Nasty Virues that I can't get rid of

M

MsBhelp

New member
So I got the Net Kernal 1256 virus/trojan and it slowed down my computer, added extra icons, added ~$5,000 .tmp files, and caused my computer to have 40 popups everytime I opened a broswer, and it was very sluggish. I think I deleted them with vundofix, and combofix. However I still get popups. Even after I have ran spybot, I also noticed I had virtumonde. I also noticed that my google searches have been redirected to rouge sites. Below you'll find my log files. TIA.

KASPERSKY ONLINE SCANNER REPORT
Friday, February 01, 2008 4:26:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/02/2008
Kaspersky Anti-Virus database records: 545342
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:


Scan Statistics:
Total number of scanned objects: 56120
Number of viruses found: 29
Number of infected objects: 78
Number of suspicious objects: 2
Duration of the scan process: 04:07:00

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sfloppyy.sys Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\mljgfdd.dll Infected: Trojan.Win32.BHO.auf skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\b147.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\User1\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\Documents and Settings\User1\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\User1\Local Settings\Temp\Perflib_Perfdata_4fc.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\MSHist012008020120080202\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\7EHSDR7N\rasesnet[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.edv skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\7EHSDR7N\4db3e14be68297b54dc897edcc80680f[1].zip/b147.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\7EHSDR7N\4db3e14be68297b54dc897edcc80680f[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\RP4K4NRR\!update-4495[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\QE7TXNLB\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\QE7TXNLB\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\QE7TXNLB\26453da423d82a5fc6fae941d05f1151[1].zip/b116.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\QE7TXNLB\26453da423d82a5fc6fae941d05f1151[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User1\Application Data\ѕystem\wucrtupd.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\User1\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe Infected: Trojan.Win32.Scapur.k skipped
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe NSIS: infected - 1 skipped
C:\Program Files\Yahoo!\Messenger\logs\client_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_User1.log Object is locked skipped
C:\Program Files\Insider\Insider.exe Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP597\A0345269.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP597\A0345273.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP597\A0346255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP599\A0347255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP599\A0347256.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP600\A0351340.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP600\A0351365.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP600\A0351369.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP600\A0351370.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352403.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352409.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352413.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352414.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352415.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352416.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352417.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352418.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP602\A0352419.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352451.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352452.exe Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352453.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352455.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352456.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352457.exe Infected: Trojan.Win32.Agent.edq skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP603\A0352512.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352523.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352529.dll Infected: Trojan.Win32.BHO.auf skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352530.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352531.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352532.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352533.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352534.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP604\A0352540.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP608\change.log Object is locked skipped
C:\FOUND.032\FILE0002.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\FOUND.032\FILE0041.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.032\FILE0042.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.033\FILE0003.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\avifnipw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\efeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\VundoFix Backups\fnbrgrgg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\ghtwtdpr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\VundoFix Backups\ivybysbg.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\jukwksej.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\khfcyvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\kmlxdojw.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\nqselevc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\VundoFix Backups\ogdviytl.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\omyrgoma.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\VundoFix Backups\pmnkhge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ivybysbg.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnkhge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yrevbmql.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir Infected: Trojan.Win32.Zapchast.dt skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.edq skipped

Scan process completed.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:20 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Common Files\??mantec\n?tepad.exe
C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [34c0bb71] rundll32.exe "C:\WINDOWS\system32\unkailyu.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8156] command /c del "C:\WINDOWS\system32\gluwawih.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3779] cmd /c del "C:\WINDOWS\system32\gluwawih.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5762] command /c del "C:\WINDOWS\system32\gluwawih.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5129] cmd /c del "C:\WINDOWS\system32\gluwawih.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4280] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3594] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 6994 bytes
 
Hi MsBhelp

Rename HijackThis.exe to MsBhelp.exe and post back a fresh HijackThis log, please :)
 
I think I did it correctly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:41 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Insider\Insider.exe
C:\Program Files\Common Files\??mantec\n?tepad.exe
C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [34c0bb71] rundll32.exe "C:\WINDOWS\system32\hcbnjlxe.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 6197 bytes
 
Hi

Unfortunately no; I think that you renamed desktop shortcut.

