My new computer has Virtumonde!

Yes that seems to have worked.

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

uninstall-man.jpg


5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
 
here it is:
Acrobat.com
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
AMD Processor Driver
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Core FTP LE 2.1
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
Java(TM) 6 Update 10
Macromedia Dreamweaver 8
Macromedia Extension Manager
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
Panda Antivirus Pro 2009
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
XP Codec Pack
Click to expand...
 
Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
c:\windows\sqlexec32.exe
C:\winupdater.exe
C:\xcodec.exe
c:\windows\system32\luxecash354.dat

Folder::
c:\documents and settings\Jody\Application Data\LimeWire
C:\Program Files\LimeWire

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
here is the new one:
ComboFix 08-11-04.02 - Jody 2008-11-05 9:13:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1517 [GMT -6:00]
Running from: c:\documents and settings\Jody\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jody\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\sqlexec32.exe
c:\windows\system32\luxecash354.dat
C:\winupdater.exe
C:\xcodec.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jody\Application Data\LimeWire
c:\documents and settings\Jody\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Jody\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Jody\Application Data\LimeWire\downloads.dat
c:\documents and settings\Jody\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Jody\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Jody\Application Data\LimeWire\filters.props
c:\documents and settings\Jody\Application Data\LimeWire\gnutella.net
c:\documents and settings\Jody\Application Data\LimeWire\installation.props
c:\documents and settings\Jody\Application Data\LimeWire\library.dat
c:\documents and settings\Jody\Application Data\LimeWire\limewire.props
c:\documents and settings\Jody\Application Data\LimeWire\mojito.props
c:\documents and settings\Jody\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Jody\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Jody\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Jody\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Jody\Application Data\LimeWire\questions.props
c:\documents and settings\Jody\Application Data\LimeWire\responses.cache
c:\documents and settings\Jody\Application Data\LimeWire\simpp.xml
c:\documents and settings\Jody\Application Data\LimeWire\spam.dat
c:\documents and settings\Jody\Application Data\LimeWire\tables.props
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Jody\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Jody\Application Data\LimeWire\version.xml
c:\documents and settings\Jody\Application Data\LimeWire\versions.props
c:\windows\sqlexec32.exe
c:\windows\system32\luxecash354.dat
C:\winupdater.exe
C:\xcodec.exe
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-04 22:33 . 2008-11-04 22:33 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-04 22:16 . 2008-11-04 22:16 <DIR> d-------- c:\windows\PrimoPDF4
2008-11-04 22:16 . 2008-11-04 22:16 <DIR> d-------- c:\program files\activePDF
2008-11-04 20:35 . 2008-11-04 20:35 <DIR> d-------- c:\program files\WebEx
2008-11-04 20:35 . 2008-11-04 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sage Software
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\winsim
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\Seagate Software
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2008-11-04 20:33 . 2008-11-04 20:35 <DIR> d-------- c:\program files\Simply Accounting Basic 2007
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> d-------- c:\program files\Common Files\Macromedia Shared
2008-11-04 13:51 . 2008-11-04 13:51 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-03 20:29 . 2008-11-03 20:29 <DIR> d-------- c:\program files\Trend Micro
2008-11-03 16:44 . 2008-11-03 16:44 1,664 --a------ c:\windows\system32\tmp.reg
