Help remove virtumonde and smitfraud c.coreservice

[calmva]

Hi

Thanks for taking the time to help. Spybot indicates our computer has the virtumonde and smitfraud-c.coreservice viruses. First I tried vundofix without success. I followed the instructions to do before posting. When I ran the Kaspersky scan the first time it made it halfway through and stopped. When I tried to run it again it wouldn't start. I ran Spybot in safe mode twice and got all the problems in red fixed. I was unable to log onto spybot forums on the infected machine and am doing so on another in the house. Below is the HJT log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:56:12 PM, on 2/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\system32\B1B3B1B5B6B6B0.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Matthew\MYDOCU~1\YSTEM3~1\iexplore.exe
C:\Program Files\??stem32\l?ass.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10244&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...JEpv52NcYCllR9AaUmajieh9xMyjYF/lw1zJQcqBR4sg=
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: (no name) - {178673D0-84D1-4364-9A4D-2192C6D6AEA8} - (no file)
O2 - BHO: (no name) - {191D2EC7-78F6-4491-9F19-3DDF562C0CAF} - (no file)
O2 - BHO: (no name) - {19C348F1-430F-4E22-91D2-D11D3D0BB8D4} - (no file)
O2 - BHO: (no name) - {1E41CC0E-46FA-477A-A61F-2AD838CBF691} - (no file)
O2 - BHO: (no name) - {200D0AAD-71B1-51C9-DDB0-092BA4662A54} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - (no file)
O2 - BHO: (no name) - {323EC892-5200-70DC-0467-5E00BCC98ACC} - C:\WINDOWS\system32\aico.dll
O2 - BHO: (no name) - {32F4788A-F976-4C10-943E-B29A8B44A07F} - (no file)
O2 - BHO: (no name) - {36C0F118-56B9-4CF4-2DA4-F6022A9B380E} - (no file)
O2 - BHO: (no name) - {421AF260-3AF5-102D-F8C8-64A396F8AC99} - (no file)
O2 - BHO: (no name) - {4838A974-3E34-4148-A09B-E0F9E8D75F99} - (no file)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EB909D1-0002-4D7E-9E50-029023284206} - (no file)
O2 - BHO: (no name) - {716e997e-b1c8-4004-89e4-96bfb073222b} - C:\WINDOWS\system32\pjpbjhpt.dll
O2 - BHO: (no name) - {7576BA7C-3E11-4B50-8DF3-8EF0E997414C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77BD3630-EF63-4548-9BD0-278B1B629150} - (no file)
O2 - BHO: (no name) - {7DBA8EE4-006E-4F10-8F58-44377D055A83} - (no file)
O2 - BHO: (no name) - {8F06137F-A3C3-4DAB-AABF-59AACAEBFAF9} - (no file)
O2 - BHO: (no name) - {9DBDCCD3-D822-40C0-89DC-71648AA3D2C1} - (no file)
O2 - BHO: (no name) - {A1894415-6581-412D-BD45-2CC088DF5614} - (no file)
O2 - BHO: (no name) - {B1FAFF16-678E-430B-D25A-3DE672810394} - (no file)
O2 - BHO: (no name) - {B4ADAF47-33DD-4D5F-DC5A-3DE672810297} - (no file)
O2 - BHO: (no name) - {B5FDF840-328F-4D0F-DA5A-3DE672815EC5} - (no file)
O2 - BHO: (no name) - {C0F12AFD-FE29-47A4-BD53-F539B3DB84D7} - (no file)
O2 - BHO: (no name) - {C10D788C-A04D-48E3-998A-1C75DAED1437} - (no file)
O2 - BHO: (no name) - {CAAF4337-0422-4FBD-A1B7-7AED34B47180} - (no file)
O2 - BHO: (no name) - {D8D86E20-E619-4FF3-93B7-A824E521F6B4} - (no file)
O2 - BHO: (no name) - {DE70807B-934E-46E9-BDF4-8E850A2EA61E} - (no file)
O2 - BHO: (no name) - {E0647A24-B3A0-4F20-AA8B-97EB2D82EDF6} - (no file)
O2 - BHO: (no name) - {F2BBA1B4-E557-458E-8553-759B22C0346F} - (no file)
O2 - BHO: (no name) - {FB43A648-A1BF-4699-9762-7C1A68B89A1D} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [0204020607070108] B1B3B1B5B6B6B0.exe
O4 - HKLM\..\Run: [3430b7e2] rundll32.exe "C:\WINDOWS\system32\viveaiix.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [7D51447C11737A255E51] Rundll32.exe "C:\WINDOWS\system32\fmdihwek.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\Matthew\MYDOCU~1\YSTEM3~1\iexplore.exe" -vt yazb
O4 - HKCU\..\Run: [Brlr] "C:\Program Files\??stem32\l?ass.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: mljklll - mljklll.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxyb32 - winxyb32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[Shaba]

Hi calmva

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report

 

[calmva]

Hi Shaba,

Thanks for helping. I have turned off Tea Timer and run ComboFix. I have included the HJL and ComboFix files as requested. I am able to get to the Spybot website and forums but am not able to log on with the infected computer. So I am logging on to Spybot S&D and uploading the files from another computer.

Logfile of HijackThis v1.99.1
Scan saved at 5:01:05 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\system32\B1B3B1B5B6B6B0.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [0204020607070108] B1B3B1B5B6B6B0.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [7D51447C11737A255E51] Rundll32.exe "C:\WINDOWS\system32\egmhdwuw.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Brlr] "C:\Program Files\??stem32\l?ass.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: mljklll - mljklll.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxyb32 - winxyb32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[calmva]

Here is the ComboFix file:


ComboFix 08-02.05.3 - Matthew 2008-02-08 16:46:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.670 [GMT -5:00]
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\HPNN.sys
C:\Documents and Settings\Matthew\My Documents\CROSOF~1
C:\Documents and Settings\Matthew\My Documents\PPATCH~1
C:\Documents and Settings\Matthew\My Documents\YSTEM3~1
C:\Documents and Settings\Matthew\My Documents\YSTEM3~1\?ystem32\
C:\Documents and Settings\Matthew\My Documents\YSTEM3~1\iexplore.exe
C:\Documents and Settings\Nora\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\SpyGuardPro
C:\Program Files\dobe~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\SpyGuardPro
C:\Program Files\SpyGuardPro\unins000.dat
C:\Program Files\SpyGuardPro\unins000.exe
C:\Program Files\stem32~1
C:\Program Files\stem32~1\l?ass.exe
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\Thelc___.fon
C:\WINDOWS\system32\aico.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\HPNN.sys
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\gebccdc.dll
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\pjpbjhpt.dll
C:\WINDOWS\SYSTEM32\rtutv.ini
C:\WINDOWS\SYSTEM32\rtutv.ini2
C:\WINDOWS\system32\viveaiix.dll
C:\WINDOWS\system32\wintit32.exe
C:\WINDOWS\SYSTEM32\xiiaeviv.ini
C:\WINDOWS\system32\yayyvuu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_HPNN
-------\LEGACY_NETWORK_MONITOR
-------\HPNN


((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 16:38 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\egmhdwuw.dll
2008-02-08 16:38 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\egmhdwuw.xml
2008-02-08 16:37 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\saciitlo.dll
2008-02-08 16:37 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\nzwqgdko.dll
2008-02-08 16:37 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\saciitlo.xml
2008-02-08 16:37 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\nzwqgdko.xml
2008-02-07 17:39 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ljgzbjnd.dll
2008-02-07 17:39 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\ljgzbjnd.xml
2008-02-07 17:38 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\helzjgvr.dll
2008-02-07 17:38 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\helzjgvr.xml
2008-02-07 08:51 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\podhvchm.dll
2008-02-07 08:51 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\podhvchm.xml
2008-02-06 15:27 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fmdihwek.dll
2008-02-06 15:27 . 2008-02-06 20:30 3,373 --a------ C:\WINDOWS\SYSTEM32\fmdihwek.xml
2008-02-05 21:38 . 2003-02-24 19:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-05 21:32 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\oridndps.dll
2008-02-05 21:32 . 2008-02-05 19:10 3,274 --a------ C:\WINDOWS\SYSTEM32\oridndps.xml
2008-02-05 06:06 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\kikofnyx.dll
2008-02-05 06:06 . 2008-02-06 15:27 3,274 --a------ C:\WINDOWS\SYSTEM32\kikofnyx.xml
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 20:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\lqibputh.dll
2008-02-04 20:00 . 2008-02-05 00:30 3,372 --a------ C:\WINDOWS\SYSTEM32\lqibputh.xml
2008-02-04 19:57 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fiyawjuy.dll
2008-02-04 19:57 . 2008-02-04 19:39 3,372 --a------ C:\WINDOWS\SYSTEM32\fiyawjuy.xml
2008-02-04 19:30 . 2008-02-04 19:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 19:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-04 19:29 . 2008-02-04 19:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 17:28 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\yyjpcqou.dll
2008-02-04 17:28 . 2008-02-04 19:39 3,372 --a------ C:\WINDOWS\SYSTEM32\yyjpcqou.xml
2008-02-04 17:10 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\zfgfscqo.dll
2008-02-04 17:10 . 2008-02-04 16:30 3,373 --a------ C:\WINDOWS\SYSTEM32\zfgfscqo.xml
2008-02-04 16:39 . 2008-02-04 16:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-04 16:33 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xnszzshp.dll
2008-02-04 16:33 . 2008-02-04 16:30 3,373 --a------ C:\WINDOWS\SYSTEM32\xnszzshp.xml
2008-02-04 15:49 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\qckwucac.dll
2008-02-04 15:49 . 2008-02-04 06:37 3,275 --a------ C:\WINDOWS\SYSTEM32\qckwucac.xml
2008-02-04 06:38 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\kryagtad.dll
2008-02-04 06:38 . 2008-02-04 16:30 3,373 --a------ C:\WINDOWS\SYSTEM32\kryagtad.xml
2008-02-03 23:01 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\wiccdtxd.dll
2008-02-03 23:01 . 2008-02-04 06:37 3,275 --a------ C:\WINDOWS\SYSTEM32\wiccdtxd.xml
2008-02-03 13:41 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\boblmnhk.dll
2008-02-03 13:41 . 2008-02-03 22:42 3,275 --a------ C:\WINDOWS\SYSTEM32\boblmnhk.xml
2008-02-02 23:13 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\grvexblz.dll
2008-02-02 23:13 . 2008-02-03 13:14 3,372 --a------ C:\WINDOWS\SYSTEM32\grvexblz.xml
2008-02-02 18:06 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xbgptgxh.dll
2008-02-02 18:06 . 2008-02-02 18:40 3,373 --a------ C:\WINDOWS\SYSTEM32\xbgptgxh.xml
2008-02-02 11:53 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ojdchfic.dll
2008-02-02 11:53 . 2008-02-02 11:06 3,274 --a------ C:\WINDOWS\SYSTEM32\ojdchfic.xml
2008-02-02 01:55 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\omdrszpq.dll
2008-02-02 01:55 . 2008-02-02 17:54 3,373 --a------ C:\WINDOWS\SYSTEM32\omdrszpq.xml
2008-02-01 20:44 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\rdenlpnp.dll
2008-02-01 20:44 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\nkwegkgk.dll
2008-02-01 20:44 . 2008-02-01 19:50 3,274 --a------ C:\WINDOWS\SYSTEM32\rdenlpnp.xml
2008-02-01 20:44 . 2008-02-01 20:51 3,274 --a------ C:\WINDOWS\SYSTEM32\nkwegkgk.xml
2008-02-01 11:46 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\mhhvexbo.dll
2008-02-01 11:46 . 2008-02-01 19:50 3,274 --a------ C:\WINDOWS\SYSTEM32\mhhvexbo.xml
2008-01-31 16:53 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\tdqqpqud.dll
2008-01-31 16:53 . 2008-02-01 09:59 3,371 --a------ C:\WINDOWS\SYSTEM32\tdqqpqud.xml
2008-01-31 16:26 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\dmjlpxhe.dll
2008-01-31 16:26 . 2008-01-31 15:56 3,372 --a------ C:\WINDOWS\SYSTEM32\dmjlpxhe.xml
2008-01-31 15:37 . 2008-01-04 16:58 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-31 15:37 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-31 15:37 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-30 21:53 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\zhcbggxl.dll
2008-01-30 21:53 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\bmycxyov.dll
2008-01-30 21:53 . 2008-01-31 16:48 3,372 --a------ C:\WINDOWS\SYSTEM32\bmycxyov.xml
2008-01-30 21:53 . 2008-01-30 17:57 3,275 --a------ C:\WINDOWS\SYSTEM32\zhcbggxl.xml
2008-01-30 14:55 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\nwbjtfju.dll
2008-01-30 14:55 . 2008-01-30 17:57 3,275 --a------ C:\WINDOWS\SYSTEM32\nwbjtfju.xml
2008-01-29 21:50 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\tzuseiup.dll
2008-01-29 21:50 . 2008-01-30 11:40 3,372 --a------ C:\WINDOWS\SYSTEM32\tzuseiup.xml
2008-01-29 18:27 . 2008-02-04 18:14 <DIR> d-------- C:\VundoFix Backups
2008-01-29 18:23 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\zpizqnxd.dll
2008-01-29 18:23 . 2008-01-29 21:19 3,372 --a------ C:\WINDOWS\SYSTEM32\zpizqnxd.xml
2008-01-29 17:11 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ywrirvxu.dll
2008-01-29 17:11 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\szkepcwo.dll
2008-01-29 17:11 . 2008-01-29 18:19 3,372 --a------ C:\WINDOWS\SYSTEM32\ywrirvxu.xml
2008-01-29 17:11 . 2008-01-29 17:10 3,372 --a------ C:\WINDOWS\SYSTEM32\szkepcwo.xml
2008-01-29 15:01 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\lmpstiso.dll
2008-01-29 15:01 . 2008-01-29 17:10 3,372 --a------ C:\WINDOWS\SYSTEM32\lmpstiso.xml
2008-01-29 13:56 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\lgoggran.dll
2008-01-29 13:56 . 2008-01-29 14:57 3,372 --a------ C:\WINDOWS\SYSTEM32\lgoggran.xml
2008-01-28 21:57 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\cafnqucz.dll
2008-01-28 21:57 . 2008-01-29 13:53 3,372 --a------ C:\WINDOWS\SYSTEM32\cafnqucz.xml
2008-01-28 20:19 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ketujplu.dll
2008-01-28 20:19 . 2008-01-28 21:41 3,372 --a------ C:\WINDOWS\SYSTEM32\ketujplu.xml
2008-01-28 20:11 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xguwehaf.dll
2008-01-28 20:11 . 2008-01-28 20:18 3,372 --a------ C:\WINDOWS\SYSTEM32\xguwehaf.xml
2008-01-28 19:32 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ltklauds.dll
2008-01-28 19:32 . 2008-01-28 14:36 3,372 --a------ C:\WINDOWS\SYSTEM32\ltklauds.xml
2008-01-28 18:46 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\qoyzaldp.dll
2008-01-28 18:46 . 2008-01-28 14:36 3,372 --a------ C:\WINDOWS\SYSTEM32\qoyzaldp.xml
2008-01-28 18:45 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\elclnras.dll
2008-01-28 18:45 . 2008-01-28 14:36 3,372 --a------ C:\WINDOWS\SYSTEM32\elclnras.xml
2008-01-28 18:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\phmdchht.dll
2008-01-28 18:00 . 2008-01-28 14:36 3,372 --a------ C:\WINDOWS\SYSTEM32\phmdchht.xml
2008-01-28 14:34 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\dxekroen.dll
2008-01-28 14:34 . 2008-01-28 11:53 3,372 --a------ C:\WINDOWS\SYSTEM32\dxekroen.xml
2008-01-28 11:39 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\zgtxzflh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 01:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:30 --------- d-----w C:\Program Files\Java
2008-01-29 01:24 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2008-01-28 17:18 --------- d-----w C:\Program Files\iTunes
2008-01-28 17:18 --------- d-----w C:\Program Files\iPod
2008-01-28 17:17 --------- d-----w C:\Program Files\QuickTime
2008-01-28 16:56 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 01:30 --------- d-----w C:\Program Files\Yjhgtzuz
2008-01-27 01:30 --------- d-----w C:\Program Files\Xglzdbxu
2008-01-27 01:30 --------- d-----w C:\Program Files\jcninaru
2008-01-27 01:30 --------- d-----w C:\Program Files\Iezhqlof
2008-01-27 01:30 --------- d-----w C:\Program Files\Gblodrif
2008-01-27 01:30 --------- d-----w C:\Program Files\Eawlmdgh
2008-01-27 01:30 --------- d-----w C:\Program Files\Btvteqkj
2008-01-27 01:30 --------- d-----w C:\Program Files\Bbanhjmq
2008-01-27 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:15 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:29 --------- d-----w C:\Program Files\Valitec DataReady
2008-01-12 00:17 --------- d-----w C:\Program Files\Canon
2008-01-12 00:14 --------- d-----w C:\Program Files\ArcSoft
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-03 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-30 16:11 --------- d-----w C:\Documents and Settings\Nora\Application Data\Apple Computer
2007-12-30 14:46 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Apple Computer
2007-12-29 02:44 --------- d-----w C:\Program Files\Avex
2007-12-23 21:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 20:33 --------- d-----w C:\Program Files\Wonderland Adventures
2007-12-23 20:31 --------- d-----w C:\Program Files\Wonderland Secret Worlds
2007-12-23 20:29 --------- d-----w C:\Program Files\Wonderland
2007-11-17 03:51 246 ----a-w C:\Program Files\Common Files\zyri
2007-04-16 21:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-23 03:23 57,824 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2005-08-12 22:28 3,788,235 -c--a-w C:\Program Files\mwplugin.exe
2005-07-28 17:58 883,933 -c--a-w C:\Program Files\mixfx1.exe
2005-07-28 17:54 883,933 -c--a-w C:\Program Files\Microsft mixfx1.exe
2004-02-16 20:48 57,432 -c--a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-12-14 23:12 857,580 -c--a-w C:\Program Files\ShutterflyPluginInstall.EXE
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TWljaGFlbA\nq53u3I5vE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"Brlr"="C:\Program Files\??stem32\l?ass.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"0204020607070108"="B1B3B1B5B6B6B0.exe" [2007-12-14 07:40 120832 C:\WINDOWS\SYSTEM32\B1B3B1B5B6B6B0.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"7D51447C11737A255E51"="C:\WINDOWS\system32\egmhdwuw.dll" [2007-12-24 21:38 98368]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-24 19:47:45 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklll]
mljklll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxyb32]
winxyb32.dll

