spybot 1.4 was telling me to re-scan after a reboot with the network disconnected. After which it would tell me to do it again, and keep cycling. Spybot 1.5.2 just removes everything, or seems to, but it's back again at the next scan, and the pop-ups start again a few minutes later.

    There was a fairly annoying infection on the same computer several months ago that I'd thought was fixed. I don't know if it's been lurking around all this time, or if this is something that's shown up in the last few weeks.

    Any help would be greatly appreciated. This is on a family computer, and my repeated failures to improve the situation have not been very good for my rep as the family geek.


    HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:55:56 PM, on 6/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    C:\windows\system32\pmropn.exe
    C:\WINDOWS\system32\iftuyszv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
    C:\windows\system32\rwwnw64d.exe
    C:\WINDOWS\system32\ncntqkdm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
    C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe
    C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe
    C:\Program Files\GetPack\GetPack19.exe
    C:\Program Files\GetModule\GetModule19.exe
    C:\Program Files\eFax Messenger 4.3\J2GTray.exe
    C:\VSTASCAN\vsaccess.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Edwina\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/searc.../8CgjwiE/Hpec=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.weatherstudio.com/dp/searc...6eMNFYAWYXowU=
    R3 - URLSearchHook: (no name) - - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6} - C:\WINDOWS\system32\iifgFYsr.dll (file missing)
    O2 - BHO: (no name) - {2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B} - C:\WINDOWS\system32\tuvtqqp.dll (file missing)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\altcmd\altcmd32.dll
    O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: (no name) - {4D7F9440-8E65-44B9-98B1-0C72697E376C} - C:\WINDOWS\system32\ljJCuUmm.dll (file missing)
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O2 - BHO: (no name) - {8D384FC7-4CB4-4B13-B718-E148B20CA232} - C:\WINDOWS\system32\hgGabYQG.dll (file missing)
    O2 - BHO: {03a11f25-4752-36c8-5894-c28d80db7249} - {9427bd08-d82c-4985-8c63-257452f11a30} - C:\WINDOWS\system32\jjcikwfs.dll
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: gooochi browser optimizer - {c51e870a-f9f7-fe03-2f90-5dcc80d02b1d} - C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {CFE82785-BE10-4186-9597-C2B5B9FE9290} - C:\WINDOWS\system32\awtss.dll (file missing)
    O2 - BHO: (no name) - {D149BF6F-2388-7F51-F94E-7BA2E3E718C4} - C:\WINDOWS\system32\wyr.dll
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {E89CD8A6-BD36-459C-B131-96167C31B28D} - C:\WINDOWS\system32\geBuRjhG.dll (file missing)
    O2 - BHO: (no name) - {F9DF827A-8FA7-48A3-B268-CA4DB563EA40} - C:\WINDOWS\system32\ddcBSKAR.dll
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [WeatherStudio Desktop] "C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe"
    O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [UADC_3354481086] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
    O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
    O4 - HKLM\..\Run: [{D4-40-06-61-DW}] C:\windows\system32\rwwnw64d.exe DWram
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntqkdm.exe DWram
    O4 - HKLM\..\Run: [70bd40ce] rundll32.exe "C:\WINDOWS\system32\lryehrsd.dll",b
    O4 - HKLM\..\Run: [{0bc23157-a980-81ae-62a3-a8ba9f67cfdd}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll" DllStart
    O4 - HKLM\..\Run: [avast!] C:\Program Files\new antispyware\avast4\ashDisp.exe
    O4 - HKLM\..\Run: [BM738e7352] Rundll32.exe "C:\WINDOWS\system32\lmlwpokg.dll",s
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4210] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5930] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1448] command /c del "C:\WINDOWS\system32\geBuRjhG.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9433] cmd /c del "C:\WINDOWS\system32\geBuRjhG.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6879] command /c del "C:\WINDOWS\system32\ljJCuUmm.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9085] cmd /c del "C:\WINDOWS\system32\ljJCuUmm.dll_old"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mpsp] "C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe"
    O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Edwina\Application Data\Microsoft\Windows\byprcb.exe
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
    O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\new antispyware\Spybot - Search & Destroy 1-5\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201740934859
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A4583A-A704-4733-BC1F-E18CEA58111D}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
    O20 - Winlogon Notify: ddcBSKAR - C:\WINDOWS\SYSTEM32\ddcBSKAR.dll
    O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
    O20 - Winlogon Notify: tuvtqqp - tuvtqqp.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\new antispyware\avast4\ashserv.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 15945 bytes

    End of HJT log


    Thanks,

    Ura-Maru
    --
    I suppose it's like swimming away from a shark. I just have to be more of a geek than the rest of my family, without regard to my absolute geek ranking.
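As an added example (not code from this thread, from HijackThis or from any of the tools named in it), here is a small Python triage script that applies the checks a helper makes when reading an HJT log like the one above: UserInit hooks, Trusted Zone additions, AppInit_DLLs and Winlogon Notify entries, orphaned registrations, lookalike characters in paths, and Vundo-style random file names in system32. The sample lines are constructed from entry types in the posted log, and the rules and severity labels are assumptions for this example, not a signature database.

```python
"""Triage a HijackThis (HJT) 2.0.2 log.

Added example: flags the entry types a malware-removal helper reads first.
The rules are heuristics written for this example, not HJT's own logic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on entry types in the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [70bd40ce] rundll32.exe "C:\WINDOWS\system32\lryehrsd.dll",b
O4 - HKCU\..\Run: [Mpsp] "C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe"
O15 - Trusted Zone: *.trustedantivirus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A4583A-A704-4733-BC1F-E18CEA58111D}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
O20 - Winlogon Notify: ddcBSKAR - C:\WINDOWS\SYSTEM32\ddcBSKAR.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
"""

RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:exe|dll)$", re.IGNORECASE)  # e.g. lryehrsd.dll
LOOKALIKE = re.compile(r"[^\x20-\x7e]|\?")   # non-ASCII, or '?' left by a lost glyph
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": confirm with the user first
    reason: str
    entry: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_entry(entry: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    entry = entry.strip()
    if not entry:
        return None
    kind = entry.split(" - ", 1)[0]            # "F2", "O4", "O20", ...
    if "(file missing)" in entry or "(no file)" in entry:
        return Finding("review", "orphaned registration, file absent", entry)
    if kind == "F2" and "UserInit=" in entry:
        # Anything besides userinit.exe here runs at every logon.
        programs = [p for p in entry.split("=", 1)[1].split(",") if p]
        if any(_basename(p).lower() != "userinit.exe" for p in programs):
            return Finding("high", "extra program hooked into UserInit", entry)
    if kind == "O15":
        return Finding("high", "site added to the IE Trusted Zone", entry)
    if kind == "O17":
        return Finding("review", "DNS servers overridden; confirm they are intended", entry)
    if kind == "O20":
        if entry.startswith("O20 - AppInit_DLLs:"):
            return Finding("high", "AppInit_DLLs loads into every GUI process", entry)
        return Finding("high", "Winlogon Notify package registered", entry)
    if kind == "O23" and "Unknown owner" in entry:
        return Finding("review", "service without vendor information", entry)
    for path in PATH_RE.findall(entry):
        if LOOKALIKE.search(path):
            return Finding("high", "lookalike or non-ASCII characters in path", entry)
        if RANDOM_NAME.match(_basename(path)) and "\\system32\\" in path.lower():
            return Finding("high", "Vundo-style random name in system32 (verify)", entry)
    return None


def triage(log_text: str):
    """Run check_entry over every line and keep the findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = check_entry(line)
        if finding is not None:
            findings.append(finding)
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 6, 'review': 3}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}: {f.entry}")
    print(summary(results))
```

Run it against a full log by passing the file contents to triage(); entries it returns as "review" still need a human to confirm before anything is removed.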

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hi Ura-Maru,

    Please upload this file:

    C:\Program Files\BChanger\bchanger.dll here and fill in the requested info.

    Let me know when you have done it and we'll continue.

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date: Jun 2008
    Posts: 22

    OK, I've sent it in.

    Thanks,
    Ura-Maru

  4. #4
    Visiting Fellow
    Join Date: Oct 2005
    Location: Belgium
    Posts: 252

    Hi,

    Sorry to jump in for a second.

    Do you know what program C:\Program Files\BChanger is?
    Did you install it? If so, can you provide us with the info and a link to where it can be downloaded?
    If you don't know the program, then please zip the entire BChanger folder and upload it here as well: http://www.bleepingcomputer.com/subm....php?channel=8

    Thank you very much for your cooperation.

    Shaba will assist you further.

  5. #5
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    No problem, mieke.

    Ura-Maru, after you have done what miekiemoes requested, please do this:

    Create a folder of its own for HijackThis on the desktop and move it into that folder.

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
    3. On the left-hand side, click on Tools.
    4. Then click on the Resident icon in the list.
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double-click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here.

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  6. #6
    Junior Member
    Join Date: Jun 2008
    Posts: 22

    The zip's sent off. I have no idea what it is or where it came from. The dates imply it's just a few days old, and no one should have been using the computer since then for anything (except myself, trying to fix it).

    "Should have" may be the operative phrase, however.

    I ran ComboFix from Safe Mode, but it rebooted into Normal Mode, which meant some startup apps and a couple of pop-ups came up before it was finished. I hope this doesn't alter its results.

    I probably should have asked before running it, but I can't use Task Manager to help it along if it runs into difficulty (it didn't this time). Is that a real problem?


    ComboFix Log

    ComboFix 08-06-20.4 - Edwina 2008-06-22 15:48:29.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.308 [GMT -4:00]
    Running from: C:\Documents and Settings\Edwina\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Edwina\Application Data\ICROSO~1
    C:\Documents and Settings\Edwina\Application Data\ICROSO~1\?icrosoft\
    C:\Documents and Settings\Edwina\Application Data\ICROSO~1\nslookup.exe
    C:\Documents and Settings\Edwina\My Documents\FNTS~1
    C:\Documents and Settings\Edwina\My Documents\FNTS~1\r?ndll32.exe
    C:\Documents and Settings\Edwina\Start Menu\Programs\Internet Speed Monitor
    C:\Documents and Settings\Edwina\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Edwina\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Program Files\AntiSpywareMaster
    C:\Program Files\Spcron
    C:\Program Files\Spcron\Spc.dll
    C:\Program Files\Windows Plus\quka.dll
    C:\Program Files\Windows Plus\quka83.dll
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\bkR11
    C:\Temp\bkR11\ftCa.log
    C:\temp\tn3
    C:\Temp\vtmp2
    C:\Temp\vtmp2\ktnv33.log
    C:\WINDOWS\accesss.exe
    C:\WINDOWS\astctl32.ocx
    C:\WINDOWS\avpcc.dll
    C:\WINDOWS\BM738e7352.xml
    C:\WINDOWS\clrssn.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\cpan.dll
    C:\WINDOWS\ctfmon32.exe
    C:\WINDOWS\ctrlpan.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\directx32.exe
    C:\WINDOWS\dnsrelay.dll
    C:\WINDOWS\editpad.exe
    C:\WINDOWS\explore.exe
    C:\WINDOWS\explorer32.exe
    C:\WINDOWS\funniest.exe
    C:\WINDOWS\funny.exe
    C:\WINDOWS\gfmnaaa.dll
    C:\WINDOWS\helpcvs.exe
    C:\WINDOWS\iedll.exe
    C:\WINDOWS\iexplorer.exe
    C:\WINDOWS\inetinf.exe
    C:\WINDOWS\internet.exe
    C:\WINDOWS\lfn.exe
    C:\WINDOWS\loader.exe
    C:\WINDOWS\mainms.vpi
    C:\WINDOWS\megavid.cdt
    C:\WINDOWS\msconfd.dll
    C:\WINDOWS\msspi.dll
    C:\WINDOWS\mssys.exe
    C:\WINDOWS\msupdate.exe
    C:\WINDOWS\mswsc10.dll
    C:\WINDOWS\mswsc20.dll
    C:\WINDOWS\mtwirl32.dll
    C:\WINDOWS\muotr.so
    C:\WINDOWS\notepad32.exe
    C:\WINDOWS\olehelp.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\qttasks.exe
    C:\WINDOWS\quicken.exe
    C:\WINDOWS\rundll16.exe
    C:\WINDOWS\rundll32.vbe
    C:\WINDOWS\searchword.dll
    C:\WINDOWS\sistem.exe
    C:\WINDOWS\svchost32.exe
    C:\WINDOWS\svcinit.exe
    C:\WINDOWS\systeem.exe
    C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll
    C:\WINDOWS\system32\aacxastw.ini
    C:\WINDOWS\system32\AbJmnnpo.ini
    C:\WINDOWS\system32\AbJmnnpo.ini2
    C:\WINDOWS\system32\aciplwra.ini
    C:\WINDOWS\system32\acpuunuf.ini
    C:\WINDOWS\system32\akjwfmga.ini
    C:\WINDOWS\system32\apdfgsku.ini
    C:\WINDOWS\system32\bannugfs.ini
    C:\WINDOWS\system32\becicpxv.ini
    C:\WINDOWS\system32\bgnesihi.ini
    C:\WINDOWS\system32\bkynplwo.ini
    C:\WINDOWS\system32\bpfakeeu.ini
    C:\WINDOWS\system32\bvmkfyln.ini
    C:\WINDOWS\system32\byXOhEvV.dll
    C:\WINDOWS\system32\ckiuqhqw.ini
    C:\WINDOWS\system32\csweltpj.ini
    C:\WINDOWS\system32\cvkjbvhu.ini
    C:\WINDOWS\system32\daSgo02
    C:\WINDOWS\system32\daSgo02\daSgo021099.exe
    C:\WINDOWS\system32\ddcBSKAR.dll
    C:\WINDOWS\system32\dfbawjbl.ini
    C:\WINDOWS\system32\dhajojtj.dll
    C:\WINDOWS\system32\dhlawokg.ini
    C:\WINDOWS\system32\djmkygst.ini
    C:\WINDOWS\system32\drivers\fltmgrr.sys
    C:\WINDOWS\system32\dsrheyrl.ini
    C:\WINDOWS\system32\duywoait.ini
    C:\WINDOWS\system32\dwfrjckk.exe
    C:\WINDOWS\system32\dyytnyel.ini
    C:\WINDOWS\system32\eabptpit.ini
    C:\WINDOWS\system32\epjmfbqy.ini
    C:\WINDOWS\system32\erhtlcjv.ini
    C:\WINDOWS\system32\eshpbknf.ini
    C:\WINDOWS\system32\evevwbtd.ini
    C:\WINDOWS\system32\exnnumjs.ini
    C:\WINDOWS\system32\eytdwbiw.ini
    C:\WINDOWS\system32\fhapnrou.dll
    C:\WINDOWS\system32\fjwmyiqu.ini
    C:\WINDOWS\system32\fnlrfnmd.ini
    C:\WINDOWS\system32\fopndnsn.ini
    C:\WINDOWS\system32\fxfynujj.ini
    C:\WINDOWS\system32\g99.exe
    C:\WINDOWS\system32\gbymcbkk.dll
    C:\WINDOWS\system32\gdycebiq.ini
    C:\WINDOWS\system32\GhjRuBeg.ini
    C:\WINDOWS\system32\GhjRuBeg.ini2
    C:\WINDOWS\system32\gnveqkgy.ini
    C:\WINDOWS\system32\gobdvcmu.ini
    C:\WINDOWS\system32\gokgxhey.dll
    C:\WINDOWS\system32\gqjevatm.ini
    C:\WINDOWS\system32\GQYbaGgh.ini
    C:\WINDOWS\system32\GQYbaGgh.ini2
    C:\WINDOWS\system32\gside.exe
    C:\WINDOWS\system32\hcudrbyt.ini
    C:\WINDOWS\system32\henopawt.ini
    C:\WINDOWS\system32\hhkmp.ini
    C:\WINDOWS\system32\hhkmp.ini2
    C:\WINDOWS\system32\hkvdcdxk.ini
    C:\WINDOWS\system32\hljwugsf.bin
    C:\WINDOWS\system32\hrnecgrf.ini
    C:\WINDOWS\system32\iccdewwm.ini
    C:\WINDOWS\system32\iivijmun.ini
    C:\WINDOWS\system32\iivqtjsk.ini
    C:\WINDOWS\system32\ijocbojp.ini
    C:\WINDOWS\system32\ikjvolxa.ini
    C:\WINDOWS\system32\isgnpyhl.ini
    C:\WINDOWS\system32\itevgvgf.ini
    C:\WINDOWS\system32\iulkuvtb.ini
    C:\WINDOWS\system32\jhinhrxs.ini
    C:\WINDOWS\system32\jjcikwfs.dll
    C:\WINDOWS\system32\jlmkycta.dll
    C:\WINDOWS\system32\jmmxljkk.exe
    C:\WINDOWS\system32\kcaxgeya.ini
    C:\WINDOWS\system32\kcofjapv.ini
    C:\WINDOWS\system32\knhsjupi.ini
    C:\WINDOWS\system32\kpopcifs.ini
    C:\WINDOWS\system32\krcfjory.ini
    C:\WINDOWS\system32\kryloqvw.ini
    C:\WINDOWS\system32\lcoigwaj.ini
    C:\WINDOWS\system32\ldpackage.dll
    C:\WINDOWS\system32\lmlwpokg.dll
    C:\WINDOWS\system32\lnmwvuyl.ini
    C:\WINDOWS\system32\lryehrsd.dll
    C:\WINDOWS\system32\lsmphtxw.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\mgmbbtce.ini
    C:\WINDOWS\system32\mhsvxujn.dll
    C:\WINDOWS\system32\mlvasgsj.ini
    C:\WINDOWS\system32\mmUuCJjl.ini
    C:\WINDOWS\system32\mmUuCJjl.ini2
    C:\WINDOWS\system32\model.dat
    C:\WINDOWS\system32\mrrbrbce.ini
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
    C:\WINDOWS\system32\myugshea.dll
    C:\WINDOWS\system32\nadbhgkp.ini
    C:\WINDOWS\system32\nafaytad.ini
    C:\WINDOWS\system32\ncntqkdm.exe
    C:\WINDOWS\system32\nikbjfjw.ini
    C:\WINDOWS\system32\nixfukxm.dll
    C:\WINDOWS\system32\nodhijto.ini
    C:\WINDOWS\system32\noidyeea.ini
    C:\WINDOWS\system32\obvpqahh.ini
    C:\WINDOWS\system32\ocaumgvi.ini
    C:\WINDOWS\system32\opnnmJbA.dll
    C:\WINDOWS\system32\ouigwfwg.ini
    C:\WINDOWS\system32\oyjgivgx.ini
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pemhkord.ini
    C:\WINDOWS\system32\pkghbdan.dll
    C:\WINDOWS\system32\pmtplcei.ini
    C:\WINDOWS\system32\ppgpgqkc.ini
    C:\WINDOWS\system32\pppatc~1
    C:\WINDOWS\system32\pqogvmxx.dll
    C:\WINDOWS\system32\qdbnjsfy.ini
    C:\WINDOWS\system32\qnfjimtx.ini
    C:\WINDOWS\system32\qrmydyef.ini
    C:\WINDOWS\system32\qtrqyuqv.ini
    C:\WINDOWS\system32\rdhpkkpb.ini
    C:\WINDOWS\system32\reantnkf.ini
    C:\WINDOWS\system32\rsbjqoip.ini
    C:\WINDOWS\system32\rsYFgfii.ini
    C:\WINDOWS\system32\rsYFgfii.ini2
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\scaxlmfy.dll
    C:\WINDOWS\system32\sfanohmw.dll
    C:\WINDOWS\system32\silc_dll.dll
    C:\WINDOWS\system32\slqkfgmc.ini
    C:\WINDOWS\system32\soigvrpg.ini
    C:\WINDOWS\system32\syfusepb.ini
    C:\WINDOWS\system32\tcntaxdn.exe
    C:\WINDOWS\system32\thvcgnev.ini
    C:\WINDOWS\system32\tidhmvsa.ini
    C:\WINDOWS\system32\tsmakdfr.ini
    C:\WINDOWS\system32\ubaoenss.ini
    C:\WINDOWS\system32\ubcoinbf.ini
    C:\WINDOWS\system32\ujlpdmid.ini
    C:\WINDOWS\system32\ukeumlen.ini
    C:\WINDOWS\system32\uqavtges.ini
    C:\WINDOWS\system32\uwgormjd.ini
    C:\WINDOWS\system32\vbntukjl.dll
    C:\WINDOWS\system32\vjmxaqtp.ini
    C:\WINDOWS\system32\vwiymvho.ini
    C:\WINDOWS\system32\waeedgjj.ini
    C:\WINDOWS\system32\wftgqabf.ini
    C:\WINDOWS\system32\whhkbjov.ini
    C:\WINDOWS\system32\winpfz33.sys
    C:\WINDOWS\system32\wkcfjscl.ini
    C:\WINDOWS\system32\wrlakfmh.ini
    C:\WINDOWS\system32\wyr.dll
    C:\WINDOWS\system32\xajghfhe.ini
    C:\WINDOWS\system32\xobglmbh.ini
    C:\WINDOWS\system32\xosdtadt.ini
    C:\WINDOWS\system32\xtwqbjey.dll
    C:\WINDOWS\system32\xwmlwtfr.ini
    C:\WINDOWS\system32\xwvheybw.ini
    C:\WINDOWS\system32\ybaxxnvw.ini
    C:\WINDOWS\system32\yclvlrkm.exe
    C:\WINDOWS\system32\yigjhnfx.ini
    C:\WINDOWS\system32\ykghqmyi.ini
    C:\WINDOWS\system32\ymjrgdjj.ini
    C:\WINDOWS\system32\ynqkddtd.dll
    C:\WINDOWS\system32\yxglhuoy.ini
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\systemcritical.exe
    C:\WINDOWS\time.exe
    C:\WINDOWS\users32.exe
    C:\WINDOWS\waol.exe
    C:\WINDOWS\win32e.exe
    C:\WINDOWS\win64.exe
    C:\WINDOWS\winajbm.dll
    C:\WINDOWS\window.exe
    C:\WINDOWS\winmgnt.exe
    C:\WINDOWS\x.exe
    C:\WINDOWS\xplugin.dll
    C:\WINDOWS\xxxvideo.hta
    C:\WINDOWS\y.exe
    C:\WINDOWS\ymante~1

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FLTMGRR
    -------\Legacy_MSSECURITY1.209.4
    -------\Legacy_NETWORK_MONITOR
    -------\Service_fltmgrr
    -------\Service_MsSecurity1.209.4


    ((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
    .

    2008-06-22 15:57 . 2008-06-22 15:57 2,019 --a------ C:\WINDOWS\default.htm
    2008-06-22 15:28 . 2008-06-22 15:28 41,379 --a------ C:\Program Files\BChanger.zip
    2008-06-19 19:53 . 2008-06-22 15:28 <DIR> d-------- C:\Program Files\BChanger
    2008-06-17 21:00 . 2008-06-17 21:00 167,976 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-06-17 19:51 . 2008-06-17 19:51 130 --a------ C:\WINDOWS\ODBC.INI
    2008-06-17 18:43 . 2008-06-19 20:03 63,902 --a------ C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll-uninst.exe
    2008-06-15 19:43 . 2008-06-17 20:07 <DIR> d-------- C:\Program Files\new antispyware
    2008-06-11 17:33 . 2008-06-19 19:53 <DIR> d-------- C:\Program Files\GetModule
    2008-06-11 17:32 . 2008-06-11 17:32 <DIR> d-------- C:\Program Files\iCheck
    2008-06-11 17:32 . 2008-06-17 19:03 <DIR> d-------- C:\Program Files\GetPack
    2008-06-11 17:31 . 2008-06-19 19:53 <DIR> d-------- C:\Program Files\altcmd
    2008-06-07 19:54 . 2008-06-07 19:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\WeatherStudio
    2008-06-06 17:22 . 2008-06-11 17:32 586 --ahs---- C:\WINDOWS\system32\txjoswaf.ini
    2008-06-05 19:00 . 2008-06-06 03:08 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\WeatherStudio
    2008-06-05 16:43 . 2008-06-05 16:43 49,184 --a------ C:\WINDOWS\system32\jpwnw64k.exe
    2008-06-05 12:20 . 2008-06-05 12:20 65,528 --a------ C:\WINDOWS\b104.exe.bin
    2008-06-05 12:16 . 2008-06-05 12:16 16,382 --a------ C:\WINDOWS\b103.exe.bin
    2008-06-05 12:06 . 2008-06-05 12:06 57,337 --a------ C:\WINDOWS\b156.exe.bin
    2008-06-04 12:02 . 2008-06-07 00:30 95,833 --a------ C:\WINDOWS\system32\{469104d8-d9e1-bead-e4fe-8ed6459d9bc1}.dll-uninst.exe
    2008-06-04 11:58 . 2008-06-04 12:02 135,168 --a------ C:\WINDOWS\TEK76.exe
    2008-06-04 11:57 . 2008-06-04 11:57 <DIR> d-------- C:\WINDOWS\system32\vntiho01
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\Vco1
    2008-06-04 11:57 . 2008-06-15 20:28 <DIR> d-------- C:\WINDOWS\system32\sTMP
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\fIE
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\Dev3
    2008-06-04 11:57 . 2008-06-15 20:28 <DIR> d-------- C:\WINDOWS\system32\a053
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\6026c
    2008-06-04 11:57 . 2008-06-04 11:57 87,513 --a------ C:\WINDOWS\system32\iftuyszv.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-22 19:53 --------- d-----w C:\Program Files\Windows Plus
    2008-06-20 22:09 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-06-20 00:00 --------- d-----w C:\Documents and Settings\Edwina\Application Data\WeatherStudio
    2008-06-19 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\WeatherStudio
    2008-06-18 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-15 23:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-06 21:25 --------- d-----w C:\Program Files\The Weather Channel FW
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-12 01:00 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
    2008-05-01 23:49 --------- d-----w C:\Program Files\Picasa2
    2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
    2008-03-27 07:09 368,640 ----a-w C:\WINDOWS\system32\pmls.dll
    2008-03-26 14:17 118,784 ----a-w C:\WINDOWS\system32\pmai.dll
    2007-11-12 01:38 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2007-06-15 06:11 29,184 ----a-w C:\Documents and Settings\Edwina\wn0008.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08878A8B-3971-4643-88BB-1E1E424890EA}]
    C:\WINDOWS\system32\pmkhh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6}]
    C:\WINDOWS\system32\iifgFYsr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
    2008-06-22 15:59 147456 --a------ C:\Program Files\altcmd\altcmd32.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3670A914-63C2-4E67-8C9B-370AE1922143}]
    2008-06-19 10:21 36864 --a------ C:\Program Files\BChanger\bchanger.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D7F9440-8E65-44B9-98B1-0C72697E376C}]
    C:\WINDOWS\system32\ljJCuUmm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D384FC7-4CB4-4B13-B718-E148B20CA232}]
    C:\WINDOWS\system32\hgGabYQG.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFE82785-BE10-4186-9597-C2B5B9FE9290}]
    C:\WINDOWS\system32\awtss.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E89CD8A6-BD36-459C-B131-96167C31B28D}]
    C:\WINDOWS\system32\geBuRjhG.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
    "Uaol"="C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" [ ]
    "Mpsp"="C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe" [ ]
    "DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]
    "GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [2008-06-17 05:56 350208]
    "GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [2008-06-17 05:58 351744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 01:09 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48 32881]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 00:46 98304]
    "ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
    "WeatherStudio Desktop"="C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe" [ ]
    "PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 09:35 69632]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 11:24 180269]
    "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21 116224]
    "UADC_3354481086"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
    "PremierOpinion"="c:\windows\system32\pmropn.exe" [2008-01-30 20:45 1609728]
    "{D4-40-06-61-DW}"="C:\windows\system32\rwwnw64d.exe" [ ]
    "avast!"="C:\Program Files\new antispyware\avast4\ashDisp.exe" [2003-05-12 09:52 61440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-08-31 15:40:17 629248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\iftuyszv.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion]
    C:\WINDOWS\system32\pmls.dll 2008-03-27 03:09 368640 C:\WINDOWS\system32\pmls.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqqp]
    tuvtqqp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\WINDOWS\system32\pmai.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"= pvmjpg21.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\windows\\system32\\pmropn.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-15 13:00:02 C:\WINDOWS\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-22 15:57:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\system32\silc_dll.dll 53248 bytes executable
    C:\WINDOWS\system32\model.dat 1358156 bytes

    scan completed successfully
    hidden files: 2

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    C:\WINDOWS\system32\iftuyszv.exe
    C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\ehome\ehRec.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\VSTASCAN\vsaccess.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-22 16:01:31 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-22 20:01:26

    Pre-Run: 56,748,232,704 bytes free
    Post-Run: 57,714,450,432 bytes free

    461 --- E O F --- 2008-05-17 07:03:04

    end Combofix Log


    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:11:01 PM, on 6/22/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    C:\windows\system32\pmropn.exe
    C:\WINDOWS\system32\iftuyszv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Edwina\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/searc...AL5upcdgb3jA==
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6} - C:\WINDOWS\system32\iifgFYsr.dll (file missing)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\altcmd\altcmd32.dll
    O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: (no name) - {4D7F9440-8E65-44B9-98B1-0C72697E376C} - C:\WINDOWS\system32\ljJCuUmm.dll (file missing)
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O2 - BHO: (no name) - {8D384FC7-4CB4-4B13-B718-E148B20CA232} - C:\WINDOWS\system32\hgGabYQG.dll (file missing)
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {CFE82785-BE10-4186-9597-C2B5B9FE9290} - C:\WINDOWS\system32\awtss.dll (file missing)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {E89CD8A6-BD36-459C-B131-96167C31B28D} - C:\WINDOWS\system32\geBuRjhG.dll (file missing)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [WeatherStudio Desktop] "C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe"
    O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [UADC_3354481086] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
    O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
    O4 - HKLM\..\Run: [{D4-40-06-61-DW}] C:\windows\system32\rwwnw64d.exe DWram
    O4 - HKLM\..\Run: [avast!] C:\Program Files\new antispyware\avast4\ashDisp.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mpsp] "C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe"
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
    O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201740934859
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A4583A-A704-4733-BC1F-E18CEA58111D}: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
    O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
    O20 - Winlogon Notify: tuvtqqp - tuvtqqp.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\new antispyware\avast4\ashserv.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 11378 bytes


    End HJT Log


    Thanks again,
    Ura-Maru

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please post the next HijackThis log taken in normal mode.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #8
    Junior Member
    Join Date
    Jun 2008
    Posts
    22

    Default

    Sorry about that.

    Normal Mode HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:52:10 PM, on 6/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    C:\windows\system32\pmropn.exe
    C:\WINDOWS\system32\iftuyszv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
    C:\Program Files\GetPack\GetPack19.exe
    C:\Program Files\GetModule\GetModule19.exe
    C:\Program Files\eFax Messenger 4.3\J2GTray.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\VSTASCAN\vsaccess.exe
    C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Edwina\Desktop\HiJackThis.exe
    C:\WINDOWS\SoftwareDistribution\Download\f1570947f8ce451e47060cfdc13f1bf1\update\update.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.weatherstudio.com/dp/searc...AL5upcdgb3jA==
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {08878A8B-3971-4643-88BB-1E1E424890EA} - C:\WINDOWS\system32\pmkhh.dll (file missing)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6} - C:\WINDOWS\system32\iifgFYsr.dll (file missing)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: BhoApp Class - {32131238-5434-4234-4234-432432423432} - C:\Program Files\altcmd\altcmd32.dll
    O2 - BHO: Helper Class - {3670A914-63C2-4E67-8C9B-370AE1922143} - C:\Program Files\BChanger\bchanger.dll
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: (no name) - {4D7F9440-8E65-44B9-98B1-0C72697E376C} - C:\WINDOWS\system32\ljJCuUmm.dll (file missing)
    O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: WeatherStudio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O2 - BHO: (no name) - {8D384FC7-4CB4-4B13-B718-E148B20CA232} - C:\WINDOWS\system32\hgGabYQG.dll (file missing)
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {CFE82785-BE10-4186-9597-C2B5B9FE9290} - C:\WINDOWS\system32\awtss.dll (file missing)
    O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {E89CD8A6-BD36-459C-B131-96167C31B28D} - C:\WINDOWS\system32\geBuRjhG.dll (file missing)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: WeatherStudio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\WeatherStudio\bin\WeatherStudio.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [WeatherStudio Desktop] "C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe"
    O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [UADC_3354481086] "C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c
    O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
    O4 - HKLM\..\Run: [{D4-40-06-61-DW}] C:\windows\system32\rwwnw64d.exe DWram
    O4 - HKLM\..\Run: [avast!] C:\Program Files\new antispyware\avast4\ashDisp.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uaol] "C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mpsp] "C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe"
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [GetPack19] "C:\Program Files\GetPack\GetPack19.exe"
    O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe"
    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntqkdm.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\NEWANT~1\SPYBOT~2\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusschlacht.com
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201740934859
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A4583A-A704-4733-BC1F-E18CEA58111D}: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
    O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
    O20 - Winlogon Notify: tuvtqqp - tuvtqqp.dll (file missing)
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\new antispyware\avast4\ashserv.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

    --
    End of file - 12811 bytes

    End of HJT log


    Normal Mode ComboFix log:

    ComboFix 08-06-20.4 - Edwina 2008-06-23 17:53:45.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT -4:00]
    Running from: C:\Documents and Settings\Edwina\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\Edwina\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Edwina\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Edwina\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Edwina\Start Menu\Programs\Startup\Deewoo.lnk
    C:\Documents and Settings\Edwina\Start Menu\Programs\Startup\DW_Start.lnk
    C:\WINDOWS\accesss.exe
    C:\WINDOWS\astctl32.ocx
    C:\WINDOWS\avpcc.dll
    C:\WINDOWS\b103.exe.bin
    C:\WINDOWS\b104.exe.bin
    C:\WINDOWS\b156.exe.bin
    C:\WINDOWS\clrssn.exe
    C:\WINDOWS\cpan.dll
    C:\WINDOWS\ctfmon32.exe
    C:\WINDOWS\ctrlpan.dll
    C:\WINDOWS\default.htm
    C:\WINDOWS\directx32.exe
    C:\WINDOWS\dnsrelay.dll
    C:\WINDOWS\editpad.exe
    C:\WINDOWS\explore.exe
    C:\WINDOWS\explorer32.exe
    C:\WINDOWS\funniest.exe
    C:\WINDOWS\funny.exe
    C:\WINDOWS\gfmnaaa.dll
    C:\WINDOWS\helpcvs.exe
    C:\WINDOWS\iedll.exe
    C:\WINDOWS\iexplorer.exe
    C:\WINDOWS\inetinf.exe
    C:\WINDOWS\internet.exe
    C:\WINDOWS\loader.exe
    C:\WINDOWS\msconfd.dll
    C:\WINDOWS\msspi.dll
    C:\WINDOWS\mssys.exe
    C:\WINDOWS\msupdate.exe
    C:\WINDOWS\mswsc10.dll
    C:\WINDOWS\mswsc20.dll
    C:\WINDOWS\mtwirl32.dll
    C:\WINDOWS\notepad32.exe
    C:\WINDOWS\olehelp.exe
    C:\WINDOWS\qttasks.exe
    C:\WINDOWS\quicken.exe
    C:\WINDOWS\rundll16.exe
    C:\WINDOWS\rundll32.vbe
    C:\WINDOWS\searchword.dll
    C:\WINDOWS\sistem.exe
    C:\WINDOWS\svchost32.exe
    C:\WINDOWS\svcinit.exe
    C:\WINDOWS\systeem.exe
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\ldpackage.dll
    C:\WINDOWS\system32\model.dat
    C:\WINDOWS\system32\silc_dll.dll
    C:\WINDOWS\systemcritical.exe
    C:\WINDOWS\time.exe
    C:\WINDOWS\users32.exe
    C:\WINDOWS\waol.exe
    C:\WINDOWS\win32e.exe
    C:\WINDOWS\win64.exe
    C:\WINDOWS\winajbm.dll
    C:\WINDOWS\window.exe
    C:\WINDOWS\winmgnt.exe
    C:\WINDOWS\x.exe
    C:\WINDOWS\xplugin.dll
    C:\WINDOWS\xxxvideo.hta
    C:\WINDOWS\y.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
    .

    2008-06-22 16:02 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-22 16:02 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-06-22 15:28 . 2008-06-22 15:28 41,379 --a------ C:\Program Files\BChanger.zip
    2008-06-19 19:53 . 2008-06-22 15:28 <DIR> d-------- C:\Program Files\BChanger
    2008-06-17 19:51 . 2008-06-17 19:51 130 --a------ C:\WINDOWS\ODBC.INI
    2008-06-17 18:43 . 2008-06-19 20:03 63,902 --a------ C:\WINDOWS\system32\{cc781633-302b-b76d-2f5f-2ef83eace530}.dll-uninst.exe
    2008-06-15 19:43 . 2008-06-17 20:07 <DIR> d-------- C:\Program Files\new antispyware
    2008-06-11 17:33 . 2008-06-19 19:53 <DIR> d-------- C:\Program Files\GetModule
    2008-06-11 17:32 . 2008-06-11 17:32 <DIR> d-------- C:\Program Files\iCheck
    2008-06-11 17:32 . 2008-06-17 19:03 <DIR> d-------- C:\Program Files\GetPack
    2008-06-11 17:31 . 2008-06-23 18:01 <DIR> d-------- C:\Program Files\altcmd
    2008-06-07 19:54 . 2008-06-07 19:54 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\WeatherStudio
    2008-06-06 17:22 . 2008-06-11 17:32 586 --ahs---- C:\WINDOWS\system32\txjoswaf.ini
    2008-06-05 19:00 . 2008-06-06 03:08 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\WeatherStudio
    2008-06-05 16:43 . 2008-06-05 16:43 49,184 --a------ C:\WINDOWS\system32\jpwnw64k.exe
    2008-06-04 12:02 . 2008-06-07 00:30 95,833 --a------ C:\WINDOWS\system32\{469104d8-d9e1-bead-e4fe-8ed6459d9bc1}.dll-uninst.exe
    2008-06-04 11:58 . 2008-06-04 12:02 135,168 --a------ C:\WINDOWS\TEK76.exe
    2008-06-04 11:57 . 2008-06-04 11:57 <DIR> d-------- C:\WINDOWS\system32\vntiho01
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\Vco1
    2008-06-04 11:57 . 2008-06-15 20:28 <DIR> d-------- C:\WINDOWS\system32\sTMP
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\fIE
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\Dev3
    2008-06-04 11:57 . 2008-06-15 20:28 <DIR> d-------- C:\WINDOWS\system32\a053
    2008-06-04 11:57 . 2008-06-11 21:23 <DIR> d-------- C:\WINDOWS\system32\6026c

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 21:53 --------- d-----w C:\Documents and Settings\Edwina\Application Data\WeatherStudio
    2008-06-23 21:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\WeatherStudio
    2008-06-22 19:53 --------- d-----w C:\Program Files\Windows Plus
    2008-06-18 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-06-15 23:46 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-15 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-06 21:25 --------- d-----w C:\Program Files\The Weather Channel FW
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2008-05-01 23:49 --------- d-----w C:\Program Files\Picasa2
    2008-04-29 15:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 15:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 15:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2007-11-12 01:38 774,144 ----a-w C:\Program Files\RngInterstitial.dll
    2007-06-15 06:11 29,184 ----a-w C:\Documents and Settings\Edwina\wn0008.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-22_16.01.06.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
    + 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
    + 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
    + 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
    + 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
    + 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
    + 2008-05-07 05:12:40 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
    + 2008-05-07 05:04:15 1,288,192 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
    + 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
    + 2007-11-30 11:18:51 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
    + 2007-11-30 11:18:51 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
    + 2007-11-30 12:39:22 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
    + 2007-11-30 12:39:22 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
    - 2008-06-22 19:56:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-23 22:01:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
    + 2008-03-01 13:06:20 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
    + 2008-03-01 13:06:21 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
    + 2008-03-01 13:06:21 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
    + 2008-03-01 13:06:21 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
    + 2008-03-01 13:06:21 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll
    + 2008-02-29 08:55:23 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
    + 2008-03-01 13:06:21 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
    + 2008-03-01 13:06:21 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
    + 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
    + 2008-03-01 13:06:22 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll
    + 2008-03-01 13:06:22 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
    + 2008-03-01 13:06:24 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll
    + 2008-03-01 13:06:24 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
    + 2008-03-01 13:06:25 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll
    + 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
    + 2008-02-29 08:55:46 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
    + 2008-03-01 13:06:25 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
    + 2008-03-01 13:06:26 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll
    + 2008-03-01 13:06:26 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll
    + 2008-03-01 22:36:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
    + 2008-03-01 13:06:28 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
    + 2008-03-01 13:06:28 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
    + 2008-03-01 13:06:29 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
    + 2008-03-01 13:06:29 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
    + 2008-03-01 13:06:29 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
    + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe
    + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll
    + 2008-03-01 13:06:29 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
    + 2008-03-01 13:06:30 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
    + 2008-03-01 13:06:30 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
    + 2008-03-01 13:06:31 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
    - 2008-03-01 13:06:20 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    + 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
    - 2008-03-01 13:06:20 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    + 2008-04-23 04:16:28 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    + 2008-04-23 04:16:28 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    - 2008-02-29 08:55:23 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    + 2008-04-20 05:07:51 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    - 2008-03-01 13:06:22 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    - 2008-02-22 10:00:51 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    - 2008-02-29 08:55:46 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    + 2008-04-22 07:40:18 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    + 2008-02-26 11:59:50 294,912 ------w C:\WINDOWS\system32\dllcache\msctf.dll
    - 2008-03-01 13:06:26 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    - 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    + 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    - 2008-03-01 13:06:29 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    + 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\dllcache\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
    - 2007-10-29 22:35:13 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    + 2008-05-07 04:55:40 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    - 2006-07-13 08:48:58 202,240 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    + 2008-05-08 12:28:49 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
    - 2008-03-01 13:06:29 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    + 2008-04-23 04:16:28 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    - 2008-03-01 13:06:21 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    + 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
    - 2008-03-01 13:06:21 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    + 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
    - 2008-03-01 13:06:21 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    + 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll
    - 2008-03-01 13:06:21 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    + 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
    - 2008-02-29 08:55:23 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    + 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
    - 2008-03-01 13:06:21 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    + 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
    - 2008-03-01 13:06:21 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    + 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
    - 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    + 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
    - 2008-03-01 13:06:22 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    + 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
    - 2008-03-01 13:06:22 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    + 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
    - 2008-03-01 13:06:24 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    + 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll
    - 2008-03-01 13:06:24 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
    - 2008-03-01 13:06:25 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    + 2008-04-23 04:16:28 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
    - 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
    - 2008-03-01 13:06:25 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    + 2008-04-23 04:16:28 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
    - 2008-05-09 18:35:06 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
    + 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
    - 2004-08-10 11:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
    + 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
    - 2008-03-01 13:06:26 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    + 2008-04-23 04:16:28 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
    - 2008-03-01 13:06:26 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    + 2008-04-23 04:16:28 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
    - 2008-03-01 22:36:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    + 2008-04-24 02:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
    - 2008-03-01 13:06:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    + 2008-04-23 04:16:28 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
    - 2008-03-01 13:06:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    + 2008-04-23 04:16:28 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
    - 2008-03-01 13:06:29 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    + 2008-04-23 04:16:28 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
    - 2008-03-01 13:06:29 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    + 2008-04-23 04:16:28 102,912 ----a-w C:\WINDOWS\system32\occache.dll
    - 2008-03-01 13:06:29 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    + 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
    - 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    + 2008-05-07 04:55:40 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
    - 2007-03-06 01:22:33 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
    + 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
    - 2008-03-01 13:06:29 105,984 ----a-w C:\WINDOWS\system32\url.dll
    + 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
    - 2008-03-01 13:06:30 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    + 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
    - 2008-03-01 13:06:30 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    + 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
    - 2008-03-01 13:06:31 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    + 2008-04-23 04:16:29 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08878A8B-3971-4643-88BB-1E1E424890EA}]
    C:\WINDOWS\system32\pmkhh.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D1A2E6-28F9-43E6-9A0D-A68BE6D35FA6}]
    C:\WINDOWS\system32\iifgFYsr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32131238-5434-4234-4234-432432423432}]
    2008-06-23 18:04 147456 --a------ C:\Program Files\altcmd\altcmd32.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3670A914-63C2-4E67-8C9B-370AE1922143}]
    2008-06-19 10:21 36864 --a------ C:\Program Files\BChanger\bchanger.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D7F9440-8E65-44B9-98B1-0C72697E376C}]
    C:\WINDOWS\system32\ljJCuUmm.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D384FC7-4CB4-4B13-B718-E148B20CA232}]
    C:\WINDOWS\system32\hgGabYQG.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFE82785-BE10-4186-9597-C2B5B9FE9290}]
    C:\WINDOWS\system32\awtss.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E89CD8A6-BD36-459C-B131-96167C31B28D}]
    C:\WINDOWS\system32\geBuRjhG.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-07-19 12:14 57344]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 17:46 135168]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00 15360]
    "Uaol"="C:\DOCUME~1\Edwina\APPLIC~1\ICROSO~1\nslookup.exe" [ ]
    "Mpsp"="C:\Documents and Settings\Edwina\My Documents\F?nts\r?ndll32.exe" [ ]
    "DW6"="C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 16:18 785520]
    "GetPack19"="C:\Program Files\GetPack\GetPack19.exe" [2008-06-17 05:56 350208]
    "GetModule19"="C:\Program Files\GetModule\GetModule19.exe" [2008-06-17 05:58 351744]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 01:09 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 01:06 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 01:10 114688]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48 32881]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 00:46 98304]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 12:44 249856]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 13:06 106496]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-07-19 12:06 40960]
    "WeatherStudio Desktop"="C:\Program Files\WeatherStudio Desktop\WeatherStudio Desktop.exe" [ ]
    "PDUiP6600DMon"="C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 09:35 69632]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 11:24 180269]
    "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 13:21 116224]
    "UADC_3354481086"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
    "PremierOpinion"="c:\windows\system32\pmropn.exe" [2008-01-30 20:45 1609728]
    "{D4-40-06-61-DW}"="C:\windows\system32\rwwnw64d.exe" [ ]
    "avast!"="C:\Program Files\new antispyware\avast4\ashDisp.exe" [2003-05-12 09:52 61440]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 21:23 443968]

    C:\Documents and Settings\Edwina\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [2007-01-02 17:24:38 225280]
    UMAX VistaAccess.lnk - C:\VSTASCAN\vsaccess.exe [2006-04-07 19:26:07 158208]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe [2007-08-31 15:40:17 629248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion]
    C:\WINDOWS\system32\pmls.dll 2008-03-27 03:09 368640 C:\WINDOWS\system32\pmls.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqqp]
    tuvtqqp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\WINDOWS\system32\pmai.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.MJPG"= pvmjpg21.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\windows\\system32\\pmropn.exe"=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-15 13:00:02 C:\WINDOWS\Tasks\rpc.job"
    - C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-23 18:01:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\new antispyware\Ad Aware 2008\aawservice.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\new antispyware\avast4\aswUpdSv.exe
    C:\WINDOWS\ehome\ehrecvr.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\ehome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-23 18:05:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-23 22:05:34
    ComboFix2.txt 2008-06-22 20:01:32

    Pre-Run: 57,661,329,408 bytes free
    Post-Run: 57,573,425,152 bytes free

    411 --- E O F --- 2008-06-23 22:00:02

    End of ComboFix log.


    Thanks,
    Ura-Maru
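Reading the autostart sections of a ComboFix log by hand is slow and easy to get wrong, so here is a small Python triage script. It is an added example, not code from the thread, from ComboFix or from Trend Micro; `SAMPLE_LOG` is a constructed excerpt of the log posted above (the header over the first Run block sits above the quoted part of the log, so the `HKLM\...\Run` header used for it is an assumption), and the rules it applies are this editor's own: an entry whose trailing bracket is empty (`[ ]`) is read as "no file found to stamp when the log was taken", which is an assumption about ComboFix's format; a Winlogon Notify DLL given without a directory, a non-empty `AppInit_DLLs`, a Run target that also has a firewall exception, a Run target under `system32`, a brace-delimited Run name, and an AutoRun command under `MountPoints2` are each reported as something to look at, not as proof of infection.

```python
import re

# Constructed sample input: the autostart-related sections of the ComboFix
# log posted above, trimmed to a few entries. The HKLM Run header is assumed
# (it lies above the quoted part of the log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 00:46 98304]
"UADC_3354481086"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
"PremierOpinion"="c:\windows\system32\pmropn.exe" [2008-01-30 20:45 1609728]
"{D4-40-06-61-DW}"="C:\windows\system32\rwwnw64d.exe" [ ]
"avast!"="C:\Program Files\new antispyware\avast4\ashDisp.exe" [2003-05-12 09:52 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion]
C:\WINDOWS\system32\pmls.dll 2008-03-27 03:09 368640 C:\WINDOWS\system32\pmls.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtqqp]
tuvtqqp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\pmai.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\windows\\system32\\pmropn.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "Name"="target" [date time size]   or   "Name"="target" [ ]
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"(?P<path>[^"]+)"=$')


def parse_sections(text):
    """Group the log's non-empty lines under their [bracketed] registry header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def normalize_path(p):
    # Firewall entries are written REG-style with doubled backslashes; undo that
    # and case-fold so paths from different sections compare equal. %windir% is
    # left unexpanded on purpose: the log never tells us its value.
    return p.replace('\\\\', '\\').lower()


def triage(text):
    """Return a list of (rule, name, detail) findings for the autostart sections."""
    findings, run_targets, firewall = [], {}, set()
    for header, lines in parse_sections(text).items():
        h = header.lower()
        if h.endswith('\\run'):
            for line in lines:
                m = RUN_ENTRY_RE.match(line)
                if not m:
                    continue
                name, target, meta = m.group('name'), m.group('target'), m.group('meta').strip()
                run_targets[normalize_path(target)] = name
                if not meta:                       # assumed: no file was found to stamp
                    findings.append(('missing-file-metadata', name, target))
                if '\\system32\\' in target.lower():
                    findings.append(('run-from-system32', name, target))
                if re.fullmatch(r'\{[A-Za-z0-9-]+\}', name):
                    findings.append(('brace-delimited-name', name, target))
        elif '\\winlogon\\notify\\' in h:
            for line in lines:
                first = line.split()[0]
                if '\\' not in first:              # bare DLL name, resolved via search path
                    findings.append(('notify-dll-without-path', header.rsplit('\\', 1)[-1], first))
        elif h.endswith('\\currentversion\\windows'):
            for line in lines:
                if line.lower().startswith('"appinit_dlls"='):
                    value = line.split('=', 1)[1].strip()
                    if value:
                        findings.append(('appinit-dll', 'AppInit_DLLs', value))
        elif 'authorizedapplications' in h:
            for line in lines:
                m = FIREWALL_RE.match(line)
                if m:
                    firewall.add(normalize_path(m.group('path')))
        elif 'mountpoints2' in h:
            for line in lines:
                if 'autorun' in line.lower() and ' - ' in line:
                    findings.append(('autorun-command', header.rsplit('\\', 1)[-1], line.split(' - ', 1)[1]))
    # Cross-section rule: a Run entry that also got itself a firewall exception.
    for path, name in run_targets.items():
        if path in firewall:
            findings.append(('run-entry-with-firewall-exception', name, path))
    return findings


if __name__ == '__main__':
    for rule, name, detail in triage(SAMPLE_LOG):
        print(f'{rule:36} {name:24} {detail}')
```

Run it over a full ComboFix log by replacing `SAMPLE_LOG` with the file contents; the point of the cross-section rule is that a single entry is rarely conclusive, whereas the same binary turning up in the Run key and in the firewall's allowed list is worth a file scan before anything else.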

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Please click this link-->Jotti

    Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

    C:\WINDOWS\system32\pmai.dll

    Repeat steps for all files on the list.

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Junior Member
    Join Date
    Jun 2008
    Posts
    22

    Default

    Hopefully this is readable enough . . .

    Start of scanner results:

    File: pmai.dll
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 64c9b467f6408efc3e7f69c6d86aead8
    Packers detected: -

    Scanner results
    Scan taken on 24 Jun 2008 20:45:05 (GMT)
    A-Squared Found Adware.Win32.BHO.th
    AntiVir Found ADSPY/Bho.TH.1
    ArcaVir Found Adware.Bho.Th
    Avast Found Win32:Adware-gen
    AVG Antivirus Found nothing
    BitDefender Found Adware.BHO.WRM
    ClamAV Found Adware.BHO-424
    CPsecure Found AdWare.W32.BHO.th
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Adware:W32/MarketScore.C (3, 1, 206), not-a-virus:AdWare.Win32.BHO.th (4, 1, 400)
    Fortinet Found Adware/BHO
    Ikarus Found not-a-virus:AdWare.Win32.BHO.th
    Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.BHO.th
    NOD32 Found nothing
    Norman Virus Control Found W32/BHO.BYS
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found AdWare.Win32.BHO.th

    End of Scanner Log

    Thanks,
    Ura-Maru
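The procedure in the reply above (upload the file, repeat for each file on the list, post the results) and the report that came back are a good fit for a small parser, so here is one in Python. It is an added example and not code from the thread, from Jotti or from VirusTotal; `REPORT` is the Jotti output from the post above embedded as sample input (the parenthetical note on the Status line is dropped), and the function names `parse_report`, `detection_ratio`, `family_consensus` and `md5_hex`, together with the list of tokens treated as generic rather than as a family name, are this editor's own choices. It goes slightly beyond the single report on the page: the same parser works for any report written as `Engine Found verdict` lines.

```python
import hashlib
import re
from collections import Counter

# Sample input: the Jotti report from the post above (Status line shortened).
REPORT = """\
File: pmai.dll
Status: INFECTED/MALWARE
MD5: 64c9b467f6408efc3e7f69c6d86aead8
Packers detected: -

Scanner results
Scan taken on 24 Jun 2008 20:45:05 (GMT)
A-Squared Found Adware.Win32.BHO.th
AntiVir Found ADSPY/Bho.TH.1
ArcaVir Found Adware.Bho.Th
Avast Found Win32:Adware-gen
AVG Antivirus Found nothing
BitDefender Found Adware.BHO.WRM
ClamAV Found Adware.BHO-424
CPsecure Found AdWare.W32.BHO.th
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Adware:W32/MarketScore.C (3, 1, 206), not-a-virus:AdWare.Win32.BHO.th (4, 1, 400)
Fortinet Found Adware/BHO
Ikarus Found not-a-virus:AdWare.Win32.BHO.th
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.BHO.th
NOD32 Found nothing
Norman Virus Control Found W32/BHO.BYS
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.BHO.th
"""

# Engine names may contain spaces ("F-Secure Anti-Virus"), so split on " Found ".
RESULT_RE = re.compile(r'^(?P<scanner>.+?) Found (?P<verdict>.+)$')
HEADER_RE = re.compile(r'^(?P<key>File|MD5|Status):\s*(?P<value>.+)$')

# Tokens that name a category, not a family; this stoplist is an editorial choice.
GENERIC = {'adware', 'adspy', 'not', 'virus', 'win', 'gen', 'generic', 'trojan', 'malware'}


def parse_report(text):
    """Return {'file', 'md5', 'status', 'results': [(engine, verdict or None), ...]}."""
    report = {'file': None, 'md5': None, 'status': None, 'results': []}
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            report[h.group('key').lower()] = h.group('value')
            continue
        m = RESULT_RE.match(line)
        if m:
            verdict = m.group('verdict').strip()
            # "Found nothing" is a clean result, stored as None.
            report['results'].append((m.group('scanner'), None if verdict.lower() == 'nothing' else verdict))
    return report


def detection_ratio(results):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for _, v in results if v), len(results)


def family_consensus(results):
    """Count family-like tokens once per engine; most common first.

    Vendors spell the same family differently (BHO.th, Bho.TH.1, BHO-424, BHO.BYS),
    so tokenising the verdicts is more useful than exact-matching them.
    """
    counts = Counter()
    for _, verdict in results:
        if verdict:
            counts.update(set(re.findall(r'[a-z]{3,}', verdict.lower())) - GENERIC)
    return counts.most_common()


def md5_hex(data):
    """MD5 of a byte string, to check the local copy against the MD5 the service reported."""
    return hashlib.md5(data).hexdigest()


if __name__ == '__main__':
    rep = parse_report(REPORT)
    hits, total = detection_ratio(rep['results'])
    print(f"{rep['file']} ({rep['md5']}): {hits}/{total} engines, consensus {family_consensus(rep['results'])[:3]}")
```

Before trusting a result, hash the file you actually submitted (`md5_hex(open(path, 'rb').read())`) and compare it with the `MD5:` line; a cached result for a different file of the same name is a classic way to end up chasing the wrong sample. For this report the parser gives 13 of 20 engines flagging the file, with 12 of those 13 naming `BHO`, which is the kind of agreement that makes a vendor-neutral label worth more than any single engine's string.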