2008-11-03 16:43 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-03 16:43 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-03 16:43 . 2008-09-08 22:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-11-03 16:43 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-03 16:43 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-03 16:43 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-03 16:43 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-03 16:43 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-03 16:43 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-03 16:43 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-03 16:43 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-03 12:14 . 2008-11-03 13:30 <DIR> d-------- C:\Temp
2008-11-03 09:32 . 2008-11-03 09:32 0 --a------ c:\windows\nsreg.dat
2008-11-03 09:03 . 2008-11-04 22:34 <DIR> d-------- c:\program files\Macromedia
2008-11-03 09:03 . 2008-11-03 09:06 <DIR> d-------- c:\program files\Common Files\Macromedia
2008-11-03 09:02 . 2008-11-04 22:33 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-02 23:26 . 2008-11-03 15:05 422 --a------ c:\windows\wininit.ini
2008-11-02 20:18 . 2008-11-03 12:18 <DIR> d-------- c:\program files\Bonjour
2008-11-02 18:16 . 2008-11-02 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2008-11-02 18:16 . 2002-01-05 04:10 57,344 --a------ c:\windows\system32\mfc70enu.dll
2008-11-02 18:09 . 2008-11-02 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-02 17:42 . 2008-11-02 17:42 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-02 17:02 . 2006-12-11 15:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2008-11-02 16:43 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-02 16:43 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-02 16:40 . 2008-11-02 21:10 <DIR> d-------- c:\program files\CoreFTP
2008-11-02 16:40 . 2008-11-05 09:12 <DIR> d-------- c:\documents and settings\Jody\Application Data\CoreFTP
2008-11-02 15:59 . 2008-11-02 15:59 <DIR> d-------- c:\documents and settings\Jody\Contacts
2008-11-02 15:53 . 2008-11-02 15:57 <DIR> d-------- c:\program files\Windows Live
2008-11-02 15:53 . 2008-11-02 15:57 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 15:53 . 2008-11-02 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 15:50 . 2008-11-02 15:50 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-02 15:50 . 2003-12-11 11:15 626,960 -ra------ c:\windows\system32\hpvaut32.dll
2008-11-02 15:50 . 2003-12-11 11:15 487,424 -ra------ c:\windows\system32\hpvcp70.dll
2008-11-02 15:50 . 2003-12-11 11:15 344,064 -ra------ c:\windows\system32\hpvcr70.dll
2008-11-02 15:50 . 2003-12-11 11:15 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-11-02 15:48 . 2008-11-02 15:48 <DIR> d-------- c:\program files\Common Files\HP
2008-11-02 15:46 . 2004-02-26 00:18 51,056 -ra------ c:\windows\system32\drivers\hpzid412.sys
2008-11-02 15:46 . 2004-02-26 00:18 21,488 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-11-02 15:46 . 2004-02-26 00:18 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-11-02 15:46 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-02 15:46 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-02 15:44 . 2008-11-02 15:50 <DIR> d-------- c:\program files\HP
2008-11-02 15:43 . 2004-02-26 00:17 38,868 --------- c:\windows\hpomdl03.dat
2008-11-02 15:43 . 2008-11-02 15:51 29,385 --a------ c:\windows\hpoins03.dat
2008-11-02 15:22 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-02 15:22 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-11-02 15:22 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-02 15:22 . 2008-04-14 00:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-02 15:22 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-02 15:22 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-02 15:18 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-02 15:18 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-02 15:18 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-02 15:18 . 2008-04-14 00:15 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-02 15:15 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-02 15:15 . 2008-04-14 00:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-31 11:12 . 2008-11-04 14:17 8,627 --a------ c:\windows\system32\PAV_FOG.OPC
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\windows\system32\PAV
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\program files\Panda Security
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\documents and settings\Jody\Application Data\Panda Security
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security
2008-10-31 11:08 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll
2008-10-31 11:08 . 2006-06-01 23:00 446,464 --------- c:\windows\system32\HHActiveX.dll
2008-10-31 11:08 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll
2008-10-31 11:08 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL
2008-10-31 11:08 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll
2008-10-31 11:08 . 2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys
2008-10-31 11:08 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll
2008-10-31 11:08 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll
2008-10-31 11:08 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl
2008-10-31 11:08 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-10-31 11:08 . 2008-10-31 11:08 249 --a------ c:\windows\system32\PavCPL.dat
2008-10-31 11:07 . 2008-10-31 11:07 <DIR> d-------- c:\program files\Common Files\Panda Security
2008-10-31 11:07 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys
2008-10-31 11:07 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys
2008-10-31 10:59 . 2008-11-03 12:24 <DIR> d-------- c:\program files\Microsoft IntelliType Pro
2008-10-31 10:59 . 2008-11-03 12:24 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-10-31 10:45 . 2007-07-30 19:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-31 10:45 . 2007-07-30 19:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-31 09:46 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-10-31 09:46 . 2008-11-04 23:48 980 --a------ c:\windows\ODBC.INI
2008-10-31 09:45 . 2008-10-31 09:45 <DIR> d-------- c:\program files\Common Files\L&H
2008-10-31 09:44 . 2008-10-31 09:44 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-10-31 09:43 . 2008-10-31 09:45 <DIR> d-------- c:\windows\SHELLNEW
2008-10-31 09:43 . 2008-10-31 09:44 <DIR> d-------- c:\program files\Microsoft Works
2008-10-31 09:42 . 2008-10-31 09:42 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-31 09:41 . 2008-10-31 09:41 <DIR> d-------- c:\program files\TheWeatherNetwork
2008-10-31 09:40 . 2008-10-31 09:40 <DIR> d-------- c:\program files\XP Codec Pack
2008-10-31 09:38 . 2008-10-31 09:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-31 09:38 . 2008-10-31 09:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 09:34 . 2008-10-31 09:34 <DIR> d-------- c:\windows\system32\Adobe
2008-10-31 09:34 . 2008-08-06 15:27 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-10-31 09:34 . 2008-08-06 15:29 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-10-31 09:33 . 2008-10-31 09:33 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-31 09:32 . 2008-11-03 01:00 <DIR> d-------- c:\program files\Common Files\Adobe
2008-10-31 09:31 . 2008-10-31 10:03 <DIR> d-------- c:\program files\NOS
2008-10-31 09:31 . 2008-10-31 10:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-10-31 09:30 . 2008-10-31 09:30 <DIR> d-------- c:\windows\Sun
2008-10-31 09:30 . 2008-10-31 09:30 <DIR> d-------- c:\program files\Java
2008-10-31 09:30 . 2008-10-31 09:30 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-31 09:30 . 2008-10-31 09:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-31 08:39 . 2008-10-31 08:39 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-31 08:32 . 2008-10-31 08:32 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-31 08:31 . 2008-10-31 08:31 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-31 08:31 . 2008-10-31 08:31 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-31 08:27 . 2008-06-13 05:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2008-10-31 08:27 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-31 08:25 . 2008-10-31 10:15 <DIR> d--h----- c:\windows\$hf_mig$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 02:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 15:02 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-30 22:44 16,608 ----a-w c:\windows\gdrv.sys
2008-10-30 22:44 --------- d-----w c:\program files\Realtek
2008-10-30 22:42 319,488 ----a-w c:\windows\HideWin.exe
2008-10-30 22:41 --------- d-----w c:\program files\AMD
2008-10-30 22:41 --------- d-----w c:\documents and settings\Jody\Application Data\InstallShield
2008-10-30 22:26 --------- d-----w c:\program files\microsoft frontpage
2008-09-23 23:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-26 05:51 16,851,456 ----a-w c:\windows\RTHDCPL.EXE
2008-08-19 05:26 77,824 ----a-w c:\windows\SOUNDMAN.EXE
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-07 03:38 9,728 ----a-r c:\windows\system32\RtNicProp32.dll
2008-08-06 07:51 1,200,128 ----a-w c:\windows\RtlUpd.exe