S2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys []
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 12:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2003-06-15 14:10:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 16:54:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\egmhdwuw.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-02-08 16:58:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-08 21:58:28
.
2008-01-28 14:02:04 --- E O F ---

 

[Shaba]

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\egmhdwuw.dll
C:\WINDOWS\SYSTEM32\egmhdwuw.xml
C:\WINDOWS\SYSTEM32\saciitlo.dll
C:\WINDOWS\SYSTEM32\nzwqgdko.dll
C:\WINDOWS\SYSTEM32\saciitlo.xml
C:\WINDOWS\SYSTEM32\nzwqgdko.xml
C:\WINDOWS\SYSTEM32\ljgzbjnd.dll
C:\WINDOWS\SYSTEM32\ljgzbjnd.xml
C:\WINDOWS\SYSTEM32\helzjgvr.dll
C:\WINDOWS\SYSTEM32\helzjgvr.xml
C:\WINDOWS\SYSTEM32\podhvchm.dll
C:\WINDOWS\SYSTEM32\podhvchm.xml
C:\WINDOWS\SYSTEM32\fmdihwek.dll
C:\WINDOWS\SYSTEM32\fmdihwek.xml
C:\WINDOWS\SYSTEM32\oridndps.dll
C:\WINDOWS\SYSTEM32\oridndps.xml
C:\WINDOWS\SYSTEM32\kikofnyx.dll
C:\WINDOWS\SYSTEM32\kikofnyx.xml
C:\WINDOWS\SYSTEM32\lqibputh.dll
C:\WINDOWS\SYSTEM32\lqibputh.xml
C:\WINDOWS\SYSTEM32\fiyawjuy.dll
C:\WINDOWS\SYSTEM32\fiyawjuy.xml
C:\WINDOWS\SYSTEM32\yyjpcqou.dll
C:\WINDOWS\SYSTEM32\yyjpcqou.xml
C:\WINDOWS\SYSTEM32\zfgfscqo.dll
C:\WINDOWS\SYSTEM32\zfgfscqo.xml
C:\WINDOWS\SYSTEM32\xnszzshp.dll
C:\WINDOWS\SYSTEM32\xnszzshp.xml
C:\WINDOWS\SYSTEM32\qckwucac.dll
C:\WINDOWS\SYSTEM32\qckwucac.xml
C:\WINDOWS\SYSTEM32\kryagtad.dll
C:\WINDOWS\SYSTEM32\kryagtad.xml
C:\WINDOWS\SYSTEM32\wiccdtxd.dll
C:\WINDOWS\SYSTEM32\wiccdtxd.xml
C:\WINDOWS\SYSTEM32\boblmnhk.dll
C:\WINDOWS\SYSTEM32\boblmnhk.xml
C:\WINDOWS\SYSTEM32\grvexblz.dll
C:\WINDOWS\SYSTEM32\grvexblz.xml
C:\WINDOWS\SYSTEM32\xbgptgxh.dll
C:\WINDOWS\SYSTEM32\xbgptgxh.xml
C:\WINDOWS\SYSTEM32\ojdchfic.dll
C:\WINDOWS\SYSTEM32\ojdchfic.xml
C:\WINDOWS\SYSTEM32\omdrszpq.dll
C:\WINDOWS\SYSTEM32\omdrszpq.xml
C:\WINDOWS\SYSTEM32\rdenlpnp.dll
C:\WINDOWS\SYSTEM32\nkwegkgk.dll
C:\WINDOWS\SYSTEM32\rdenlpnp.xml
C:\WINDOWS\SYSTEM32\nkwegkgk.xml
C:\WINDOWS\SYSTEM32\mhhvexbo.dll
C:\WINDOWS\SYSTEM32\mhhvexbo.xml
C:\WINDOWS\SYSTEM32\tdqqpqud.dll
C:\WINDOWS\SYSTEM32\tdqqpqud.xml
C:\WINDOWS\SYSTEM32\dmjlpxhe.dll
C:\WINDOWS\SYSTEM32\dmjlpxhe.xml
C:\WINDOWS\SYSTEM32\zhcbggxl.dll
C:\WINDOWS\SYSTEM32\bmycxyov.dll
C:\WINDOWS\SYSTEM32\bmycxyov.xml
C:\WINDOWS\SYSTEM32\zhcbggxl.xml
C:\WINDOWS\SYSTEM32\nwbjtfju.dll
C:\WINDOWS\SYSTEM32\nwbjtfju.xml
C:\WINDOWS\SYSTEM32\tzuseiup.dll
C:\WINDOWS\SYSTEM32\tzuseiup.xml
C:\WINDOWS\SYSTEM32\zpizqnxd.dll
C:\WINDOWS\SYSTEM32\zpizqnxd.xml
C:\WINDOWS\SYSTEM32\ywrirvxu.dll
C:\WINDOWS\SYSTEM32\szkepcwo.dll
C:\WINDOWS\SYSTEM32\ywrirvxu.xml
C:\WINDOWS\SYSTEM32\szkepcwo.xml
C:\WINDOWS\SYSTEM32\lmpstiso.dll
C:\WINDOWS\SYSTEM32\lgoggran.dll
C:\WINDOWS\SYSTEM32\lgoggran.xml
C:\WINDOWS\SYSTEM32\cafnqucz.dll
C:\WINDOWS\SYSTEM32\cafnqucz.xml
C:\WINDOWS\SYSTEM32\ketujplu.dll
C:\WINDOWS\SYSTEM32\ketujplu.xml
C:\WINDOWS\SYSTEM32\xguwehaf.dll
C:\WINDOWS\SYSTEM32\xguwehaf.xml
C:\WINDOWS\SYSTEM32\ltklauds.dll
C:\WINDOWS\SYSTEM32\ltklauds.xml
C:\WINDOWS\SYSTEM32\qoyzaldp.dll
C:\WINDOWS\SYSTEM32\qoyzaldp.xml
C:\WINDOWS\SYSTEM32\elclnras.dll
C:\WINDOWS\SYSTEM32\elclnras.xml
C:\WINDOWS\SYSTEM32\phmdchht.dll
C:\WINDOWS\SYSTEM32\phmdchht.xml
C:\WINDOWS\SYSTEM32\dxekroen.dll
C:\WINDOWS\SYSTEM32\dxekroen.xml
C:\WINDOWS\SYSTEM32\zgtxzflh.dll
C:\Program Files\mixfx1.exe
C:\Program Files\Microsft mixfx1.exe
C:\WINDOWS\system32\B1B3B1B5B6B6B0.exe

Folder::
C:\Program Files\Yjhgtzuz
C:\Program Files\Xglzdbxu
C:\Program Files\jcninaru
C:\Program Files\Iezhqlof
C:\Program Files\Gblodrif
C:\Program Files\Eawlmdgh
C:\Program Files\Btvteqkj
C:\Program Files\Bbanhjmq

Driver::
cis1284

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Brlr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0204020607070108"=-
"7D51447C11737A255E51"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklll]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxyb32]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[calmva]

Hi Shaba

I copied the script and put it into ComboFix as requested. Here are the Combofix and HJT files. I am able to log into Spybot S&D forums from the infected computer now.