Rename HijackThis.exe to MsBhelp.exe by doing the following;

  • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now Rename HijackThis.exe to MsBhelp.exe
  • When you've renamed HijackThis, open HijackThis again.
  • Take a fresh HijackThis log (click Do a system scan and save a log file)
  • Post the fresh HijackThis log here.
 
Ok, here it is. Sorry about that.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:19 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Common Files\??mantec\n?tepad.exe
C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: {cc335aea-0617-62b8-4f04-8c831da4f041} - {140f4ad1-38c8-40f4-8b26-7160aea533cc} - C:\WINDOWS\system32\grcfbdif.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6626808A-E950-4454-83E0-0CCCDB345568} - C:\WINDOWS\system32\efeby.dll (file missing)
O2 - BHO: (no name) - {8ed3f490-855b-49a7-81b7-738974cd820d} - C:\WINDOWS\system32\pwgohru.dll (file missing)
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\mljgfdd.dll
O2 - BHO: (no name) - {A1F721A9-B380-4380-AAD8-CDB2BF1C8A8F} - C:\WINDOWS\system32\pmkif.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gluwawih.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C66EC8C2-BB81-4E76-A909-EF78019F6DE7} - C:\Program Files\Windows NT\vihypi83122.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [34c0bb71] rundll32.exe "C:\WINDOWS\system32\hcbnjlxe.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)
O20 - Winlogon Notify: mljgfdd - C:\WINDOWS\SYSTEM32\mljgfdd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 7880 bytes
 
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
Ok, I've done that but it seems like it triggered the Kernel 1256 errors to come back. The temp files are back and the two new fake windows icons are back on my desktop.


ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:00 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6626808A-E950-4454-83E0-0CCCDB345568} - C:\WINDOWS\system32\efeby.dll (file missing)
O2 - BHO: (no name) - {8ed3f490-855b-49a7-81b7-738974cd820d} - C:\WINDOWS\system32\pwgohru.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pagyihbo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C66EC8C2-BB81-4E76-A909-EF78019F6DE7} - C:\Program Files\Windows NT\vihypi83122.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)
O20 - Winlogon Notify: pagyihbo - C:\WINDOWS\SYSTEM32\pagyihbo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)

--
End of file - 7268 bytes


ComboFix 08-02.05.3 - User1 2008-02-09 14:25:31.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.130 [GMT -6:00]
Running from: C:\Documents and Settings\User1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sfloppyy.sys
C:\WINDOWS\system32\mljgfdd.dll
C:\WINDOWS\system32\pmkif.dll
C:\Documents and Settings\User1\Application Data\YSTEM~1
C:\Documents and Settings\User1\Application Data\YSTEM~1\?dobe\
C:\Documents and Settings\User1\Application Data\YSTEM~1\wucrtupd.exe
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mantec~1\n?tepad.exe
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\temp\tn3
C:\WINDOWS\b122.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\system32\aihapehh.dll
C:\WINDOWS\system32\bpcnpcem.dll
C:\WINDOWS\system32\cnxlcihk.ini
C:\WINDOWS\system32\doxoovgr.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sfloppyy.sys
C:\WINDOWS\system32\exljnbch.ini
C:\WINDOWS\system32\fikmp.ini
C:\WINDOWS\system32\fikmp.ini2
C:\WINDOWS\system32\grcfbdif.dll
C:\WINDOWS\system32\gwokbyof.dll
C:\WINDOWS\system32\hcbnjlxe.dll
C:\WINDOWS\system32\hdoxrvyf.dll
C:\WINDOWS\system32\hhepahia.ini
C:\WINDOWS\system32\inifpsav.dll
C:\WINDOWS\system32\khiclxnc.dll
C:\WINDOWS\system32\kiolqdni.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgfdd.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pagyihbo.dll
C:\WINDOWS\system32\pagyihbo.dll . . . . failed to delete
C:\WINDOWS\system32\pagyihbo.dllbox
C:\WINDOWS\system32\pmkif.dll
C:\WINDOWS\system32\quttuurw.dll
C:\WINDOWS\system32\rgvooxod.ini
C:\WINDOWS\system32\ssqqaslm.dll
C:\WINDOWS\system32\wruuttuq.ini
C:\WINDOWS\system32\xufwifou.dll
C:\WINDOWS\system32\xwnvcnpx.dll
C:\WINDOWS\system32\ymdfkwaa.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFLOPPYY
-------\sfloppyy


((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.