2008-08-06 07:51 1,200,128 ----a-w c:\windows\RtkUpd.exe
2008-04-14 12:00 305,674 --sha-r c:\windows\system32\hdqdaseqgylvi.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_14.05.55.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-02 05:00:00 270,336 ------w c:\windows\Crystal\crxf_pdf.dll
+ 2006-06-02 05:00:00 180,275 ------w c:\windows\Crystal\crxf_rtf.dll
+ 2006-06-02 05:00:00 28,672 ------w c:\windows\Crystal\u2ddisk.dll
+ 2006-06-02 05:00:00 40,960 ------w c:\windows\Crystal\u2dmapi.dll
+ 2005-08-31 10:31:28 120,464 ----a-w c:\windows\Downloaded Installations\Macromedia Flash 8\FL_Client_Installer.exe
+ 2005-04-04 20:49:16 2,003,176 ----a-w c:\windows\Downloaded Installations\Macromedia Flash 8\WindowsInstaller-KB884016-v2-x86.exe
+ 2008-11-05 04:34:57 65,536 ----a-r c:\windows\Installer\{2BD5C305-1B27-4D41-B690-7A61172D2FEB}\ARPPRODUCTICONFL8.exe
+ 2008-11-05 04:33:52 53,248 ----a-r c:\windows\Installer\{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}\ARPPRODUCTICONFLV1.exe
+ 2008-11-05 04:16:39 473,600 ----a-w c:\windows\PrimoPDF4\uninstall.exe
+ 2006-05-20 19:22:00 184,897 ----a-w c:\windows\system32\atasnt40.dll
+ 2006-06-02 05:00:00 622,592 ------w c:\windows\system32\Crpaig80.dll
+ 2006-06-02 05:00:00 5,034,041 ------w c:\windows\system32\crpe32.dll
+ 2006-06-02 05:00:00 66,560 ------w c:\windows\system32\crwrap32.dll
+ 2006-05-20 19:44:46 51,392 ----a-w c:\windows\system32\drivers\atnt40k.sys
+ 2006-06-02 05:00:00 40,448 ------w c:\windows\system32\dsofile.dll
+ 2006-06-02 05:00:00 17,920 ------w c:\windows\system32\Implode.dll
+ 2005-11-14 04:35:14 39,424 ----a-w c:\windows\system32\JETCOMP.exe
- 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2005-08-27 20:08:06 1,398,408 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2005-11-14 04:35:04 344,064 ----a-w c:\windows\system32\msexch35.dll
+ 2005-11-14 04:35:06 252,688 ----a-w c:\windows\system32\msexcl35.dll
+ 2005-11-14 04:35:06 1,050,896 ----a-w c:\windows\system32\msjet35.dll
+ 2005-11-14 04:35:10 139,264 ----a-w c:\windows\system32\msjint35.dll
+ 2005-11-14 04:35:06 1,238,288 ----a-w c:\windows\system32\msjt4jlt.dll
+ 2005-11-14 04:35:14 24,848 ----a-w c:\windows\system32\msjter35.dll
+ 2005-11-14 04:35:06 168,720 ----a-w c:\windows\system32\msltus35.dll
+ 2005-11-14 04:35:08 250,128 ----a-w c:\windows\system32\mspdox35.dll
+ 2005-11-14 04:35:08 262,144 ----a-w c:\windows\system32\msrd2x35.dll
+ 2005-11-14 04:35:14 415,504 ----a-w c:\windows\system32\msrepl35.dll
+ 2005-11-14 04:35:14 44,304 ----a-w c:\windows\system32\msrpfs35.dll
+ 2005-11-14 04:35:08 166,672 ----a-w c:\windows\system32\mstext35.dll
+ 2005-11-14 04:35:08 294,912 ----a-w c:\windows\system32\msxbse35.dll
+ 2005-11-14 04:39:54 72,704 ----a-w c:\windows\system32\odbctl32.dll
+ 2006-06-02 05:00:00 188,416 ------w c:\windows\system32\P2smon.dll
+ 2006-06-02 05:00:00 303,104 ------w c:\windows\system32\p2sodbc.dll
- 2008-11-04 19:57:44 63,732 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-05 14:19:43 63,732 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-04 19:57:44 406,658 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-05 14:19:43 406,658 ----a-w c:\windows\system32\perfh009.dat
+ 2005-08-05 14:52:14 1,642,496 ----a-w c:\windows\system32\QuickTime\MMxptResources.dll
- 2006-08-31 16:46:24 106,256 ----a-w c:\windows\system32\spool\drivers\w32x86\3\ps5ui.dll
+ 2006-11-06 23:55:04 106,256 ----a-w c:\windows\system32\spool\drivers\w32x86\3\ps5ui.dll
- 2006-08-31 16:46:26 383,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5.dll
+ 2006-11-06 23:55:05 383,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5.dll
- 2006-08-31 16:46:24 106,256 ----a-w c:\windows\system32\spool\drivers\w32x86\ps5ui.dll
+ 2006-11-06 23:55:04 106,256 ----a-w c:\windows\system32\spool\drivers\w32x86\ps5ui.dll
- 2006-08-31 16:46:26 383,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5.dll
+ 2006-11-06 23:55:05 383,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5.dll
+ 2005-11-14 04:40:12 89,360 ----a-w c:\windows\system32\VB5DB.DLL
+ 2005-11-14 04:35:14 368,912 ----a-w c:\windows\system32\VBAR332.DLL
+ 2008-11-05 14:15:30 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_480.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-25 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nkpuoq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\WINDOWS\\system32\\hdqdaseqgylvi.exe"=