Thanks,
calmva

ComboFix 08-02.05.3 - Matthew 2008-02-09 8:36:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.621 [GMT -5:00]
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matthew\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Microsft mixfx1.exe
C:\Program Files\mixfx1.exe
C:\WINDOWS\system32\B1B3B1B5B6B6B0.exe
C:\WINDOWS\SYSTEM32\bmycxyov.dll
C:\WINDOWS\SYSTEM32\bmycxyov.xml
C:\WINDOWS\SYSTEM32\boblmnhk.dll
C:\WINDOWS\SYSTEM32\boblmnhk.xml
C:\WINDOWS\SYSTEM32\cafnqucz.dll
C:\WINDOWS\SYSTEM32\cafnqucz.xml
C:\WINDOWS\SYSTEM32\dmjlpxhe.dll
C:\WINDOWS\SYSTEM32\dmjlpxhe.xml
C:\WINDOWS\SYSTEM32\dxekroen.dll
C:\WINDOWS\SYSTEM32\dxekroen.xml
C:\WINDOWS\SYSTEM32\egmhdwuw.dll
C:\WINDOWS\SYSTEM32\egmhdwuw.xml
C:\WINDOWS\SYSTEM32\elclnras.dll
C:\WINDOWS\SYSTEM32\elclnras.xml
C:\WINDOWS\SYSTEM32\fiyawjuy.dll
C:\WINDOWS\SYSTEM32\fiyawjuy.xml
C:\WINDOWS\SYSTEM32\fmdihwek.dll
C:\WINDOWS\SYSTEM32\fmdihwek.xml
C:\WINDOWS\SYSTEM32\grvexblz.dll
C:\WINDOWS\SYSTEM32\grvexblz.xml
C:\WINDOWS\SYSTEM32\helzjgvr.dll
C:\WINDOWS\SYSTEM32\helzjgvr.xml
C:\WINDOWS\SYSTEM32\ketujplu.dll
C:\WINDOWS\SYSTEM32\ketujplu.xml
C:\WINDOWS\SYSTEM32\kikofnyx.dll
C:\WINDOWS\SYSTEM32\kikofnyx.xml
C:\WINDOWS\SYSTEM32\kryagtad.dll
C:\WINDOWS\SYSTEM32\kryagtad.xml
C:\WINDOWS\SYSTEM32\lgoggran.dll
C:\WINDOWS\SYSTEM32\lgoggran.xml
C:\WINDOWS\SYSTEM32\ljgzbjnd.dll
C:\WINDOWS\SYSTEM32\ljgzbjnd.xml
C:\WINDOWS\SYSTEM32\lmpstiso.dll
C:\WINDOWS\SYSTEM32\lqibputh.dll
C:\WINDOWS\SYSTEM32\lqibputh.xml
C:\WINDOWS\SYSTEM32\ltklauds.dll
C:\WINDOWS\SYSTEM32\ltklauds.xml
C:\WINDOWS\SYSTEM32\mhhvexbo.dll
C:\WINDOWS\SYSTEM32\mhhvexbo.xml
C:\WINDOWS\SYSTEM32\nkwegkgk.dll
C:\WINDOWS\SYSTEM32\nkwegkgk.xml
C:\WINDOWS\SYSTEM32\nwbjtfju.dll
C:\WINDOWS\SYSTEM32\nwbjtfju.xml
C:\WINDOWS\SYSTEM32\nzwqgdko.dll
C:\WINDOWS\SYSTEM32\nzwqgdko.xml
C:\WINDOWS\SYSTEM32\ojdchfic.dll
C:\WINDOWS\SYSTEM32\ojdchfic.xml
C:\WINDOWS\SYSTEM32\omdrszpq.dll
C:\WINDOWS\SYSTEM32\omdrszpq.xml
C:\WINDOWS\SYSTEM32\oridndps.dll
C:\WINDOWS\SYSTEM32\oridndps.xml
C:\WINDOWS\SYSTEM32\phmdchht.dll
C:\WINDOWS\SYSTEM32\phmdchht.xml
C:\WINDOWS\SYSTEM32\podhvchm.dll
C:\WINDOWS\SYSTEM32\podhvchm.xml
C:\WINDOWS\SYSTEM32\qckwucac.dll
C:\WINDOWS\SYSTEM32\qckwucac.xml
C:\WINDOWS\SYSTEM32\qoyzaldp.dll
C:\WINDOWS\SYSTEM32\qoyzaldp.xml
C:\WINDOWS\SYSTEM32\rdenlpnp.dll
C:\WINDOWS\SYSTEM32\rdenlpnp.xml
C:\WINDOWS\SYSTEM32\saciitlo.dll
C:\WINDOWS\SYSTEM32\saciitlo.xml
C:\WINDOWS\SYSTEM32\szkepcwo.dll
C:\WINDOWS\SYSTEM32\szkepcwo.xml
C:\WINDOWS\SYSTEM32\tdqqpqud.dll
C:\WINDOWS\SYSTEM32\tdqqpqud.xml
C:\WINDOWS\SYSTEM32\tzuseiup.dll
C:\WINDOWS\SYSTEM32\tzuseiup.xml
C:\WINDOWS\SYSTEM32\wiccdtxd.dll
C:\WINDOWS\SYSTEM32\wiccdtxd.xml
C:\WINDOWS\SYSTEM32\xbgptgxh.dll
C:\WINDOWS\SYSTEM32\xbgptgxh.xml
C:\WINDOWS\SYSTEM32\xguwehaf.dll
C:\WINDOWS\SYSTEM32\xguwehaf.xml
C:\WINDOWS\SYSTEM32\xnszzshp.dll
C:\WINDOWS\SYSTEM32\xnszzshp.xml
C:\WINDOWS\SYSTEM32\ywrirvxu.dll
C:\WINDOWS\SYSTEM32\ywrirvxu.xml
C:\WINDOWS\SYSTEM32\yyjpcqou.dll
C:\WINDOWS\SYSTEM32\yyjpcqou.xml
C:\WINDOWS\SYSTEM32\zfgfscqo.dll
C:\WINDOWS\SYSTEM32\zfgfscqo.xml
C:\WINDOWS\SYSTEM32\zgtxzflh.dll
C:\WINDOWS\SYSTEM32\zhcbggxl.dll
C:\WINDOWS\SYSTEM32\zhcbggxl.xml
C:\WINDOWS\SYSTEM32\zpizqnxd.dll
C:\WINDOWS\SYSTEM32\zpizqnxd.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Bbanhjmq
C:\Program Files\Btvteqkj
C:\Program Files\Eawlmdgh
C:\Program Files\Gblodrif
C:\Program Files\Iezhqlof
C:\Program Files\jcninaru
C:\Program Files\Microsft mixfx1.exe
C:\Program Files\mixfx1.exe
C:\Program Files\Xglzdbxu
C:\Program Files\Yjhgtzuz
C:\WINDOWS\system32\B1B3B1B5B6B6B0.exe
C:\WINDOWS\SYSTEM32\bmycxyov.dll
C:\WINDOWS\SYSTEM32\bmycxyov.xml
C:\WINDOWS\SYSTEM32\boblmnhk.dll
C:\WINDOWS\SYSTEM32\boblmnhk.xml
C:\WINDOWS\SYSTEM32\cafnqucz.dll
C:\WINDOWS\SYSTEM32\cafnqucz.xml
C:\WINDOWS\SYSTEM32\dmjlpxhe.dll
C:\WINDOWS\SYSTEM32\dmjlpxhe.xml
C:\WINDOWS\SYSTEM32\dxekroen.dll
C:\WINDOWS\SYSTEM32\dxekroen.xml
C:\WINDOWS\SYSTEM32\egmhdwuw.dll
C:\WINDOWS\SYSTEM32\egmhdwuw.xml
C:\WINDOWS\SYSTEM32\elclnras.dll
C:\WINDOWS\SYSTEM32\elclnras.xml
C:\WINDOWS\SYSTEM32\fiyawjuy.dll
C:\WINDOWS\SYSTEM32\fiyawjuy.xml
C:\WINDOWS\SYSTEM32\fmdihwek.dll
C:\WINDOWS\SYSTEM32\fmdihwek.xml
C:\WINDOWS\SYSTEM32\grvexblz.dll
C:\WINDOWS\SYSTEM32\grvexblz.xml
C:\WINDOWS\SYSTEM32\helzjgvr.dll
C:\WINDOWS\SYSTEM32\helzjgvr.xml
C:\WINDOWS\SYSTEM32\ketujplu.dll
C:\WINDOWS\SYSTEM32\ketujplu.xml
C:\WINDOWS\SYSTEM32\kikofnyx.dll
C:\WINDOWS\SYSTEM32\kikofnyx.xml
C:\WINDOWS\SYSTEM32\kryagtad.dll
C:\WINDOWS\SYSTEM32\kryagtad.xml
C:\WINDOWS\SYSTEM32\lgoggran.dll
C:\WINDOWS\SYSTEM32\lgoggran.xml
C:\WINDOWS\SYSTEM32\ljgzbjnd.dll
C:\WINDOWS\SYSTEM32\ljgzbjnd.xml
C:\WINDOWS\SYSTEM32\lmpstiso.dll
C:\WINDOWS\SYSTEM32\lqibputh.dll
C:\WINDOWS\SYSTEM32\lqibputh.xml
C:\WINDOWS\SYSTEM32\ltklauds.dll
C:\WINDOWS\SYSTEM32\ltklauds.xml
C:\WINDOWS\SYSTEM32\mhhvexbo.dll
C:\WINDOWS\SYSTEM32\mhhvexbo.xml
C:\WINDOWS\SYSTEM32\nkwegkgk.dll
C:\WINDOWS\SYSTEM32\nkwegkgk.xml
C:\WINDOWS\SYSTEM32\nwbjtfju.dll
C:\WINDOWS\SYSTEM32\nwbjtfju.xml
C:\WINDOWS\SYSTEM32\nzwqgdko.dll
C:\WINDOWS\SYSTEM32\nzwqgdko.xml
C:\WINDOWS\SYSTEM32\ojdchfic.dll
C:\WINDOWS\SYSTEM32\ojdchfic.xml
C:\WINDOWS\SYSTEM32\omdrszpq.dll
C:\WINDOWS\SYSTEM32\omdrszpq.xml
C:\WINDOWS\SYSTEM32\oridndps.dll
C:\WINDOWS\SYSTEM32\oridndps.xml
C:\WINDOWS\SYSTEM32\phmdchht.dll
C:\WINDOWS\SYSTEM32\phmdchht.xml
C:\WINDOWS\SYSTEM32\podhvchm.dll
C:\WINDOWS\SYSTEM32\podhvchm.xml
C:\WINDOWS\SYSTEM32\qckwucac.dll
C:\WINDOWS\SYSTEM32\qckwucac.xml
C:\WINDOWS\SYSTEM32\qoyzaldp.dll
C:\WINDOWS\SYSTEM32\qoyzaldp.xml
C:\WINDOWS\SYSTEM32\rdenlpnp.dll
C:\WINDOWS\SYSTEM32\rdenlpnp.xml
C:\WINDOWS\SYSTEM32\saciitlo.dll
C:\WINDOWS\SYSTEM32\saciitlo.xml
C:\WINDOWS\SYSTEM32\szkepcwo.dll
C:\WINDOWS\SYSTEM32\szkepcwo.xml
C:\WINDOWS\SYSTEM32\tdqqpqud.dll
C:\WINDOWS\SYSTEM32\tdqqpqud.xml
C:\WINDOWS\SYSTEM32\tzuseiup.dll
C:\WINDOWS\SYSTEM32\tzuseiup.xml
C:\WINDOWS\SYSTEM32\wiccdtxd.dll
C:\WINDOWS\SYSTEM32\wiccdtxd.xml
C:\WINDOWS\SYSTEM32\xbgptgxh.dll
C:\WINDOWS\SYSTEM32\xbgptgxh.xml
C:\WINDOWS\SYSTEM32\xguwehaf.dll
C:\WINDOWS\SYSTEM32\xguwehaf.xml
C:\WINDOWS\SYSTEM32\xnszzshp.dll
C:\WINDOWS\SYSTEM32\xnszzshp.xml
C:\WINDOWS\SYSTEM32\ywrirvxu.dll
C:\WINDOWS\SYSTEM32\ywrirvxu.xml
C:\WINDOWS\SYSTEM32\yyjpcqou.dll
C:\WINDOWS\SYSTEM32\yyjpcqou.xml
C:\WINDOWS\SYSTEM32\zfgfscqo.dll
C:\WINDOWS\SYSTEM32\zfgfscqo.xml
C:\WINDOWS\SYSTEM32\zgtxzflh.dll
C:\WINDOWS\SYSTEM32\zhcbggxl.dll
C:\WINDOWS\SYSTEM32\zhcbggxl.xml
C:\WINDOWS\SYSTEM32\zpizqnxd.dll
C:\WINDOWS\SYSTEM32\zpizqnxd.xml

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CIS1284
-------\cis1284


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-05 21:38 . 2003-02-24 19:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 19:30 . 2008-02-04 19:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 19:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-04 19:29 . 2008-02-04 19:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 16:39 . 2008-02-04 16:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 15:37 . 2008-01-04 16:58 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-31 15:37 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-31 15:37 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-29 18:27 . 2008-02-04 18:14 <DIR> d-------- C:\VundoFix Backups
2008-01-29 15:01 . 2008-01-29 17:10 3,372 --a------ C:\WINDOWS\SYSTEM32\lmpstiso.xml
2008-01-28 11:39 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\pqwvsdfm.dll
2008-01-28 11:39 . 2008-01-28 08:50 3,372 --a------ C:\WINDOWS\SYSTEM32\zgtxzflh.xml
2008-01-28 11:39 . 2008-01-28 14:36 3,372 --a------ C:\WINDOWS\SYSTEM32\pqwvsdfm.xml
2008-01-28 11:09 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fnxxgmux.dll
2008-01-28 11:09 . 2008-01-28 08:50 3,372 --a------ C:\WINDOWS\SYSTEM32\fnxxgmux.xml
2008-01-28 09:02 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\hhfzlomm.dll
2008-01-28 09:02 . 2008-01-28 08:50 3,372 --a------ C:\WINDOWS\SYSTEM32\hhfzlomm.xml
2008-01-28 09:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xdhmqvxl.dll
2008-01-28 09:00 . 2008-01-28 08:50 3,372 --a------ C:\WINDOWS\SYSTEM32\xdhmqvxl.xml
2008-01-27 23:18 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\bkbjvzjz.dll
2008-01-27 23:18 . 2008-01-28 08:50 3,372 --a------ C:\WINDOWS\SYSTEM32\bkbjvzjz.xml
2008-01-27 20:02 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xchfzpvz.dll
2008-01-27 20:02 . 2008-01-26 21:17 3,372 --a------ C:\WINDOWS\SYSTEM32\xchfzpvz.xml
2008-01-27 19:30 . 2008-01-27 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-27 12:09 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\hdmivamu.dll
2008-01-27 12:09 . 2008-01-26 21:17 3,372 --a------ C:\WINDOWS\SYSTEM32\hdmivamu.xml
2008-01-26 21:37 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\yqfajaaw.dll
2008-01-26 21:37 . 2008-01-26 21:17 3,372 --a------ C:\WINDOWS\SYSTEM32\yqfajaaw.xml
2008-01-26 20:33 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\yqxtitho.dll
2008-01-26 20:33 . 2008-01-26 21:17 3,372 --a------ C:\WINDOWS\SYSTEM32\yqxtitho.xml
2008-01-26 10:50 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\axzwwvea.dll
2008-01-26 10:50 . 2008-01-26 19:34 3,372 --a------ C:\WINDOWS\SYSTEM32\axzwwvea.xml
2008-01-26 09:07 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fjwldjbz.dll
2008-01-26 09:07 . 2008-01-26 09:05 3,274 --a------ C:\WINDOWS\SYSTEM32\fjwldjbz.xml
2008-01-25 22:55 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\dduoereh.dll
2008-01-25 22:55 . 2008-01-24 21:26 3,274 --a------ C:\WINDOWS\SYSTEM32\dduoereh.xml
2008-01-25 22:54 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\jlbkaazs.dll
2008-01-25 22:54 . 2008-01-24 21:26 3,274 --a------ C:\WINDOWS\SYSTEM32\jlbkaazs.xml
2008-01-25 11:37 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\opmgspcz.dll
2008-01-25 11:37 . 2008-01-26 09:05 3,274 --a------ C:\WINDOWS\SYSTEM32\opmgspcz.xml
2008-01-24 22:43 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\qvstwyuc.dll
2008-01-24 22:43 . 2008-01-24 21:26 3,274 --a------ C:\WINDOWS\SYSTEM32\qvstwyuc.xml
2008-01-24 20:44 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\okhoynow.dll
2008-01-24 20:44 . 2008-01-24 17:56 3,274 --a------ C:\WINDOWS\SYSTEM32\okhoynow.xml
2008-01-24 19:42 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\nbceqylu.dll
2008-01-24 19:42 . 2008-01-24 21:26 3,274 --a------ C:\WINDOWS\SYSTEM32\nbceqylu.xml
2008-01-24 18:55 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\axywcsuu.dll
2008-01-24 18:55 . 2008-01-24 17:56 3,274 --a------ C:\WINDOWS\SYSTEM32\axywcsuu.xml
2008-01-24 17:57 . 2008-01-25 11:38 1,614 --ahs---- C:\WINDOWS\SYSTEM32\vkixfngo.ini
2008-01-24 17:28 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xfajnxag.dll
2008-01-24 17:28 . 2008-01-24 17:56 3,274 --a------ C:\WINDOWS\SYSTEM32\xfajnxag.xml
2008-01-24 10:13 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fnchhpkn.dll
2008-01-24 10:13 . 2008-01-24 01:54 3,274 --a------ C:\WINDOWS\SYSTEM32\fnchhpkn.xml
2008-01-23 22:16 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\sbmnwshi.dll
2008-01-23 22:16 . 2008-01-24 01:54 3,274 --a------ C:\WINDOWS\SYSTEM32\sbmnwshi.xml
2008-01-23 17:59 . 2008-01-24 17:51 1,254 --ahs---- C:\WINDOWS\SYSTEM32\skugbfmf.ini
2008-01-23 16:32 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\vzqifleb.dll
2008-01-23 16:32 . 2008-01-23 18:45 3,274 --a------ C:\WINDOWS\SYSTEM32\vzqifleb.xml
2008-01-22 21:28 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\yytmkqcw.dll
2008-01-22 21:28 . 2008-01-23 15:28 3,274 --a------ C:\WINDOWS\SYSTEM32\yytmkqcw.xml
2008-01-22 17:58 . 2008-01-23 17:58 1,014 --ahs---- C:\WINDOWS\SYSTEM32\qlucvlil.ini
2008-01-22 16:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ktfkdtoe.dll
2008-01-22 16:00 . 2008-01-22 21:27 3,371 --a------ C:\WINDOWS\SYSTEM32\ktfkdtoe.xml
2008-01-22 14:54 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\aoreigck.dll
2008-01-22 14:54 . 2008-01-21 13:59 3,371 --a------ C:\WINDOWS\SYSTEM32\aoreigck.xml
2008-01-22 11:47 . 2008-01-22 11:47 <DIR> d-------- C:\WINDOWS\SYSTEM32\E1E3E1E5E6E6E0
2008-01-21 17:55 . 2008-01-22 17:56 834 --ahs---- C:\WINDOWS\SYSTEM32\jvcwkdiq.ini
2008-01-21 14:09 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ufbsouuq.dll
2008-01-21 14:09 . 2008-01-21 13:59 3,371 --a------ C:\WINDOWS\SYSTEM32\ufbsouuq.xml
2008-01-21 13:10 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\tzsrkyxv.dll
2008-01-21 13:10 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ittdghtv.dll
2008-01-21 13:10 . 2008-01-21 11:51 3,372 --a------ C:\WINDOWS\SYSTEM32\ittdghtv.xml
2008-01-21 13:10 . 2008-01-21 13:59 3,371 --a------ C:\WINDOWS\SYSTEM32\tzsrkyxv.xml
2008-01-21 09:44 . 2008-01-26 20:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\winzs6
2008-01-21 09:44 . 2008-01-26 20:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\nui4
2008-01-21 09:44 . 2008-01-28 21:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-21 09:44 . 2008-01-21 09:44 <DIR> d-------- C:\WINDOWS\SYSTEM32\extz1
2008-01-21 09:44 . 2008-01-21 13:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\comz7
2008-01-21 09:44 . 2008-01-21 09:44 <DIR> d-------- C:\Temp\gTiis19
2008-01-21 09:44 . 2008-01-21 09:44 <DIR> d-------- C:\Temp\cXzz9
2008-01-20 23:04 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ykyqbria.dll
2008-01-20 23:04 . 2008-01-21 11:51 3,372 --a------ C:\WINDOWS\SYSTEM32\ykyqbria.xml
2008-01-20 21:17 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\pzntjcrb.dll
2008-01-20 21:17 . 2008-01-20 08:01 3,274 --a------ C:\WINDOWS\SYSTEM32\pzntjcrb.xml
2008-01-20 20:13 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\plmaoaru.dll
2008-01-20 20:13 . 2008-01-20 08:01 3,274 --a------ C:\WINDOWS\SYSTEM32\plmaoaru.xml
2008-01-20 17:55 . 2008-01-21 17:55 654 --ahs---- C:\WINDOWS\SYSTEM32\wggtvyiv.ini
2008-01-20 08:39 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\adjulaeu.dll
2008-01-20 08:39 . 2008-01-20 23:03 3,274 --a------ C:\WINDOWS\SYSTEM32\adjulaeu.xml
2008-01-19 17:54 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\rkxtkqce.dll
2008-01-19 17:54 . 2008-01-20 08:01 3,274 --a------ C:\WINDOWS\SYSTEM32\rkxtkqce.xml
2008-01-19 16:54 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\smlitnyv.dll
2008-01-19 16:54 . 2008-01-19 17:23 3,372 --a------ C:\WINDOWS\SYSTEM32\smlitnyv.xml
2008-01-19 16:25 . 2008-01-20 07:44 1,434 --ahs---- C:\WINDOWS\SYSTEM32\gofuarxq.ini
2008-01-19 11:14 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ppjoqylb.dll
2008-01-19 11:14 . 2008-01-19 11:03 3,372 --a------ C:\WINDOWS\SYSTEM32\ppjoqylb.xml
2008-01-18 22:15 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ietagacp.dll
2008-01-18 22:15 . 2008-01-19 11:03 3,372 --a------ C:\WINDOWS\SYSTEM32\ietagacp.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 01:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:30 --------- d-----w C:\Program Files\Java
2008-01-29 01:24 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2008-01-28 17:18 --------- d-----w C:\Program Files\iTunes
2008-01-28 17:18 --------- d-----w C:\Program Files\iPod
2008-01-28 17:17 --------- d-----w C:\Program Files\QuickTime
2008-01-28 16:56 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:15 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:29 --------- d-----w C:\Program Files\Valitec DataReady
2008-01-12 00:17 --------- d-----w C:\Program Files\Canon
2008-01-12 00:14 --------- d-----w C:\Program Files\ArcSoft
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-03 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-30 16:11 --------- d-----w C:\Documents and Settings\Nora\Application Data\Apple Computer
2007-12-30 14:46 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Apple Computer
2007-12-29 02:44 --------- d-----w C:\Program Files\Avex
2007-12-23 21:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 20:33 --------- d-----w C:\Program Files\Wonderland Adventures
2007-12-23 20:31 --------- d-----w C:\Program Files\Wonderland Secret Worlds
2007-12-23 20:29 --------- d-----w C:\Program Files\Wonderland
2007-11-17 03:51 246 ----a-w C:\Program Files\Common Files\zyri
2007-04-16 21:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-23 03:23 57,824 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2005-08-12 22:28 3,788,235 -c--a-w C:\Program Files\mwplugin.exe
2004-02-16 20:48 57,432 -c--a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-12-14 23:12 857,580 -c--a-w C:\Program Files\ShutterflyPluginInstall.EXE
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TWljaGFlbA\nq53u3I5vE.vbs
.