2008-02-09 14:37 . 2008-02-09 14:40 19,054 ---hs---- C:\WINDOWS\system32\pagyihbo.dllbox
2008-02-09 14:24 . 2008-02-09 14:32 163,904 --------- C:\WINDOWS\system32\pagyihbo.dll
2008-02-06 18:09 . 2008-02-06 18:09 <DIR> d--hs---- C:\FOUND.036
2008-02-05 22:38 . 2008-02-05 22:38 <DIR> d--hs---- C:\FOUND.035
2008-02-05 14:21 . 2008-02-06 17:50 714 ---hs---- C:\WINDOWS\system32\sdjpnexs.ini
2008-02-04 17:46 . 2008-02-04 17:46 <DIR> d--hs---- C:\FOUND.034
2008-02-04 14:20 . 2008-02-05 14:20 594 ---hs---- C:\WINDOWS\system32\cgegodpr.ini
2008-02-02 02:15 . 2008-02-02 02:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 14:21 . 2008-02-02 12:24 414 ---hs---- C:\WINDOWS\system32\uyliaknu.ini
2008-02-01 12:10 . 2008-02-01 12:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:55 . 2008-02-01 01:55 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-01 01:35 . 2008-02-09 14:35 12,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 01:35 . 2008-02-09 14:35 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 01:35 . 2008-02-09 14:35 1,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 01:35 . 2008-02-09 14:35 288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 01:29 . 2008-02-01 01:29 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 01:28 . 2008-02-01 01:28 <DIR> d-------- C:\KAV
2008-01-31 12:57 . 2008-01-31 12:57 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:05 . 2008-01-31 12:05 <DIR> d--hs---- C:\FOUND.033
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 02:02 . 2008-01-29 02:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:49 . 2008-01-29 10:42 414 ---hs---- C:\WINDOWS\system32\xmderotv.ini
2008-01-28 17:43 . 2008-01-28 17:43 294 ---hs---- C:\WINDOWS\system32\egflybum.ini
2008-01-27 13:20 . 2008-01-27 13:20 354 ---hs---- C:\WINDOWS\system32\rfsfjpeg.ini
2008-01-26 15:31 . 2008-01-26 15:32 294 ---hs---- C:\WINDOWS\system32\jafvxeaw.ini
2008-01-26 15:26 . 2008-01-26 15:27 294 ---hs---- C:\WINDOWS\system32\bvrmahxy.ini
2008-01-24 02:24 . 2008-01-24 02:24 <DIR> d--hs---- C:\FOUND.032
2008-01-23 12:22 . 2008-01-23 12:22 <DIR> d--hs---- C:\FOUND.031
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\comm7
2008-01-23 11:31 . 2008-01-23 11:31 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-21 19:26 . 2008-02-09 14:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 19:26 . 2008-01-21 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 19:24 . 2008-01-21 19:24 <DIR> d-------- C:\Program Files\iPod
2008-01-21 19:23 . 2008-01-21 19:23 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 19:18 . 2008-01-21 19:18 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 13:04 . 2008-01-17 13:04 <DIR> d--hs---- C:\FOUND.030
2008-01-16 13:31 . 2008-01-16 13:31 <DIR> d--hs---- C:\FOUND.029
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-10 02:08 . 2008-01-10 02:08 <DIR> d-------- C:\Documents and Settings\User1\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-23 07:33 --------- d-----w C:\Documents and Settings\User1\Application Data\LimeWire
2007-12-18 05:59 --------- d-----w C:\Program Files\eMusic Download Manager
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-01-17 22:23 19,000 ----a-w C:\Documents and Settings\User1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6626808A-E950-4454-83E0-0CCCDB345568}]
C:\WINDOWS\system32\efeby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ed3f490-855b-49a7-81b7-738974cd820d}]
C:\WINDOWS\system32\pwgohru.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-09 14:32 163904 --------- C:\WINDOWS\system32\pagyihbo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C66EC8C2-BB81-4E76-A909-EF78019F6DE7}]
C:\Program Files\Windows NT\vihypi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49 307200]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 18:52 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"Uayoxo"="C:\Program Files\Common Files\??mantec\n?tepad.exe" [ ]
"Wtai"="C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