R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [2008-06-19 28544]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda [ ]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys [ ]
R3 PavSRK.sys;PavSRK.sys;c:\windows\system32\PavSRK.sys [ ]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4515c0a2-a6d5-11dd-af6d-001fd09d591c}]
\Shell\AutoRun\command - J:\Menu.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 09:15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 9:16:14
ComboFix-quarantined-files.txt 2008-11-05 15:15:51
ComboFix2.txt 2008-11-04 20:06:19

Pre-Run: 488,846,110,720 bytes free
Post-Run: 488,913,666,048 bytes free

341 --- E O F --- 2008-11-04 19:51:43
Click to expand...
 
the new HJ file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:33 AM, on 05/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\webgurl.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1225463169140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/...jc.cab&File=jinstall-6u10-windows-i586-jc.cab
O20 - AppInit_DLLs: nkpuoq.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 7703 bytes
Click to expand...
 
Open HijackThis, click do a system scan only and checkmark these:

O20 - AppInit_DLLs: nkpuoq.dll

Close all windows including browser and press fix checked.

Reboot.

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
here is the kasFile:

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, November 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, November 05, 2008 06:58:48
Records in database: 1369853
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 87673
Threat name: 5
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 00:35:31


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\cor704836.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\ee3362.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\eo4.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\h288.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\j414.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\lik02.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Qoobox\Quarantine\C\WINDOWS\ndxq3074.exe.vir Infected: Trojan-Downloader.Win32.Agent.ante 1
C:\Qoobox\Quarantine\C\WINDOWS\sqlexec32.exe.vir Infected: Trojan.Win32.VB.gfg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ahhyscsq.dll.vir Infected: Trojan.Win32.Monder.xys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jnfmvd.dll.vir Infected: Trojan.Win32.Monder.xys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\spqbmbuj.dll.vir Infected: Trojan.Win32.Monderb.wlw 1
C:\Qoobox\Quarantine\C\WINDOWS\tj85.exe.vir Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\WINDOWS\system32\hdqdaseqgylvi.exe Infected: Trojan.Win32.VB.gfg 1

The selected area was scanned.
Click to expand...

and the new HJ log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:47 PM, on 05/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\webgurl.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1225463169140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/...jc.cab&File=jinstall-6u10-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 7833 bytes
Click to expand...
 
Empty this folder:

C:\Qoobox\Quarantine

Delete this:

C:\WINDOWS\system32\hdqdaseqgylvi.exe

Empty Recycle Bin.

Still problems?
 
as i was looking through sonme of the folders, i noticed some file folders were blue? In the list there is blue text, naming the file? Thats not normal is it?
 
Those are hidden folders which are now visible.

We will hide them later.