 

[calmva]

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-24 19:47:45 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 12:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2003-06-15 14:10:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 08:42:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-02-09 8:46:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 13:46:17
ComboFix2.txt 2008-02-08 21:58:31
.
2008-01-28 14:02:04 --- E O F ---


Here is the HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 8:47:53 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[Shaba]

Hi

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\lmpstiso.xml
C:\WINDOWS\SYSTEM32\pqwvsdfm.dll
C:\WINDOWS\SYSTEM32\zgtxzflh.xml
C:\WINDOWS\SYSTEM32\pqwvsdfm.xml
C:\WINDOWS\SYSTEM32\fnxxgmux.dll
C:\WINDOWS\SYSTEM32\fnxxgmux.xml
C:\WINDOWS\SYSTEM32\hhfzlomm.dll
C:\WINDOWS\SYSTEM32\hhfzlomm.xml
C:\WINDOWS\SYSTEM32\xdhmqvxl.dll
C:\WINDOWS\SYSTEM32\xdhmqvxl.xml
C:\WINDOWS\SYSTEM32\bkbjvzjz.dll
C:\WINDOWS\SYSTEM32\bkbjvzjz.xml
C:\WINDOWS\SYSTEM32\xchfzpvz.dll
C:\WINDOWS\SYSTEM32\xchfzpvz.xml
C:\WINDOWS\SYSTEM32\hdmivamu.dll
C:\WINDOWS\SYSTEM32\hdmivamu.xml
C:\WINDOWS\SYSTEM32\yqfajaaw.dll
C:\WINDOWS\SYSTEM32\yqfajaaw.xml
C:\WINDOWS\SYSTEM32\yqxtitho.dll
C:\WINDOWS\SYSTEM32\yqxtitho.xml
C:\WINDOWS\SYSTEM32\axzwwvea.dll
C:\WINDOWS\SYSTEM32\axzwwvea.xml
C:\WINDOWS\SYSTEM32\fjwldjbz.dll
C:\WINDOWS\SYSTEM32\fjwldjbz.xml
C:\WINDOWS\SYSTEM32\dduoereh.dll
C:\WINDOWS\SYSTEM32\dduoereh.xml
C:\WINDOWS\SYSTEM32\jlbkaazs.dll
C:\WINDOWS\SYSTEM32\jlbkaazs.xml
C:\WINDOWS\SYSTEM32\opmgspcz.dll
C:\WINDOWS\SYSTEM32\opmgspcz.xml
C:\WINDOWS\SYSTEM32\qvstwyuc.dll
C:\WINDOWS\SYSTEM32\qvstwyuc.xml
C:\WINDOWS\SYSTEM32\okhoynow.dll
C:\WINDOWS\SYSTEM32\okhoynow.xml
C:\WINDOWS\SYSTEM32\nbceqylu.dll
C:\WINDOWS\SYSTEM32\nbceqylu.xml
C:\WINDOWS\SYSTEM32\axywcsuu.dll
C:\WINDOWS\SYSTEM32\axywcsuu.xml
C:\WINDOWS\SYSTEM32\vkixfngo.ini
C:\WINDOWS\SYSTEM32\xfajnxag.dll
C:\WINDOWS\SYSTEM32\xfajnxag.xml
C:\WINDOWS\SYSTEM32\fnchhpkn.dll
C:\WINDOWS\SYSTEM32\fnchhpkn.xml
C:\WINDOWS\SYSTEM32\sbmnwshi.dll
C:\WINDOWS\SYSTEM32\sbmnwshi.xml
C:\WINDOWS\SYSTEM32\skugbfmf.ini
C:\WINDOWS\SYSTEM32\vzqifleb.dll
C:\WINDOWS\SYSTEM32\vzqifleb.xml
C:\WINDOWS\SYSTEM32\yytmkqcw.dll
C:\WINDOWS\SYSTEM32\yytmkqcw.xml
C:\WINDOWS\SYSTEM32\qlucvlil.ini
C:\WINDOWS\SYSTEM32\ktfkdtoe.dll
C:\WINDOWS\SYSTEM32\ktfkdtoe.xml
C:\WINDOWS\SYSTEM32\aoreigck.dll
C:\WINDOWS\SYSTEM32\aoreigck.xml
C:\WINDOWS\SYSTEM32\jvcwkdiq.ini
C:\WINDOWS\SYSTEM32\ufbsouuq.dll
C:\WINDOWS\SYSTEM32\ufbsouuq.xml
C:\WINDOWS\SYSTEM32\tzsrkyxv.dll
C:\WINDOWS\SYSTEM32\ittdghtv.dll
C:\WINDOWS\SYSTEM32\ittdghtv.xml
C:\WINDOWS\SYSTEM32\tzsrkyxv.xml
C:\WINDOWS\SYSTEM32\ykyqbria.dll
C:\WINDOWS\SYSTEM32\ykyqbria.xml
C:\WINDOWS\SYSTEM32\pzntjcrb.dll
C:\WINDOWS\SYSTEM32\pzntjcrb.xml
C:\WINDOWS\SYSTEM32\plmaoaru.dll
C:\WINDOWS\SYSTEM32\plmaoaru.xml
C:\WINDOWS\SYSTEM32\wggtvyiv.ini
C:\WINDOWS\SYSTEM32\adjulaeu.dll
C:\WINDOWS\SYSTEM32\adjulaeu.xml
C:\WINDOWS\SYSTEM32\rkxtkqce.dll
C:\WINDOWS\SYSTEM32\rkxtkqce.xml
C:\WINDOWS\SYSTEM32\smlitnyv.dll
C:\WINDOWS\SYSTEM32\smlitnyv.xml
C:\WINDOWS\SYSTEM32\gofuarxq.ini
C:\WINDOWS\SYSTEM32\ppjoqylb.dll
C:\WINDOWS\SYSTEM32\ppjoqylb.xml
C:\WINDOWS\SYSTEM32\ietagacp.dll
C:\WINDOWS\SYSTEM32\ietagacp.xml

Folder::
C:\WINDOWS\SYSTEM32\winzs6
C:\WINDOWS\SYSTEM32\nui4
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\extz1
C:\WINDOWS\SYSTEM32\comz7
C:\Temp\gTiis19
C:\Temp\cXzz9
C:\WINDOWS\SYSTEM32\E1E3E1E5E6E6E0
C:\Program Files\Common Files\zyri
C:\WINDOWS\TWljaGFlb

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[calmva]

Hi Shaba

Thanks for getting back to my thread so quickly. Here are the ComboFix and HJT logs.