C:\Documents and Settings\User1\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE [2002-09-11 13:30:58 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-25 13:31:04 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gluwawih]
gluwawih.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pagyihbo]
pagyihbo.dll 2008-02-09 14:32 163904 C:\WINDOWS\system32\pagyihbo.dll

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 23:42:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 14:40:35
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pagyihbo.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\pagyihbo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-02-09 14:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-09 20:43:26
ComboFix2.txt 2008-02-01 01:00:20
.
2008-02-02 01:10:07 --- E O F ---
 
Hi

Yes, we are not done yet.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WINDOWS\system32\pagyihbo.dllbox
C:\WINDOWS\system32\pagyihbo.dll
C:\WINDOWS\system32\sdjpnexs.ini
C:\WINDOWS\system32\cgegodpr.ini
C:\WINDOWS\system32\uyliaknu.ini
C:\WINDOWS\system32\xmderotv.ini
C:\WINDOWS\system32\egflybum.ini
C:\WINDOWS\system32\rfsfjpeg.ini
C:\WINDOWS\system32\jafvxeaw.ini
C:\WINDOWS\system32\bvrmahxy.ini

Folder::
C:\Program Files\Dot1XCfg

Driver::
MSControlService

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6626808A-E950-4454-83E0-0CCCDB345568}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ed3f490-855b-49a7-81b7-738974cd820d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C66EC8C2-BB81-4E76-A909-EF78019F6DE7}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uayoxo"=-
"Wtai"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gluwawih]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pagyihbo]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Ok, not sure if this worked. During combo fixes reboot, my screen went black and I manually rebooted my computer. During that the system scan came on. Combo fix did finish the log and I did another HJT log.


ComboFix 08-02.05.3 - User1 2008-02-11 13:01:34.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.232 [GMT -6:00]
Running from: C:\Documents and Settings\User1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pagyihbo.dll
C:\WINDOWS\system32\pagyihbo.dllbox
C:\WINDOWS\system32\windows