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\hdqdaseqgylvi.exe

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
okay , here is the new comboFix File:
ComboFix 08-11-06.01 - Jody 2008-11-07 9:03:04.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1495 [GMT -6:00]
Running from: c:\documents and settings\Jody\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jody\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\hdqdaseqgylvi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hdqdaseqgylvi.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-05 20:58 . 2008-11-05 20:58 <DIR> d-------- c:\program files\MSECache
2008-11-04 22:33 . 2008-11-04 22:33 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-04 22:16 . 2008-11-04 22:16 <DIR> d-------- c:\windows\PrimoPDF4
2008-11-04 22:16 . 2008-11-04 22:16 <DIR> d-------- c:\program files\activePDF
2008-11-04 20:35 . 2008-11-04 20:35 <DIR> d-------- c:\program files\WebEx
2008-11-04 20:35 . 2008-11-04 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sage Software
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\winsim
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\Seagate Software
2008-11-04 20:34 . 2008-11-04 20:34 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2008-11-04 20:33 . 2008-11-04 20:35 <DIR> d-------- c:\program files\Simply Accounting Basic 2007
2008-11-04 19:04 . 2008-11-04 19:04 <DIR> d-------- c:\program files\Common Files\Macromedia Shared
2008-11-04 13:51 . 2008-11-04 13:51 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-03 20:29 . 2008-11-03 20:29 <DIR> d-------- c:\program files\Trend Micro
2008-11-03 16:44 . 2008-11-03 16:44 1,664 --a------ c:\windows\system32\tmp.reg
2008-11-03 16:43 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-03 16:43 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-03 16:43 . 2008-09-08 22:38 88,576 --a------ c:\windows\system32\AntiXPVSTFix.exe
2008-11-03 16:43 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-03 16:43 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-03 16:43 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-03 16:43 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-03 16:43 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-03 16:43 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-03 16:43 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-03 16:43 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-03 12:14 . 2008-11-03 13:30 <DIR> d-------- C:\Temp
2008-11-03 09:32 . 2008-11-03 09:32 0 --a------ c:\windows\nsreg.dat
2008-11-03 09:03 . 2008-11-06 13:02 <DIR> d-------- c:\program files\Macromedia
2008-11-03 09:03 . 2008-11-06 13:02 <DIR> d-------- c:\program files\Common Files\Macromedia
2008-11-03 09:02 . 2008-11-04 22:33 <DIR> d-------- c:\windows\Downloaded Installations
2008-11-02 23:26 . 2008-11-03 15:05 422 --a------ c:\windows\wininit.ini
2008-11-02 20:18 . 2008-11-03 12:18 <DIR> d-------- c:\program files\Bonjour
2008-11-02 18:16 . 2008-11-02 18:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2008-11-02 18:16 . 2002-01-05 04:10 57,344 --a------ c:\windows\system32\mfc70enu.dll
2008-11-02 18:09 . 2008-11-02 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-02 17:42 . 2008-11-02 17:42 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-02 17:02 . 2006-12-11 15:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2008-11-02 16:43 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-02 16:43 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-02 16:40 . 2008-11-02 21:10 <DIR> d-------- c:\program files\CoreFTP
2008-11-02 16:40 . 2008-11-07 01:46 <DIR> d-------- c:\documents and settings\Jody\Application Data\CoreFTP
2008-11-02 15:59 . 2008-11-02 15:59 <DIR> d-------- c:\documents and settings\Jody\Contacts
2008-11-02 15:53 . 2008-11-02 15:57 <DIR> d-------- c:\program files\Windows Live
2008-11-02 15:53 . 2008-11-02 15:57 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 15:53 . 2008-11-02 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 15:50 . 2008-11-02 15:50 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-11-02 15:50 . 2003-12-11 11:15 626,960 -ra------ c:\windows\system32\hpvaut32.dll
2008-11-02 15:50 . 2003-12-11 11:15 487,424 -ra------ c:\windows\system32\hpvcp70.dll
2008-11-02 15:50 . 2003-12-11 11:15 344,064 -ra------ c:\windows\system32\hpvcr70.dll
2008-11-02 15:50 . 2003-12-11 11:15 44,544 -ra------ c:\windows\system32\MSXML4a.dll
2008-11-02 15:48 . 2008-11-02 15:48 <DIR> d-------- c:\program files\Common Files\HP
2008-11-02 15:46 . 2004-02-26 00:18 51,056 -ra------ c:\windows\system32\drivers\hpzid412.sys
2008-11-02 15:46 . 2004-02-26 00:18 21,488 -ra------ c:\windows\system32\drivers\HPZius12.sys
2008-11-02 15:46 . 2004-02-26 00:18 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-11-02 15:46 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-02 15:46 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-02 15:44 . 2008-11-02 15:50 <DIR> d-------- c:\program files\HP
2008-11-02 15:43 . 2004-02-26 00:17 38,868 --------- c:\windows\hpomdl03.dat
2008-11-02 15:43 . 2008-11-02 15:51 29,385 --a------ c:\windows\hpoins03.dat