ComboFix 08-02.05.3 - Matthew 2008-02-09 11:17:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT -5:00]
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matthew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\adjulaeu.dll
C:\WINDOWS\SYSTEM32\adjulaeu.xml
C:\WINDOWS\SYSTEM32\aoreigck.dll
C:\WINDOWS\SYSTEM32\aoreigck.xml
C:\WINDOWS\SYSTEM32\axywcsuu.dll
C:\WINDOWS\SYSTEM32\axywcsuu.xml
C:\WINDOWS\SYSTEM32\axzwwvea.dll
C:\WINDOWS\SYSTEM32\axzwwvea.xml
C:\WINDOWS\SYSTEM32\bkbjvzjz.dll
C:\WINDOWS\SYSTEM32\bkbjvzjz.xml
C:\WINDOWS\SYSTEM32\dduoereh.dll
C:\WINDOWS\SYSTEM32\dduoereh.xml
C:\WINDOWS\SYSTEM32\fjwldjbz.dll
C:\WINDOWS\SYSTEM32\fjwldjbz.xml
C:\WINDOWS\SYSTEM32\fnchhpkn.dll
C:\WINDOWS\SYSTEM32\fnchhpkn.xml
C:\WINDOWS\SYSTEM32\fnxxgmux.dll
C:\WINDOWS\SYSTEM32\fnxxgmux.xml
C:\WINDOWS\SYSTEM32\gofuarxq.ini
C:\WINDOWS\SYSTEM32\hdmivamu.dll
C:\WINDOWS\SYSTEM32\hdmivamu.xml
C:\WINDOWS\SYSTEM32\hhfzlomm.dll
C:\WINDOWS\SYSTEM32\hhfzlomm.xml
C:\WINDOWS\SYSTEM32\ietagacp.dll
C:\WINDOWS\SYSTEM32\ietagacp.xml
C:\WINDOWS\SYSTEM32\ittdghtv.dll
C:\WINDOWS\SYSTEM32\ittdghtv.xml
C:\WINDOWS\SYSTEM32\jlbkaazs.dll
C:\WINDOWS\SYSTEM32\jlbkaazs.xml
C:\WINDOWS\SYSTEM32\jvcwkdiq.ini
C:\WINDOWS\SYSTEM32\ktfkdtoe.dll
C:\WINDOWS\SYSTEM32\ktfkdtoe.xml
C:\WINDOWS\SYSTEM32\lmpstiso.xml
C:\WINDOWS\SYSTEM32\nbceqylu.dll
C:\WINDOWS\SYSTEM32\nbceqylu.xml
C:\WINDOWS\SYSTEM32\okhoynow.dll
C:\WINDOWS\SYSTEM32\okhoynow.xml
C:\WINDOWS\SYSTEM32\opmgspcz.dll
C:\WINDOWS\SYSTEM32\opmgspcz.xml
C:\WINDOWS\SYSTEM32\plmaoaru.dll
C:\WINDOWS\SYSTEM32\plmaoaru.xml
C:\WINDOWS\SYSTEM32\ppjoqylb.dll
C:\WINDOWS\SYSTEM32\ppjoqylb.xml
C:\WINDOWS\SYSTEM32\pqwvsdfm.dll
C:\WINDOWS\SYSTEM32\pqwvsdfm.xml
C:\WINDOWS\SYSTEM32\pzntjcrb.dll
C:\WINDOWS\SYSTEM32\pzntjcrb.xml
C:\WINDOWS\SYSTEM32\qlucvlil.ini
C:\WINDOWS\SYSTEM32\qvstwyuc.dll
C:\WINDOWS\SYSTEM32\qvstwyuc.xml
C:\WINDOWS\SYSTEM32\rkxtkqce.dll
C:\WINDOWS\SYSTEM32\rkxtkqce.xml
C:\WINDOWS\SYSTEM32\sbmnwshi.dll
C:\WINDOWS\SYSTEM32\sbmnwshi.xml
C:\WINDOWS\SYSTEM32\skugbfmf.ini
C:\WINDOWS\SYSTEM32\smlitnyv.dll
C:\WINDOWS\SYSTEM32\smlitnyv.xml
C:\WINDOWS\SYSTEM32\tzsrkyxv.dll
C:\WINDOWS\SYSTEM32\tzsrkyxv.xml
C:\WINDOWS\SYSTEM32\ufbsouuq.dll
C:\WINDOWS\SYSTEM32\ufbsouuq.xml
C:\WINDOWS\SYSTEM32\vkixfngo.ini
C:\WINDOWS\SYSTEM32\vzqifleb.dll
C:\WINDOWS\SYSTEM32\vzqifleb.xml
C:\WINDOWS\SYSTEM32\wggtvyiv.ini
C:\WINDOWS\SYSTEM32\xchfzpvz.dll
C:\WINDOWS\SYSTEM32\xchfzpvz.xml
C:\WINDOWS\SYSTEM32\xdhmqvxl.dll
C:\WINDOWS\SYSTEM32\xdhmqvxl.xml
C:\WINDOWS\SYSTEM32\xfajnxag.dll
C:\WINDOWS\SYSTEM32\xfajnxag.xml
C:\WINDOWS\SYSTEM32\ykyqbria.dll
C:\WINDOWS\SYSTEM32\ykyqbria.xml
C:\WINDOWS\SYSTEM32\yqfajaaw.dll
C:\WINDOWS\SYSTEM32\yqfajaaw.xml
C:\WINDOWS\SYSTEM32\yqxtitho.dll
C:\WINDOWS\SYSTEM32\yqxtitho.xml
C:\WINDOWS\SYSTEM32\yytmkqcw.dll
C:\WINDOWS\SYSTEM32\yytmkqcw.xml
C:\WINDOWS\SYSTEM32\zgtxzflh.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\zyri\
C:\Temp\cXzz9
C:\Temp\gTiis19
C:\Temp\gTiis19\lTig.log
C:\WINDOWS\SYSTEM32\adjulaeu.dll
C:\WINDOWS\SYSTEM32\adjulaeu.xml
C:\WINDOWS\SYSTEM32\aoreigck.dll
C:\WINDOWS\SYSTEM32\aoreigck.xml
C:\WINDOWS\SYSTEM32\axywcsuu.dll
C:\WINDOWS\SYSTEM32\axywcsuu.xml
C:\WINDOWS\SYSTEM32\axzwwvea.dll
C:\WINDOWS\SYSTEM32\axzwwvea.xml
C:\WINDOWS\SYSTEM32\bkbjvzjz.dll
C:\WINDOWS\SYSTEM32\bkbjvzjz.xml
C:\WINDOWS\SYSTEM32\comz7
C:\WINDOWS\SYSTEM32\dduoereh.dll
C:\WINDOWS\SYSTEM32\dduoereh.xml
C:\WINDOWS\SYSTEM32\E1E3E1E5E6E6E0
C:\WINDOWS\SYSTEM32\E1E3E1E5E6E6E0\050705090A0A04
C:\WINDOWS\SYSTEM32\extz1
C:\WINDOWS\SYSTEM32\extz1\lovstadcom2.exe
C:\WINDOWS\SYSTEM32\fjwldjbz.dll
C:\WINDOWS\SYSTEM32\fjwldjbz.xml
C:\WINDOWS\SYSTEM32\fnchhpkn.dll
C:\WINDOWS\SYSTEM32\fnchhpkn.xml
C:\WINDOWS\SYSTEM32\fnxxgmux.dll
C:\WINDOWS\SYSTEM32\fnxxgmux.xml
C:\WINDOWS\SYSTEM32\gofuarxq.ini
C:\WINDOWS\SYSTEM32\hdmivamu.dll
C:\WINDOWS\SYSTEM32\hdmivamu.xml
C:\WINDOWS\SYSTEM32\hhfzlomm.dll
C:\WINDOWS\SYSTEM32\hhfzlomm.xml
C:\WINDOWS\SYSTEM32\ietagacp.dll
C:\WINDOWS\SYSTEM32\ietagacp.xml
C:\WINDOWS\SYSTEM32\ittdghtv.dll
C:\WINDOWS\SYSTEM32\ittdghtv.xml
C:\WINDOWS\SYSTEM32\jlbkaazs.dll
C:\WINDOWS\SYSTEM32\jlbkaazs.xml
C:\WINDOWS\SYSTEM32\jvcwkdiq.ini
C:\WINDOWS\SYSTEM32\ktfkdtoe.dll
C:\WINDOWS\SYSTEM32\ktfkdtoe.xml
C:\WINDOWS\SYSTEM32\lmpstiso.xml
C:\WINDOWS\SYSTEM32\nbceqylu.dll
C:\WINDOWS\SYSTEM32\nbceqylu.xml
C:\WINDOWS\SYSTEM32\nGpxx01
C:\WINDOWS\SYSTEM32\nui4
C:\WINDOWS\SYSTEM32\okhoynow.dll
C:\WINDOWS\SYSTEM32\okhoynow.xml
C:\WINDOWS\SYSTEM32\opmgspcz.dll
C:\WINDOWS\SYSTEM32\opmgspcz.xml
C:\WINDOWS\SYSTEM32\plmaoaru.dll
C:\WINDOWS\SYSTEM32\plmaoaru.xml
C:\WINDOWS\SYSTEM32\ppjoqylb.dll
C:\WINDOWS\SYSTEM32\ppjoqylb.xml
C:\WINDOWS\SYSTEM32\pqwvsdfm.dll
C:\WINDOWS\SYSTEM32\pqwvsdfm.xml
C:\WINDOWS\SYSTEM32\pzntjcrb.dll
C:\WINDOWS\SYSTEM32\pzntjcrb.xml
C:\WINDOWS\SYSTEM32\qlucvlil.ini
C:\WINDOWS\SYSTEM32\qvstwyuc.dll
C:\WINDOWS\SYSTEM32\qvstwyuc.xml
C:\WINDOWS\SYSTEM32\rkxtkqce.dll
C:\WINDOWS\SYSTEM32\rkxtkqce.xml
C:\WINDOWS\SYSTEM32\sbmnwshi.dll
C:\WINDOWS\SYSTEM32\sbmnwshi.xml
C:\WINDOWS\SYSTEM32\skugbfmf.ini
C:\WINDOWS\SYSTEM32\smlitnyv.dll
C:\WINDOWS\SYSTEM32\smlitnyv.xml
C:\WINDOWS\SYSTEM32\tzsrkyxv.dll
C:\WINDOWS\SYSTEM32\tzsrkyxv.xml
C:\WINDOWS\SYSTEM32\ufbsouuq.dll
C:\WINDOWS\SYSTEM32\ufbsouuq.xml
C:\WINDOWS\SYSTEM32\vkixfngo.ini
C:\WINDOWS\SYSTEM32\vzqifleb.dll
C:\WINDOWS\SYSTEM32\vzqifleb.xml
C:\WINDOWS\SYSTEM32\wggtvyiv.ini
C:\WINDOWS\SYSTEM32\winzs6
C:\WINDOWS\SYSTEM32\xchfzpvz.dll
C:\WINDOWS\SYSTEM32\xchfzpvz.xml
C:\WINDOWS\SYSTEM32\xdhmqvxl.dll
C:\WINDOWS\SYSTEM32\xdhmqvxl.xml
C:\WINDOWS\SYSTEM32\xfajnxag.dll
C:\WINDOWS\SYSTEM32\xfajnxag.xml
C:\WINDOWS\SYSTEM32\ykyqbria.dll
C:\WINDOWS\SYSTEM32\ykyqbria.xml
C:\WINDOWS\SYSTEM32\yqfajaaw.dll
C:\WINDOWS\SYSTEM32\yqfajaaw.xml
C:\WINDOWS\SYSTEM32\yqxtitho.dll
C:\WINDOWS\SYSTEM32\yqxtitho.xml
C:\WINDOWS\SYSTEM32\yytmkqcw.dll
C:\WINDOWS\SYSTEM32\yytmkqcw.xml
C:\WINDOWS\SYSTEM32\zgtxzflh.xml

.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 08:35 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-05 21:38 . 2003-02-24 19:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 19:30 . 2008-02-04 19:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 19:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-04 19:29 . 2008-02-04 19:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 16:39 . 2008-02-04 16:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 15:37 . 2008-01-04 16:58 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-31 15:37 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-31 15:37 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-29 18:27 . 2008-02-04 18:14 <DIR> d-------- C:\VundoFix Backups
2008-01-27 19:30 . 2008-01-27 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-18 21:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\dnfpaitc.dll
2008-01-18 21:00 . 2008-01-18 22:13 3,372 --a------ C:\WINDOWS\SYSTEM32\dnfpaitc.xml
2008-01-18 20:54 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\wdzqcehi.dll
2008-01-18 20:54 . 2008-01-18 20:38 3,274 --a------ C:\WINDOWS\SYSTEM32\wdzqcehi.xml
2008-01-18 20:31 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\hjsjkpyd.dll
2008-01-18 20:31 . 2008-01-18 20:38 3,274 --a------ C:\WINDOWS\SYSTEM32\hjsjkpyd.xml
2008-01-18 19:19 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\lrpjamzv.dll
2008-01-18 19:19 . 2008-01-18 19:28 3,274 --a------ C:\WINDOWS\SYSTEM32\lrpjamzv.xml
2008-01-18 16:26 . 2008-01-19 14:35 1,314 --ahs---- C:\WINDOWS\SYSTEM32\xypmvdwk.ini
2008-01-17 21:24 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\zytxgntz.dll
2008-01-17 21:24 . 2008-01-18 18:32 3,274 --a------ C:\WINDOWS\SYSTEM32\zytxgntz.xml
2008-01-17 16:26 . 2008-01-18 06:05 894 --ahs---- C:\WINDOWS\SYSTEM32\prjmvhot.ini
2008-01-16 21:23 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\vpuszaap.dll
2008-01-16 21:23 . 2008-01-16 20:21 3,274 --a------ C:\WINDOWS\SYSTEM32\vpuszaap.xml
2008-01-16 21:05 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fvgnxbgw.dll
2008-01-16 21:05 . 2008-01-17 19:47 3,274 --a------ C:\WINDOWS\SYSTEM32\fvgnxbgw.xml
2008-01-16 17:52 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\buldizkl.dll
2008-01-16 17:52 . 2008-01-16 20:21 3,274 --a------ C:\WINDOWS\SYSTEM32\buldizkl.xml
2008-01-16 16:38 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\crnfqzyc.dll
2008-01-16 16:38 . 2008-01-16 16:45 3,274 --a------ C:\WINDOWS\SYSTEM32\crnfqzyc.xml
2008-01-16 16:24 . 2008-01-17 16:24 774 --ahs---- C:\WINDOWS\SYSTEM32\smbydfvu.ini
2008-01-15 21:59 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\uhllabho.dll
2008-01-15 21:59 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\kgnqpuee.dll
2008-01-15 21:59 . 2008-01-16 15:06 3,274 --a------ C:\WINDOWS\SYSTEM32\uhllabho.xml
2008-01-15 21:59 . 2008-01-15 15:19 3,274 --a------ C:\WINDOWS\SYSTEM32\kgnqpuee.xml
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\ArcSoft
2008-01-15 21:03 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Canon
2008-01-15 19:44 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\arusvxbk.dll
2008-01-15 19:44 . 2008-01-15 15:19 3,274 --a------ C:\WINDOWS\SYSTEM32\arusvxbk.xml
2008-01-15 16:24 . 2008-01-16 15:04 474 --ahs---- C:\WINDOWS\SYSTEM32\jhkmfija.ini
2008-01-15 14:50 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\mnnjwnak.dll
2008-01-15 14:50 . 2008-01-15 15:19 3,274 --a------ C:\WINDOWS\SYSTEM32\mnnjwnak.xml
2008-01-14 20:42 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\dczjbksl.dll
2008-01-14 20:42 . 2008-01-14 20:35 3,274 --a------ C:\WINDOWS\SYSTEM32\dczjbksl.xml
2008-01-14 20:24 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\qrrnlkdz.dll
2008-01-14 20:24 . 2008-01-14 20:35 3,274 --a------ C:\WINDOWS\SYSTEM32\qrrnlkdz.xml
2008-01-14 16:23 . 2008-01-14 21:01 1,794 --ahs---- C:\WINDOWS\SYSTEM32\uiipnpmq.ini
2008-01-13 21:11 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\njwxsfmk.dll
2008-01-13 21:11 . 2008-01-14 20:24 3,274 --a------ C:\WINDOWS\SYSTEM32\njwxsfmk.xml
2008-01-13 21:10 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ycxajlko.dll
2008-01-13 21:10 . 2008-01-13 18:55 3,274 --a------ C:\WINDOWS\SYSTEM32\ycxajlko.xml
2008-01-13 17:27 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\hotnbanp.dll
2008-01-13 17:27 . 2008-01-13 18:55 3,274 --a------ C:\WINDOWS\SYSTEM32\hotnbanp.xml
2008-01-13 16:23 . 2008-01-14 16:23 1,614 --ahs---- C:\WINDOWS\SYSTEM32\xamejtnm.ini
2008-01-12 22:08 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\xlpnrqfm.dll
2008-01-12 22:08 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\cxyhkurx.dll
2008-01-12 22:08 . 2008-01-12 21:44 3,275 --a------ C:\WINDOWS\SYSTEM32\xlpnrqfm.xml
2008-01-12 22:08 . 2008-01-13 11:05 3,274 --a------ C:\WINDOWS\SYSTEM32\cxyhkurx.xml
2008-01-12 21:47 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ezirwcco.dll
2008-01-12 21:47 . 2008-01-12 21:44 3,275 --a------ C:\WINDOWS\SYSTEM32\ezirwcco.xml
2008-01-12 16:24 . 2008-01-13 10:29 1,434 --ahs---- C:\WINDOWS\SYSTEM32\tbjugjxi.ini
2008-01-12 16:08 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\uahczjfu.dll
2008-01-12 16:08 . 2008-01-12 21:44 3,275 --a------ C:\WINDOWS\SYSTEM32\uahczjfu.xml
2008-01-11 22:47 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\twhoattf.dll
2008-01-11 22:47 . 2008-01-12 13:11 3,372 --a------ C:\WINDOWS\SYSTEM32\twhoattf.xml
2008-01-11 22:02 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\umbqvyto.dll
2008-01-11 22:02 . 2008-01-11 22:16 3,372 --a------ C:\WINDOWS\SYSTEM32\umbqvyto.xml
2008-01-11 21:59 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\ArcSoft
2008-01-11 21:58 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\Canon
2008-01-11 21:36 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fzagesxs.dll
2008-01-11 21:36 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\fzagesxs.xml
2008-01-11 20:00 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\hfpbxvko.dll
2008-01-11 20:00 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\hfpbxvko.xml
2008-01-11 19:42 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\wjmwhjcv.dll
2008-01-11 19:42 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\wjmwhjcv.xml
2008-01-11 19:28 . 2008-01-11 19:31 36,363 --a------ C:\WINDOWS\CSTBox.INI
2008-01-11 19:20 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\yzcprmca.dll
2008-01-11 19:20 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\vafrqktv.dll
2008-01-11 19:20 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\yzcprmca.xml
2008-01-11 19:20 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\vafrqktv.xml
2008-01-11 19:10 . 2008-01-11 19:10 <DIR> d--h----- C:\CanoScan
2008-01-11 19:10 . 2005-02-24 19:14 274,432 --a------ C:\WINDOWS\SYSTEM32\CNQL1212.dll
2008-01-11 19:10 . 2005-02-02 09:20 57,344 --a------ C:\WINDOWS\SYSTEM32\CNQU111.DLL
2008-01-11 19:05 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\ntjlhjfe.dll
2008-01-11 19:05 . 2008-01-11 16:21 3,372 --a------ C:\WINDOWS\SYSTEM32\ntjlhjfe.xml
2008-01-11 16:26 . 2008-01-12 16:09 1,194 --ahs---- C:\WINDOWS\SYSTEM32\etlyiqyd.ini
2008-01-11 14:59 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fcpztwwn.dll
2008-01-11 14:59 . 2008-01-11 19:17 3,372 --a------ C:\WINDOWS\SYSTEM32\fcpztwwn.xml
2008-01-10 18:23 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\nybqxgke.dll
2008-01-10 18:23 . 2008-01-11 08:51 3,372 --a------ C:\WINDOWS\SYSTEM32\nybqxgke.xml
2008-01-10 17:39 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\omlkelqq.dll
2008-01-10 17:39 . 2008-01-10 16:20 3,274 --a------ C:\WINDOWS\SYSTEM32\omlkelqq.xml
2008-01-10 17:33 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\fldncsjm.dll
2008-01-10 17:33 . 2008-01-10 16:20 3,274 --a------ C:\WINDOWS\SYSTEM32\fldncsjm.xml
2008-01-10 16:23 . 2008-01-11 16:23 534 --ahs---- C:\WINDOWS\SYSTEM32\brorprdd.ini
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