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-09 14:22 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-06 18:09 . 2008-02-06 18:09 <DIR> d--hs---- C:\FOUND.036
2008-02-05 22:38 . 2008-02-05 22:38 <DIR> d--hs---- C:\FOUND.035
2008-02-05 14:21 . 2008-02-06 17:50 714 ---hs---- C:\WINDOWS\system32\sdjpnexs.ini
2008-02-04 17:46 . 2008-02-04 17:46 <DIR> d--hs---- C:\FOUND.034
2008-02-04 14:20 . 2008-02-05 14:20 594 ---hs---- C:\WINDOWS\system32\cgegodpr.ini
2008-02-02 02:15 . 2008-02-02 02:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 14:21 . 2008-02-02 12:24 414 ---hs---- C:\WINDOWS\system32\uyliaknu.ini
2008-02-01 12:10 . 2008-02-01 12:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:55 . 2008-02-01 01:55 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-02-01 01:35 . 2008-02-11 13:06 12,320 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 01:35 . 2008-02-11 13:06 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 01:35 . 2008-02-11 13:06 1,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 01:35 . 2008-02-11 13:06 288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 01:29 . 2008-02-01 01:29 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 01:28 . 2008-02-01 01:28 <DIR> d-------- C:\KAV
2008-01-31 12:57 . 2008-01-31 12:57 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:05 . 2008-01-31 12:05 <DIR> d--hs---- C:\FOUND.033
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 02:02 . 2008-01-29 02:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 17:49 . 2008-01-29 10:42 414 ---hs---- C:\WINDOWS\system32\xmderotv.ini
2008-01-28 17:43 . 2008-01-28 17:43 294 ---hs---- C:\WINDOWS\system32\egflybum.ini
2008-01-27 13:20 . 2008-01-27 13:20 354 ---hs---- C:\WINDOWS\system32\rfsfjpeg.ini
2008-01-26 15:31 . 2008-01-26 15:32 294 ---hs---- C:\WINDOWS\system32\jafvxeaw.ini
2008-01-26 15:26 . 2008-01-26 15:27 294 ---hs---- C:\WINDOWS\system32\bvrmahxy.ini
2008-01-24 02:24 . 2008-01-24 02:24 <DIR> d--hs---- C:\FOUND.032
2008-01-23 12:22 . 2008-01-23 12:22 <DIR> d--hs---- C:\FOUND.031
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\winzs6
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\nui4
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\extz1
2008-01-23 11:32 . 2008-01-23 11:32 <DIR> d-------- C:\WINDOWS\system32\comm7
2008-01-23 11:31 . 2008-01-23 11:31 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-21 19:26 . 2008-02-09 14:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 19:26 . 2008-01-21 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 19:24 . 2008-01-21 19:24 <DIR> d-------- C:\Program Files\iPod
2008-01-21 19:23 . 2008-01-21 19:23 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 19:18 . 2008-01-21 19:18 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 13:04 . 2008-01-17 13:04 <DIR> d--hs---- C:\FOUND.030
2008-01-16 13:31 . 2008-01-16 13:31 <DIR> d--hs---- C:\FOUND.029

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 08:08 --------- d-----w C:\Documents and Settings\User1\Application Data\Move Networks
2007-12-23 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-23 07:33 --------- d-----w C:\Documents and Settings\User1\Application Data\LimeWire
2007-12-18 05:59 --------- d-----w C:\Program Files\eMusic Download Manager
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-01-17 22:23 19,000 ----a-w C:\Documents and Settings\User1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6626808A-E950-4454-83E0-0CCCDB345568}]
C:\WINDOWS\system32\efeby.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ed3f490-855b-49a7-81b7-738974cd820d}]
C:\WINDOWS\system32\pwgohru.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C66EC8C2-BB81-4E76-A909-EF78019F6DE7}]
C:\Program Files\Windows NT\vihypi83122.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49 307200]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 18:52 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"Uayoxo"="C:\Program Files\Common Files\??mantec\n?tepad.exe" [ ]
"Wtai"="C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

C:\Documents and Settings\User1\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE [2002-09-11 13:30:58 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-25 13:31:04 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gluwawih]
gluwawih.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 23:42:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 13:27:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-02-11 13:31:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 19:31:16
ComboFix3.txt 2008-02-01 01:00:20
ComboFix2.txt 2008-02-09 20:43:36
.
2008-02-02 01:10:07 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:50 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6626808A-E950-4454-83E0-0CCCDB345568} - C:\WINDOWS\system32\efeby.dll (file missing)
O2 - BHO: (no name) - {8ed3f490-855b-49a7-81b7-738974cd820d} - C:\WINDOWS\system32\pwgohru.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {C66EC8C2-BB81-4E76-A909-EF78019F6DE7} - C:\Program Files\Windows NT\vihypi83122.dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6995 bytes
 
Hi

No it did not work 100 %

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {6626808A-E950-4454-83E0-0CCCDB345568} - C:\WINDOWS\system32\efeby.dll (file missing)
O2 - BHO: (no name) - {8ed3f490-855b-49a7-81b7-738974cd820d} - C:\WINDOWS\system32\pwgohru.dll (file missing)
O2 - BHO: (no name) - {C66EC8C2-BB81-4E76-A909-EF78019F6DE7} - C:\Program Files\Windows NT\vihypi83122.dll (file missing)
O4 - HKCU\..\Run: [Uayoxo] "C:\Program Files\Common Files\??mantec\n?tepad.exe"
O4 - HKCU\..\Run: [Wtai] "C:\DOCUME~1\User1\APPLIC~1\YSTEM~1\wucrtupd.exe" -vt ndrv

Close all windows incluiding browser and press fix checked.