2008-11-02 15:22 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-11-02 15:22 . 2008-04-14 05:41 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2008-11-02 15:22 . 2008-04-14 00:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-02 15:22 . 2008-04-14 00:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-02 15:22 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-02 15:22 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-02 15:18 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-02 15:18 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-02 15:18 . 2008-04-14 00:15 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-02 15:18 . 2008-04-14 00:15 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-02 15:15 . 2008-04-14 00:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-11-02 15:15 . 2008-04-14 00:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-31 11:12 . 2008-11-06 13:16 8,627 --a------ c:\windows\system32\PAV_FOG.OPC
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\windows\system32\PAV
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\program files\Panda Security
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\documents and settings\Jody\Application Data\Panda Security
2008-10-31 11:08 . 2008-10-31 11:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security
2008-10-31 11:08 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll
2008-10-31 11:08 . 2006-06-01 23:00 446,464 --------- c:\windows\system32\HHActiveX.dll
2008-10-31 11:08 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll
2008-10-31 11:08 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL
2008-10-31 11:08 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll
2008-10-31 11:08 . 2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys
2008-10-31 11:08 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll
2008-10-31 11:08 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll
2008-10-31 11:08 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl
2008-10-31 11:08 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-10-31 11:08 . 2008-10-31 11:08 249 --a------ c:\windows\system32\PavCPL.dat
2008-10-31 11:07 . 2008-10-31 11:07 <DIR> d-------- c:\program files\Common Files\Panda Security
2008-10-31 11:07 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys
2008-10-31 11:07 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys
2008-10-31 10:59 . 2008-11-03 12:24 <DIR> d-------- c:\program files\Microsoft IntelliType Pro
2008-10-31 10:59 . 2008-11-03 12:24 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2008-10-31 10:45 . 2007-07-30 19:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-31 10:45 . 2007-07-30 19:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-31 09:46 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-10-31 09:46 . 2008-11-05 13:22 1,288 --a------ c:\windows\ODBC.INI
2008-10-31 09:45 . 2008-10-31 09:45 <DIR> d-------- c:\program files\Common Files\L&H
2008-10-31 09:44 . 2008-10-31 09:44 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-10-31 09:43 . 2008-10-31 09:45 <DIR> d-------- c:\windows\SHELLNEW
2008-10-31 09:43 . 2008-10-31 09:44 <DIR> d-------- c:\program files\Microsoft Works
2008-10-31 09:42 . 2008-10-31 09:42 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-31 09:41 . 2008-10-31 09:41 <DIR> d-------- c:\program files\TheWeatherNetwork
2008-10-31 09:40 . 2008-10-31 09:40 <DIR> d-------- c:\program files\XP Codec Pack
2008-10-31 09:38 . 2008-10-31 09:40 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-31 09:38 . 2008-10-31 09:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-31 09:36 . 2008-10-31 09:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 09:34 . 2008-10-31 09:34 <DIR> d-------- c:\windows\system32\Adobe
2008-10-31 09:34 . 2008-08-06 15:27 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-10-31 09:34 . 2008-08-06 15:29 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-10-31 09:33 . 2008-10-31 09:33 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-31 09:32 . 2008-11-03 01:00 <DIR> d-------- c:\program files\Common Files\Adobe
2008-10-31 09:31 . 2008-10-31 10:03 <DIR> d-------- c:\program files\NOS
2008-10-31 09:31 . 2008-10-31 10:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-10-31 09:30 . 2008-10-31 09:30 <DIR> d-------- c:\windows\Sun
2008-10-31 09:30 . 2008-10-31 09:30 <DIR> d-------- c:\program files\Java
2008-10-31 09:30 . 2008-10-31 09:30 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-31 09:30 . 2008-10-31 09:30 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-31 08:39 . 2008-10-31 08:39 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-31 08:32 . 2008-10-31 08:32 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-10-31 08:31 . 2008-10-31 08:31 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-31 08:31 . 2008-10-31 08:31 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-10-31 08:27 . 2008-06-13 05:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2008-10-31 08:27 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 19:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 15:02 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-30 22:44 16,608 ----a-w c:\windows\gdrv.sys
2008-10-30 22:44 --------- d-----w c:\program files\Realtek
2008-10-30 22:42 319,488 ----a-w c:\windows\HideWin.exe
2008-10-30 22:41 --------- d-----w c:\program files\AMD
2008-10-30 22:41 --------- d-----w c:\documents and settings\Jody\Application Data\InstallShield
2008-10-30 22:26 --------- d-----w c:\program files\microsoft frontpage
2008-09-23 23:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-26 05:51 16,851,456 ----a-w c:\windows\RTHDCPL.EXE
2008-08-19 05:26 77,824 ----a-w c:\windows\SOUNDMAN.EXE
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-08-07 03:38 9,728 ----a-r c:\windows\system32\RtNicProp32.dll
.