 

[calmva]

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 01:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:30 --------- d-----w C:\Program Files\Java
2008-01-29 01:24 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2008-01-28 17:18 --------- d-----w C:\Program Files\iTunes
2008-01-28 17:18 --------- d-----w C:\Program Files\iPod
2008-01-28 17:17 --------- d-----w C:\Program Files\QuickTime
2008-01-28 16:56 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 00:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-27 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:15 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:29 --------- d-----w C:\Program Files\Valitec DataReady
2008-01-12 00:17 --------- d-----w C:\Program Files\Canon
2008-01-12 00:14 --------- d-----w C:\Program Files\ArcSoft
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-03 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-30 16:11 --------- d-----w C:\Documents and Settings\Nora\Application Data\Apple Computer
2007-12-30 14:46 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Apple Computer
2007-12-29 02:44 --------- d-----w C:\Program Files\Avex
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\zwqhyvve.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\zduqhude.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\yyfuemqq.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\ywtibvce.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\wydbnxrn.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\vidjhscl.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\vahoiiid.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\uizokpge.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\ugddhyzg.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\tywxoimh.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\tccpwxfw.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\svogpint.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\sabidcnl.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\rrqjhaoh.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\rjbqacvg.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\qntqcyln.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\pzxkyoyt.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\pruubfyz.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\olgxfzyq.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\olewswwu.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\nvlxxdql.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\nmbthcje.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\nkslvvon.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\lpwstuyo.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\ljsijsna.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\kgjnhzeu.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\jweoeoxv.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\jlpvpujd.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\iycgukbf.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\hvibctly.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\hmnurwnx.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\gqsldgpa.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\fzskievo.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\fwlyfbho.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\fevloggu.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\estxdllt.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\eqxxnivp.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\egpwkkho.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\dwzgikwd.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\ddpzsvpg.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\chzbldxh.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\bhqszzqf.dll
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\bebbgwda.dll
2007-12-23 21:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 20:33 --------- d-----w C:\Program Files\Wonderland Adventures
2007-12-23 20:31 --------- d-----w C:\Program Files\Wonderland Secret Worlds
2007-12-23 20:29 --------- d-----w C:\Program Files\Wonderland
2007-11-17 03:51 246 ----a-w C:\Program Files\Common Files\zyri
2007-04-16 21:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-23 03:23 57,824 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2005-08-12 22:28 3,788,235 -c--a-w C:\Program Files\mwplugin.exe
2004-02-16 20:48 57,432 -c--a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-12-14 23:12 857,580 -c--a-w C:\Program Files\ShutterflyPluginInstall.EXE
1998-08-24 16:09 10,000 -c--a-w C:\WINDOWS\INF\unregpn.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\TWljaGFlbA\nq53u3I5vE.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-24 19:47:45 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 12:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2003-06-15 14:10:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 11:20:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-02-09 11:21:18

The HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:17 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[Shaba]

Hi

It looks like that you a huge amount of infected files and we remove some of them older ones come visible.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\zwqhyvve.dll
C:\WINDOWS\SYSTEM32\zduqhude.dll
C:\WINDOWS\SYSTEM32\yyfuemqq.dll
C:\WINDOWS\SYSTEM32\ywtibvce.dll
C:\WINDOWS\SYSTEM32\wydbnxrn.dll
C:\WINDOWS\SYSTEM32\vidjhscl.dll
C:\WINDOWS\SYSTEM32\vahoiiid.dll
C:\WINDOWS\SYSTEM32\uizokpge.dll
C:\WINDOWS\SYSTEM32\ugddhyzg.dll
C:\WINDOWS\SYSTEM32\tywxoimh.dll
C:\WINDOWS\SYSTEM32\tccpwxfw.dll
C:\WINDOWS\SYSTEM32\svogpint.dll
C:\WINDOWS\SYSTEM32\sabidcnl.dll
C:\WINDOWS\SYSTEM32\rrqjhaoh.dll
C:\WINDOWS\SYSTEM32\rjbqacvg.dll
C:\WINDOWS\SYSTEM32\qntqcyln.dll
C:\WINDOWS\SYSTEM32\pzxkyoyt.dll
C:\WINDOWS\SYSTEM32\pruubfyz.dll
C:\WINDOWS\SYSTEM32\olgxfzyq.dll
C:\WINDOWS\SYSTEM32\olewswwu.dll
C:\WINDOWS\SYSTEM32\nvlxxdql.dll
C:\WINDOWS\SYSTEM32\nmbthcje.dll
C:\WINDOWS\SYSTEM32\nkslvvon.dll
C:\WINDOWS\SYSTEM32\lpwstuyo.dll
C:\WINDOWS\SYSTEM32\ljsijsna.dll
C:\WINDOWS\SYSTEM32\kgjnhzeu.dll
C:\WINDOWS\SYSTEM32\jweoeoxv.dll
C:\WINDOWS\SYSTEM32\jlpvpujd.dll
C:\WINDOWS\SYSTEM32\iycgukbf.dll
C:\WINDOWS\SYSTEM32\hvibctly.dll
C:\WINDOWS\SYSTEM32\hmnurwnx.dll
C:\WINDOWS\SYSTEM32\gqsldgpa.dll
C:\WINDOWS\SYSTEM32\fzskievo.dll
C:\WINDOWS\SYSTEM32\fwlyfbho.dll
C:\WINDOWS\SYSTEM32\fevloggu.dll
C:\WINDOWS\SYSTEM32\estxdllt.dll
C:\WINDOWS\SYSTEM32\eqxxnivp.dll
C:\WINDOWS\SYSTEM32\egpwkkho.dll
C:\WINDOWS\SYSTEM32\dwzgikwd.dll
C:\WINDOWS\SYSTEM32\ddpzsvpg.dll
C:\WINDOWS\SYSTEM32\chzbldxh.dll
C:\WINDOWS\SYSTEM32\bhqszzqf.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.xml
C:\WINDOWS\SYSTEM32\wdzqcehi.dll
C:\WINDOWS\SYSTEM32\wdzqcehi.xml
C:\WINDOWS\SYSTEM32\hjsjkpyd.dll
C:\WINDOWS\SYSTEM32\hjsjkpyd.xml
C:\WINDOWS\SYSTEM32\lrpjamzv.dll
C:\WINDOWS\SYSTEM32\lrpjamzv.xml
C:\WINDOWS\SYSTEM32\xypmvdwk.ini
C:\WINDOWS\SYSTEM32\zytxgntz.dll
C:\WINDOWS\SYSTEM32\prjmvhot.ini
C:\WINDOWS\SYSTEM32\vpuszaap.dll
C:\WINDOWS\SYSTEM32\vpuszaap.xml
C:\WINDOWS\SYSTEM32\fvgnxbgw.dll
C:\WINDOWS\SYSTEM32\fvgnxbgw.xml
C:\WINDOWS\SYSTEM32\buldizkl.dll
C:\WINDOWS\SYSTEM32\buldizkl.xml
C:\WINDOWS\SYSTEM32\crnfqzyc.dll
C:\WINDOWS\SYSTEM32\crnfqzyc.xml
C:\WINDOWS\SYSTEM32\smbydfvu.ini
C:\WINDOWS\SYSTEM32\uhllabho.dll
C:\WINDOWS\SYSTEM32\kgnqpuee.dll
C:\WINDOWS\SYSTEM32\uhllabho.xml
C:\WINDOWS\SYSTEM32\kgnqpuee.xml
C:\WINDOWS\SYSTEM32\arusvxbk.dll
C:\WINDOWS\SYSTEM32\arusvxbk.xml
C:\WINDOWS\SYSTEM32\jhkmfija.ini
C:\WINDOWS\SYSTEM32\mnnjwnak.dll
C:\WINDOWS\SYSTEM32\mnnjwnak.xml
C:\WINDOWS\SYSTEM32\dczjbksl.dll
C:\WINDOWS\SYSTEM32\dczjbksl.xml
C:\WINDOWS\SYSTEM32\qrrnlkdz.dll
C:\WINDOWS\SYSTEM32\qrrnlkdz.xml
C:\WINDOWS\SYSTEM32\uiipnpmq.ini
C:\WINDOWS\SYSTEM32\njwxsfmk.dll
C:\WINDOWS\SYSTEM32\njwxsfmk.xml
C:\WINDOWS\SYSTEM32\ycxajlko.dll
C:\WINDOWS\SYSTEM32\ycxajlko.xml
C:\WINDOWS\SYSTEM32\hotnbanp.dll
C:\WINDOWS\SYSTEM32\hotnbanp.xml
C:\WINDOWS\SYSTEM32\xamejtnm.ini
C:\WINDOWS\SYSTEM32\xlpnrqfm.dll
C:\WINDOWS\SYSTEM32\cxyhkurx.dll
C:\WINDOWS\SYSTEM32\xlpnrqfm.xml
C:\WINDOWS\SYSTEM32\cxyhkurx.xml
C:\WINDOWS\SYSTEM32\ezirwcco.dll
C:\WINDOWS\SYSTEM32\ezirwcco.xml
C:\WINDOWS\SYSTEM32\tbjugjxi.ini
C:\WINDOWS\SYSTEM32\uahczjfu.dll
C:\WINDOWS\SYSTEM32\uahczjfu.xml
C:\WINDOWS\SYSTEM32\twhoattf.dll
C:\WINDOWS\SYSTEM32\twhoattf.xml
C:\WINDOWS\SYSTEM32\umbqvyto.dll
C:\WINDOWS\SYSTEM32\umbqvyto.xml
C:\WINDOWS\SYSTEM32\fzagesxs.dll
C:\WINDOWS\SYSTEM32\fzagesxs.xml
C:\WINDOWS\SYSTEM32\hfpbxvko.dll
C:\WINDOWS\SYSTEM32\hfpbxvko.xml
C:\WINDOWS\SYSTEM32\wjmwhjcv.dll
C:\WINDOWS\SYSTEM32\wjmwhjcv.xml
C:\WINDOWS\SYSTEM32\yzcprmca.dll
C:\WINDOWS\SYSTEM32\vafrqktv.dll
C:\WINDOWS\SYSTEM32\yzcprmca.xml
C:\WINDOWS\SYSTEM32\vafrqktv.xml
C:\WINDOWS\SYSTEM32\ntjlhjfe.dll
C:\WINDOWS\SYSTEM32\ntjlhjfe.xml
C:\WINDOWS\SYSTEM32\etlyiqyd.ini
C:\WINDOWS\SYSTEM32\fcpztwwn.dll
C:\WINDOWS\SYSTEM32\fcpztwwn.xml
C:\WINDOWS\SYSTEM32\nybqxgke.dll
C:\WINDOWS\SYSTEM32\nybqxgke.xml
C:\WINDOWS\SYSTEM32\omlkelqq.dll
C:\WINDOWS\SYSTEM32\omlkelqq.xml
C:\WINDOWS\SYSTEM32\fldncsjm.dll
C:\WINDOWS\SYSTEM32\fldncsjm.xml
C:\WINDOWS\SYSTEM32\brorprdd.ini
C:\Program Files\Common Files\zyri

Folder::
C:\WINDOWS\TWljaGFlbA

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[calmva]

Hi Shaba,

Thank you for your patience. This is the computer my children use so I have not been as attentive to keeping it as clean as I should. I will now and hope for some advise in helping me do this when we get these problems resolved. Here are the logs.

Thanks again!

ComboFix 08-02.05.3 - Matthew 2008-02-09 11:52:10.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639 [GMT -5:00]
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matthew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\Common Files\zyri
C:\WINDOWS\SYSTEM32\arusvxbk.dll
C:\WINDOWS\SYSTEM32\arusvxbk.xml
C:\WINDOWS\SYSTEM32\bhqszzqf.dll
C:\WINDOWS\SYSTEM32\brorprdd.ini
C:\WINDOWS\SYSTEM32\buldizkl.dll
C:\WINDOWS\SYSTEM32\buldizkl.xml
C:\WINDOWS\SYSTEM32\chzbldxh.dll
C:\WINDOWS\SYSTEM32\crnfqzyc.dll
C:\WINDOWS\SYSTEM32\crnfqzyc.xml
C:\WINDOWS\SYSTEM32\cxyhkurx.dll
C:\WINDOWS\SYSTEM32\cxyhkurx.xml
C:\WINDOWS\SYSTEM32\dczjbksl.dll
C:\WINDOWS\SYSTEM32\dczjbksl.xml
C:\WINDOWS\SYSTEM32\ddpzsvpg.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.xml
C:\WINDOWS\SYSTEM32\dwzgikwd.dll
C:\WINDOWS\SYSTEM32\egpwkkho.dll
C:\WINDOWS\SYSTEM32\eqxxnivp.dll
C:\WINDOWS\SYSTEM32\estxdllt.dll
C:\WINDOWS\SYSTEM32\etlyiqyd.ini
C:\WINDOWS\SYSTEM32\ezirwcco.dll
C:\WINDOWS\SYSTEM32\ezirwcco.xml
C:\WINDOWS\SYSTEM32\fcpztwwn.dll
C:\WINDOWS\SYSTEM32\fcpztwwn.xml
C:\WINDOWS\SYSTEM32\fevloggu.dll
C:\WINDOWS\SYSTEM32\fldncsjm.dll
C:\WINDOWS\SYSTEM32\fldncsjm.xml
C:\WINDOWS\SYSTEM32\fvgnxbgw.dll
C:\WINDOWS\SYSTEM32\fvgnxbgw.xml
C:\WINDOWS\SYSTEM32\fwlyfbho.dll
C:\WINDOWS\SYSTEM32\fzagesxs.dll
C:\WINDOWS\SYSTEM32\fzagesxs.xml
C:\WINDOWS\SYSTEM32\fzskievo.dll
C:\WINDOWS\SYSTEM32\gqsldgpa.dll
C:\WINDOWS\SYSTEM32\hfpbxvko.dll
C:\WINDOWS\SYSTEM32\hfpbxvko.xml
C:\WINDOWS\SYSTEM32\hjsjkpyd.dll
C:\WINDOWS\SYSTEM32\hjsjkpyd.xml
C:\WINDOWS\SYSTEM32\hmnurwnx.dll
C:\WINDOWS\SYSTEM32\hotnbanp.dll
C:\WINDOWS\SYSTEM32\hotnbanp.xml
C:\WINDOWS\SYSTEM32\hvibctly.dll
C:\WINDOWS\SYSTEM32\iycgukbf.dll
C:\WINDOWS\SYSTEM32\jhkmfija.ini
C:\WINDOWS\SYSTEM32\jlpvpujd.dll
C:\WINDOWS\SYSTEM32\jweoeoxv.dll
C:\WINDOWS\SYSTEM32\kgjnhzeu.dll
C:\WINDOWS\SYSTEM32\kgnqpuee.dll
C:\WINDOWS\SYSTEM32\kgnqpuee.xml
C:\WINDOWS\SYSTEM32\ljsijsna.dll
C:\WINDOWS\SYSTEM32\lpwstuyo.dll
C:\WINDOWS\SYSTEM32\lrpjamzv.dll
C:\WINDOWS\SYSTEM32\lrpjamzv.xml
C:\WINDOWS\SYSTEM32\mnnjwnak.dll
C:\WINDOWS\SYSTEM32\mnnjwnak.xml
C:\WINDOWS\SYSTEM32\njwxsfmk.dll
C:\WINDOWS\SYSTEM32\njwxsfmk.xml
C:\WINDOWS\SYSTEM32\nkslvvon.dll
C:\WINDOWS\SYSTEM32\nmbthcje.dll
C:\WINDOWS\SYSTEM32\ntjlhjfe.dll
C:\WINDOWS\SYSTEM32\ntjlhjfe.xml
C:\WINDOWS\SYSTEM32\nvlxxdql.dll
C:\WINDOWS\SYSTEM32\nybqxgke.dll
C:\WINDOWS\SYSTEM32\nybqxgke.xml
C:\WINDOWS\SYSTEM32\olewswwu.dll
C:\WINDOWS\SYSTEM32\olgxfzyq.dll
C:\WINDOWS\SYSTEM32\omlkelqq.dll
C:\WINDOWS\SYSTEM32\omlkelqq.xml
C:\WINDOWS\SYSTEM32\prjmvhot.ini
C:\WINDOWS\SYSTEM32\pruubfyz.dll
C:\WINDOWS\SYSTEM32\pzxkyoyt.dll
C:\WINDOWS\SYSTEM32\qntqcyln.dll
C:\WINDOWS\SYSTEM32\qrrnlkdz.dll
C:\WINDOWS\SYSTEM32\qrrnlkdz.xml
C:\WINDOWS\SYSTEM32\rjbqacvg.dll
C:\WINDOWS\SYSTEM32\rrqjhaoh.dll
C:\WINDOWS\SYSTEM32\sabidcnl.dll
C:\WINDOWS\SYSTEM32\smbydfvu.ini
C:\WINDOWS\SYSTEM32\svogpint.dll
C:\WINDOWS\SYSTEM32\tbjugjxi.ini
C:\WINDOWS\SYSTEM32\tccpwxfw.dll
C:\WINDOWS\SYSTEM32\twhoattf.dll
C:\WINDOWS\SYSTEM32\twhoattf.xml
C:\WINDOWS\SYSTEM32\tywxoimh.dll
C:\WINDOWS\SYSTEM32\uahczjfu.dll
C:\WINDOWS\SYSTEM32\uahczjfu.xml
C:\WINDOWS\SYSTEM32\ugddhyzg.dll
C:\WINDOWS\SYSTEM32\uhllabho.dll
C:\WINDOWS\SYSTEM32\uhllabho.xml
C:\WINDOWS\SYSTEM32\uiipnpmq.ini
C:\WINDOWS\SYSTEM32\uizokpge.dll
C:\WINDOWS\SYSTEM32\umbqvyto.dll
C:\WINDOWS\SYSTEM32\umbqvyto.xml
C:\WINDOWS\SYSTEM32\vafrqktv.dll
C:\WINDOWS\SYSTEM32\vafrqktv.xml
C:\WINDOWS\SYSTEM32\vahoiiid.dll
C:\WINDOWS\SYSTEM32\vidjhscl.dll
C:\WINDOWS\SYSTEM32\vpuszaap.dll
C:\WINDOWS\SYSTEM32\vpuszaap.xml
C:\WINDOWS\SYSTEM32\wdzqcehi.dll
C:\WINDOWS\SYSTEM32\wdzqcehi.xml
C:\WINDOWS\SYSTEM32\wjmwhjcv.dll
C:\WINDOWS\SYSTEM32\wjmwhjcv.xml
C:\WINDOWS\SYSTEM32\wydbnxrn.dll
C:\WINDOWS\SYSTEM32\xamejtnm.ini
C:\WINDOWS\SYSTEM32\xlpnrqfm.dll
C:\WINDOWS\SYSTEM32\xlpnrqfm.xml
C:\WINDOWS\SYSTEM32\xypmvdwk.ini
C:\WINDOWS\SYSTEM32\ycxajlko.dll
C:\WINDOWS\SYSTEM32\ycxajlko.xml
C:\WINDOWS\SYSTEM32\ywtibvce.dll
C:\WINDOWS\SYSTEM32\yyfuemqq.dll
C:\WINDOWS\SYSTEM32\yzcprmca.dll
C:\WINDOWS\SYSTEM32\yzcprmca.xml
C:\WINDOWS\SYSTEM32\zduqhude.dll
C:\WINDOWS\SYSTEM32\zwqhyvve.dll
C:\WINDOWS\SYSTEM32\zytxgntz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\zyri
C:\WINDOWS\SYSTEM32\arusvxbk.dll
C:\WINDOWS\SYSTEM32\arusvxbk.xml
C:\WINDOWS\SYSTEM32\bhqszzqf.dll
C:\WINDOWS\SYSTEM32\brorprdd.ini
C:\WINDOWS\SYSTEM32\buldizkl.dll
C:\WINDOWS\SYSTEM32\buldizkl.xml
C:\WINDOWS\SYSTEM32\chzbldxh.dll
C:\WINDOWS\SYSTEM32\crnfqzyc.dll
C:\WINDOWS\SYSTEM32\crnfqzyc.xml
C:\WINDOWS\SYSTEM32\cxyhkurx.dll
C:\WINDOWS\SYSTEM32\cxyhkurx.xml
C:\WINDOWS\SYSTEM32\dczjbksl.dll
C:\WINDOWS\SYSTEM32\dczjbksl.xml
C:\WINDOWS\SYSTEM32\ddpzsvpg.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.dll
C:\WINDOWS\SYSTEM32\dnfpaitc.xml
C:\WINDOWS\SYSTEM32\dwzgikwd.dll
C:\WINDOWS\SYSTEM32\egpwkkho.dll
C:\WINDOWS\SYSTEM32\eqxxnivp.dll
C:\WINDOWS\SYSTEM32\estxdllt.dll
C:\WINDOWS\SYSTEM32\etlyiqyd.ini
C:\WINDOWS\SYSTEM32\ezirwcco.dll
C:\WINDOWS\SYSTEM32\ezirwcco.xml
C:\WINDOWS\SYSTEM32\fcpztwwn.dll
C:\WINDOWS\SYSTEM32\fcpztwwn.xml
C:\WINDOWS\SYSTEM32\fevloggu.dll
C:\WINDOWS\SYSTEM32\fldncsjm.dll
C:\WINDOWS\SYSTEM32\fldncsjm.xml
C:\WINDOWS\SYSTEM32\fvgnxbgw.dll
C:\WINDOWS\SYSTEM32\fvgnxbgw.xml
C:\WINDOWS\SYSTEM32\fwlyfbho.dll
C:\WINDOWS\SYSTEM32\fzagesxs.dll
C:\WINDOWS\SYSTEM32\fzagesxs.xml
C:\WINDOWS\SYSTEM32\fzskievo.dll
C:\WINDOWS\SYSTEM32\gqsldgpa.dll
C:\WINDOWS\SYSTEM32\hfpbxvko.dll
C:\WINDOWS\SYSTEM32\hfpbxvko.xml
C:\WINDOWS\SYSTEM32\hjsjkpyd.dll
C:\WINDOWS\SYSTEM32\hjsjkpyd.xml
C:\WINDOWS\SYSTEM32\hmnurwnx.dll
C:\WINDOWS\SYSTEM32\hotnbanp.dll
C:\WINDOWS\SYSTEM32\hotnbanp.xml
C:\WINDOWS\SYSTEM32\hvibctly.dll
C:\WINDOWS\SYSTEM32\iycgukbf.dll
C:\WINDOWS\SYSTEM32\jhkmfija.ini
C:\WINDOWS\SYSTEM32\jlpvpujd.dll
C:\WINDOWS\SYSTEM32\jweoeoxv.dll
C:\WINDOWS\SYSTEM32\kgjnhzeu.dll
C:\WINDOWS\SYSTEM32\kgnqpuee.dll
C:\WINDOWS\SYSTEM32\kgnqpuee.xml
C:\WINDOWS\SYSTEM32\ljsijsna.dll
C:\WINDOWS\SYSTEM32\lpwstuyo.dll
C:\WINDOWS\SYSTEM32\lrpjamzv.dll
C:\WINDOWS\SYSTEM32\lrpjamzv.xml
C:\WINDOWS\SYSTEM32\mnnjwnak.dll
C:\WINDOWS\SYSTEM32\mnnjwnak.xml
C:\WINDOWS\SYSTEM32\njwxsfmk.dll
C:\WINDOWS\SYSTEM32\njwxsfmk.xml
C:\WINDOWS\SYSTEM32\nkslvvon.dll
C:\WINDOWS\SYSTEM32\nmbthcje.dll
C:\WINDOWS\SYSTEM32\ntjlhjfe.dll
C:\WINDOWS\SYSTEM32\ntjlhjfe.xml
C:\WINDOWS\SYSTEM32\nvlxxdql.dll
C:\WINDOWS\SYSTEM32\nybqxgke.dll
C:\WINDOWS\SYSTEM32\nybqxgke.xml
C:\WINDOWS\SYSTEM32\olewswwu.dll
C:\WINDOWS\SYSTEM32\olgxfzyq.dll
C:\WINDOWS\SYSTEM32\omlkelqq.dll
C:\WINDOWS\SYSTEM32\omlkelqq.xml
C:\WINDOWS\SYSTEM32\prjmvhot.ini
C:\WINDOWS\SYSTEM32\pruubfyz.dll
C:\WINDOWS\SYSTEM32\pzxkyoyt.dll
C:\WINDOWS\SYSTEM32\qntqcyln.dll
C:\WINDOWS\SYSTEM32\qrrnlkdz.dll
C:\WINDOWS\SYSTEM32\qrrnlkdz.xml
C:\WINDOWS\SYSTEM32\rjbqacvg.dll
C:\WINDOWS\SYSTEM32\rrqjhaoh.dll
C:\WINDOWS\SYSTEM32\sabidcnl.dll
C:\WINDOWS\SYSTEM32\smbydfvu.ini
C:\WINDOWS\SYSTEM32\svogpint.dll
C:\WINDOWS\SYSTEM32\tbjugjxi.ini
C:\WINDOWS\SYSTEM32\tccpwxfw.dll
C:\WINDOWS\SYSTEM32\twhoattf.dll
C:\WINDOWS\SYSTEM32\twhoattf.xml
C:\WINDOWS\SYSTEM32\tywxoimh.dll
C:\WINDOWS\SYSTEM32\uahczjfu.dll
C:\WINDOWS\SYSTEM32\uahczjfu.xml
C:\WINDOWS\SYSTEM32\ugddhyzg.dll
C:\WINDOWS\SYSTEM32\uhllabho.dll
C:\WINDOWS\SYSTEM32\uhllabho.xml
C:\WINDOWS\SYSTEM32\uiipnpmq.ini
C:\WINDOWS\SYSTEM32\uizokpge.dll
C:\WINDOWS\SYSTEM32\umbqvyto.dll
C:\WINDOWS\SYSTEM32\umbqvyto.xml
C:\WINDOWS\SYSTEM32\vafrqktv.dll
C:\WINDOWS\SYSTEM32\vafrqktv.xml
C:\WINDOWS\SYSTEM32\vahoiiid.dll
C:\WINDOWS\SYSTEM32\vidjhscl.dll
C:\WINDOWS\SYSTEM32\vpuszaap.dll
C:\WINDOWS\SYSTEM32\vpuszaap.xml
C:\WINDOWS\SYSTEM32\wdzqcehi.dll
C:\WINDOWS\SYSTEM32\wdzqcehi.xml
C:\WINDOWS\SYSTEM32\wjmwhjcv.dll
C:\WINDOWS\SYSTEM32\wjmwhjcv.xml
C:\WINDOWS\SYSTEM32\wydbnxrn.dll
C:\WINDOWS\SYSTEM32\xamejtnm.ini
C:\WINDOWS\SYSTEM32\xlpnrqfm.dll
C:\WINDOWS\SYSTEM32\xlpnrqfm.xml
C:\WINDOWS\SYSTEM32\xypmvdwk.ini
C:\WINDOWS\SYSTEM32\ycxajlko.dll
C:\WINDOWS\SYSTEM32\ycxajlko.xml
C:\WINDOWS\SYSTEM32\ywtibvce.dll
C:\WINDOWS\SYSTEM32\yyfuemqq.dll
C:\WINDOWS\SYSTEM32\yzcprmca.dll
C:\WINDOWS\SYSTEM32\yzcprmca.xml
C:\WINDOWS\SYSTEM32\zduqhude.dll
C:\WINDOWS\SYSTEM32\zwqhyvve.dll
C:\WINDOWS\SYSTEM32\zytxgntz.dll
C:\WINDOWS\TWljaGFlbA
C:\WINDOWS\TWljaGFlbA\nq53u3I5vE.vbs