((((((((((((((((((((((((((((( snapshot_2008-11-05_ 9.15.42.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-27 02:12:56 396,592 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MOC.EXE
+ 2007-05-08 17:10:18 16,874,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MSO.DLL
+ 2007-03-22 00:56:50 8,425,856 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OARTCONV.DLL
+ 2006-10-27 21:18:34 1,658,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OGL.DLL
+ 2007-05-10 15:04:28 846,248 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OICE.EXE
+ 2007-05-10 16:11:42 1,767,256 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PPCNV.DLL
+ 2007-03-22 01:00:06 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBCOM.EXE
+ 2007-03-22 00:58:40 4,145,520 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CNV.DLL
+ 2007-03-22 00:58:46 24,416 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12EXE.EXE
+ 2007-05-10 16:25:40 14,677,368 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE
+ 2007-09-15 03:45:58 16,901,168 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\MSO.DLL
+ 2007-08-29 06:19:24 1,654,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\OGL.DLL
+ 2007-08-24 11:00:34 1,767,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PPCNV.DLL
+ 2007-08-24 11:00:48 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PXBCOM.EXE
+ 2007-10-03 02:00:06 14,708,760 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE
+ 2008-11-06 14:59:03 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-11-03 16:14:12 240,736 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-11-06 13:59:05 259,840 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-11-05 14:19:43 63,732 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-07 13:57:50 63,732 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-05 14:19:43 406,658 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-07 13:57:50 406,658 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-07 13:53:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_250.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye" [X]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="=" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-25 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2008-03-18 16:58 58672 c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 pavboot;Panda boot driver;c:\windows\system32\Drivers\pavboot.sys [2008-06-19 28544]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2008-03-04 41144]
R2 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda [ ]
R2 JavaQuickStarterService;Java Quick Starter;c:\program files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 179640]
R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe [2008-06-25 28928]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys [ ]
R3 PavSRK.sys;PavSRK.sys;c:\windows\system32\PavSRK.sys [ ]
R3 PavTPK.sys;PavTPK.sys;c:\windows\system32\PavTPK.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4515c0a2-a6d5-11dd-af6d-001fd09d591c}]
\Shell\AutoRun\command - J:\Menu.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 09:04:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-07 9:05:29
ComboFix-quarantined-files.txt 2008-11-07 15:05:06
ComboFix2.txt 2008-11-05 15:16:15
ComboFix3.txt 2008-11-04 20:06:19

Pre-Run: 488,162,635,776 bytes free
Post-Run: 488,267,780,096 bytes free

254 --- E O F --- 2008-11-06 14:59:03
Click to expand...

and the HJ file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:06 AM, on 07/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2009\WebProxy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\AVENGINE.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\psimreal.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\avciman.exe
C:\Program Files\Panda Security\Panda Antivirus Pro 2009\Upgrader.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\webgurl.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1225463169140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/...jc.cab&File=jinstall-6u10-windows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2009\TPSrv.exe

--
End of file - 8156 bytes
 
No, things seems to be great ! I know you must hear this a lot but I just want to say thank you. To do what you do with no questions asked is amazing and to help others with these issues and ask nothing in return. I have read in the forums and done the research on how to avoid this issue again and I have not taken it lightly. You have no idea how stressed i was and how close i was to a meltdown over this. Thank you so very much.

You have been so helpful.:)

J
 
Glad to hear that :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

It looks like that your Panda has only antivirus. If so, please install one firewall from below.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

    Malwarebytes' Anti-Malware Setup Guide

    Malwarebytes' Anti-Malware Scanning Guide

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean! :bigthumb:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top