 

[calmva]

((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 11:15 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-05 21:38 . 2003-02-24 19:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 19:30 . 2008-02-04 19:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 19:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-04 19:29 . 2008-02-04 19:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 16:39 . 2008-02-04 16:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 15:37 . 2008-01-04 16:58 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-31 15:37 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-31 15:37 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-29 18:27 . 2008-02-04 18:14 <DIR> d-------- C:\VundoFix Backups
2008-01-27 19:30 . 2008-01-27 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-17 21:24 . 2008-01-18 18:32 3,274 --a------ C:\WINDOWS\SYSTEM32\zytxgntz.xml
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\ArcSoft
2008-01-15 21:03 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Canon
2008-01-11 21:59 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\ArcSoft
2008-01-11 21:58 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\Canon
2008-01-11 19:28 . 2008-01-11 19:31 36,363 --a------ C:\WINDOWS\CSTBox.INI
2008-01-11 19:10 . 2008-01-11 19:10 <DIR> d--h----- C:\CanoScan
2008-01-11 19:10 . 2005-02-24 19:14 274,432 --a------ C:\WINDOWS\SYSTEM32\CNQL1212.dll
2008-01-11 19:10 . 2005-02-02 09:20 57,344 --a------ C:\WINDOWS\SYSTEM32\CNQU111.DLL
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts
2008-01-10 08:30 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\bovtdjgr.dll
2008-01-10 08:30 . 2008-01-10 16:20 3,274 --a------ C:\WINDOWS\SYSTEM32\bovtdjgr.xml
2008-01-09 22:29 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
2008-01-09 22:29 . 2008-01-10 08:10 3,274 --a------ C:\WINDOWS\SYSTEM32\sbwvgqxg.xml
2008-01-09 19:29 . 2007-12-24 21:38 98,368 --a------ C:\WINDOWS\SYSTEM32\kpbvbyvp.dll
2008-01-09 19:29 . 2008-01-09 20:38 3,274 --a------ C:\WINDOWS\SYSTEM32\kpbvbyvp.xml
2008-01-09 16:19 . 2008-01-10 08:08 594 --ahs---- C:\WINDOWS\SYSTEM32\dkvbwasy.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 01:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:30 --------- d-----w C:\Program Files\Java
2008-01-29 01:24 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2008-01-28 17:18 --------- d-----w C:\Program Files\iTunes
2008-01-28 17:18 --------- d-----w C:\Program Files\iPod
2008-01-28 17:17 --------- d-----w C:\Program Files\QuickTime
2008-01-28 16:56 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 00:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-27 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:15 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:29 --------- d-----w C:\Program Files\Valitec DataReady
2008-01-12 00:17 --------- d-----w C:\Program Files\Canon
2008-01-12 00:14 --------- d-----w C:\Program Files\ArcSoft
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-03 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-30 16:11 --------- d-----w C:\Documents and Settings\Nora\Application Data\Apple Computer
2007-12-30 14:46 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Apple Computer
2007-12-29 02:44 --------- d-----w C:\Program Files\Avex
2007-12-25 02:38 98,368 ----a-w C:\WINDOWS\SYSTEM32\bebbgwda.dll
2007-12-23 21:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 20:33 --------- d-----w C:\Program Files\Wonderland Adventures
2007-12-23 20:31 --------- d-----w C:\Program Files\Wonderland Secret Worlds
2007-12-23 20:29 --------- d-----w C:\Program Files\Wonderland
2007-04-16 21:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-23 03:23 57,824 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2005-08-12 22:28 3,788,235 -c--a-w C:\Program Files\mwplugin.exe
2004-02-16 20:48 57,432 -c--a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-12-14 23:12 857,580 -c--a-w C:\Program Files\ShutterflyPluginInstall.EXE
1998-08-24 16:09 10,000 -c--a-w C:\WINDOWS\INF\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-24 19:47:45 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 12:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2003-06-15 14:10:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 11:53:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-02-09 11:54:06
ComboFix-quarantined-files.txt 2008-02-09 16:53:40
ComboFix2.txt 2008-02-09 16:21:19
ComboFix3.txt 2008-02-09 13:46:20
ComboFix4.txt 2008-02-08 21:58:31
.
2008-01-28 14:02:04 --- E O F ---


Here is the HJL:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:45 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[Shaba]

Hi

Looks like that those file are almost gone

And yes you will get some tips after we get you clean.

Next let's find out what those files are:

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
C:\WINDOWS\SYSTEM32\sbwvgqxg.xml

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

 

[calmva]

Hi Shaba,

Here are the results from Jotti. The second file came up with nothing

Thanks
calmva


C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
Service load:
0% 100%
File: sbwvgqxg.dll
Status:
INFECTED/MALWARE
MD5: 5d2c75b8206e729e4e499754e6ade3de
Packers detected:
-
Bit9 reports:
Scanner results
Scan taken on 10 Feb 2008 05:02:32 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Vundo.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Generic9.APEB
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found DLOADER.Trojan (probable variant)
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Virtumonde.JLF
Panda Antivirus
Found Trj/Agent.HMV
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing



C:\WINDOWS\SYSTEM32\sbwvgqxg.xml
Service load:
0% 100%
File: sbwvgqxg.xml
Status:
OK
MD5: 1794754cd10d44e7330854b8ca253e2b
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 10 Feb 2008 05:08:39 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

 

[Shaba]

Hi

They look like badly detected vundo; we need samples:

Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
C:\WINDOWS\SYSTEM32\sbwvgqxg.xml

Go to spykiller

Press new topic, make threads title "Files for Shaba"
Include to your message a link to here, then attach the cab/zip file to your message and post the topic
If you cant locate it through the browse button just copy/paste the filename and path.

After that, please reply to this thread and we'll continue

 

[calmva]

Hi Shaba

I have uploaded the files to Spykiller as requested

Calmva

 

[Shaba]

Hi

Thanks for the files

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\SYSTEM32\zytxgntz.xml
C:\WINDOWS\SYSTEM32\bovtdjgr.dll
C:\WINDOWS\SYSTEM32\bovtdjgr.xml
C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
C:\WINDOWS\SYSTEM32\sbwvgqxg.xml
C:\WINDOWS\SYSTEM32\kpbvbyvp.dll
C:\WINDOWS\SYSTEM32\kpbvbyvp.xml
C:\WINDOWS\SYSTEM32\dkvbwasy.ini
C:\WINDOWS\SYSTEM32\bebbgwda.dll

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

 

[calmva]

Hi Shaba

The files are below. Thanks!

ComboFix 08-02.05.3 - Matthew 2008-02-10 8:17:19.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.574 [GMT -5:00]
Running from: C:\Documents and Settings\Matthew\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matthew\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\SYSTEM32\bebbgwda.dll
C:\WINDOWS\SYSTEM32\bovtdjgr.dll
C:\WINDOWS\SYSTEM32\bovtdjgr.xml
C:\WINDOWS\SYSTEM32\dkvbwasy.ini
C:\WINDOWS\SYSTEM32\kpbvbyvp.dll
C:\WINDOWS\SYSTEM32\kpbvbyvp.xml
C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
C:\WINDOWS\SYSTEM32\sbwvgqxg.xml
C:\WINDOWS\SYSTEM32\zytxgntz.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\bebbgwda.dll
C:\WINDOWS\SYSTEM32\bovtdjgr.dll
C:\WINDOWS\SYSTEM32\bovtdjgr.xml
C:\WINDOWS\SYSTEM32\dkvbwasy.ini
C:\WINDOWS\SYSTEM32\kpbvbyvp.dll
C:\WINDOWS\SYSTEM32\kpbvbyvp.xml
C:\WINDOWS\SYSTEM32\sbwvgqxg.dll
C:\WINDOWS\SYSTEM32\sbwvgqxg.xml
C:\WINDOWS\SYSTEM32\zytxgntz.xml

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 08:16 . 2008-02-10 08:18 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE
2008-02-09 11:51 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-05 21:38 . 2003-02-24 19:50 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-04 20:29 . 2008-02-04 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-04 19:30 . 2008-02-04 19:30 <DIR> d-------- C:\WINDOWS\Sun
2008-02-04 19:30 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-04 19:29 . 2008-02-04 19:29 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 16:39 . 2008-02-04 16:39 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 15:37 . 2008-01-04 16:58 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
2008-01-31 15:37 . 2008-01-04 16:58 120,056 --------- C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-01-31 15:37 . 2008-01-04 16:58 118,520 --------- C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-01-29 18:27 . 2008-02-04 18:14 <DIR> d-------- C:\VundoFix Backups
2008-01-27 19:30 . 2008-01-27 19:31 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-15 21:04 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\ArcSoft
2008-01-15 21:03 . 2008-01-15 21:04 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Canon
2008-01-11 21:59 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\ArcSoft
2008-01-11 21:58 . 2008-01-11 21:59 <DIR> d-------- C:\Documents and Settings\Matthew\Application Data\Canon
2008-01-11 19:28 . 2008-01-11 19:31 36,363 --a------ C:\WINDOWS\CSTBox.INI
2008-01-11 19:10 . 2008-01-11 19:10 <DIR> d--h----- C:\CanoScan
2008-01-11 19:10 . 2005-02-24 19:14 274,432 --a------ C:\WINDOWS\SYSTEM32\CNQL1212.dll
2008-01-11 19:10 . 2005-02-02 09:20 57,344 --a------ C:\WINDOWS\SYSTEM32\CNQU111.DLL
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\SYSTEM32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\SYSTEM32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 01:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-05 01:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-05 00:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:30 --------- d-----w C:\Program Files\Java
2008-01-29 01:24 --------- d-----w C:\Documents and Settings\Matthew\Application Data\AdobeUM
2008-01-28 17:18 --------- d-----w C:\Program Files\iTunes
2008-01-28 17:18 --------- d-----w C:\Program Files\iPod
2008-01-28 17:17 --------- d-----w C:\Program Files\QuickTime
2008-01-28 16:56 --------- d-----w C:\Program Files\Yahoo!
2008-01-27 00:58 12,632 ----a-w C:\WINDOWS\SYSTEM32\lsdelete.exe
2008-01-27 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-26 18:15 --------- d-----w C:\Program Files\World of Warcraft
2008-01-12 01:29 --------- d-----w C:\Program Files\Valitec DataReady
2008-01-12 00:17 --------- d-----w C:\Program Files\Canon
2008-01-12 00:14 --------- d-----w C:\Program Files\ArcSoft
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\SYSTEM32\DivXsm.exe
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\SYSTEM32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\SYSTEM32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\SYSTEM32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\SYSTEM32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\SYSTEM32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\SYSTEM32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\SYSTEM32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\SYSTEM32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\SYSTEM32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\SYSTEM32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\SYSTEM32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\SYSTEM32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\SYSTEM32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\SYSTEM32\DivXWMPExtType.dll
2008-01-03 21:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-12-30 16:11 --------- d-----w C:\Documents and Settings\Nora\Application Data\Apple Computer
2007-12-30 14:46 --------- d-----w C:\Documents and Settings\Matthew\Application Data\Apple Computer
2007-12-29 02:44 --------- d-----w C:\Program Files\Avex
2007-12-23 21:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-23 20:33 --------- d-----w C:\Program Files\Wonderland Adventures
2007-12-23 20:31 --------- d-----w C:\Program Files\Wonderland Secret Worlds
2007-12-23 20:29 --------- d-----w C:\Program Files\Wonderland
2007-04-16 21:34 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-12-23 03:23 57,824 -c--a-w C:\Documents and Settings\Michael\Application Data\GDIPFONTCACHEV1.DAT
2005-08-12 22:28 3,788,235 -c--a-w C:\Program Files\mwplugin.exe
2004-02-16 20:48 57,432 -c--a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-12-14 23:12 857,580 -c--a-w C:\Program Files\ShutterflyPluginInstall.EXE
1998-08-24 16:09 10,000 -c--a-w C:\WINDOWS\INF\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 18:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 14:20 2061816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-10-06 14:16 5058560]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-02-24 19:47:45 45056]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 10:11]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-10-10 05:18]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-10-10 05:18]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 12:30:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
"2003-06-15 14:10:19 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 08:18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-02-10 8:19:04
ComboFix-quarantined-files.txt 2008-02-10 13:18:38
ComboFix2.txt 2008-02-09 16:54:07
ComboFix3.txt 2008-02-09 16:21:19
ComboFix4.txt 2008-02-09 13:46:20
ComboFix5.txt 2008-02-08 21:58:31
.
2008-01-28 14:02:04 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:19:34 AM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.ign.com/"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matthew\Application Data\Mozilla\Profiles\default\33wvs93d.slt\prefs.js)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - ?p=ZRxdm479YYUS
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Kate\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Boxtop - {5D6F09DD-D9C3-42db-800A-EBF1E7EFCB0B} - file://C:\Program Files\BoxTops_Shopping_Reminder\Sy150\Tp150\scri150a.htm (file missing) (HKCU)
O9 - Extra button: Boxtop - {629C5DAA-BABC-4d44-983D-97AFF415621C} - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46EDDE3C-A447-4560-A84F-2A03995EF1AE}: NameServer = 192.168.0.1,192.168.1.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

[Shaba]

Hi

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.