Reboot.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: 
    C:\WINDOWS\system32\sdjpnexs.ini
C:\WINDOWS\system32\cgegodpr.ini
C:\WINDOWS\system32\uyliaknu.ini
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\xmderotv.ini
C:\WINDOWS\system32\egflybum.ini
C:\WINDOWS\system32\rfsfjpeg.ini
C:\WINDOWS\system32\jafvxeaw.ini
C:\WINDOWS\system32\bvrmahxy.ini
C:\WINDOWS\system32\winzs6
C:\WINDOWS\system32\nui4
C:\WINDOWS\system32\extz1
C:\WINDOWS\system32\comm7
C:\WINDOWS\system32\nGpxx01
  • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run combofix

Post:

- a fresh HijackThis log
- combofix report
- otmoveit2 report
 
Here you go!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:27 PM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6394 bytes

ComboFix 08-02.05.3 - User1 2008-02-12 14:21:08.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.136 [GMT -6:00]
Running from: C:\Documents and Settings\User1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-12 14:19 . 2008-02-12 14:19 <DIR> d-------- C:\_OTMoveIt
2008-02-11 12:58 . 2004-08-04 02:56 388,608 --a------ C:\kmd.exe
2008-02-06 18:09 . 2008-02-06 18:09 <DIR> d--hs---- C:\FOUND.036
2008-02-05 22:38 . 2008-02-05 22:38 <DIR> d--hs---- C:\FOUND.035
2008-02-04 17:46 . 2008-02-04 17:46 <DIR> d--hs---- C:\FOUND.034
2008-02-02 02:15 . 2008-02-02 02:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 12:10 . 2008-02-01 12:10 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-01 01:35 . 2008-02-11 13:06 14,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-01 01:35 . 2008-02-11 13:06 1,220 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-01 01:35 . 2008-02-11 13:06 1,100 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-01 01:35 . 2008-02-11 13:06 288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-01 01:29 . 2008-02-01 01:29 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-02-01 01:28 . 2008-02-01 01:28 <DIR> d-------- C:\KAV
2008-01-31 12:57 . 2008-01-31 12:57 <DIR> d-------- C:\VundoFix Backups
2008-01-31 12:05 . 2008-01-31 12:05 <DIR> d--hs---- C:\FOUND.033
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-29 11:27 . 2008-01-29 11:27 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-29 02:05 . 2008-01-29 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-29 02:02 . 2008-01-29 02:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-24 02:24 . 2008-01-24 02:24 <DIR> d--hs---- C:\FOUND.032
2008-01-23 12:22 . 2008-01-23 12:22 <DIR> d--hs---- C:\FOUND.031
2008-01-21 19:26 . 2008-02-11 13:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-21 19:26 . 2008-01-21 19:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-21 19:24 . 2008-01-21 19:24 <DIR> d-------- C:\Program Files\iPod
2008-01-21 19:23 . 2008-01-21 19:23 <DIR> d-------- C:\Program Files\iTunes
2008-01-21 19:18 . 2008-01-21 19:18 <DIR> d-------- C:\Program Files\QuickTime
2008-01-17 13:04 . 2008-01-17 13:04 <DIR> d--hs---- C:\FOUND.030
2008-01-16 13:31 . 2008-01-16 13:31 <DIR> d--hs---- C:\FOUND.029

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 08:08 --------- d-----w C:\Documents and Settings\User1\Application Data\Move Networks
2007-12-23 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-23 07:33 --------- d-----w C:\Documents and Settings\User1\Application Data\LimeWire
2007-12-18 05:59 --------- d-----w C:\Program Files\eMusic Download Manager
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-14 07:26 450,560 ------w C:\WINDOWS\system32\dllcache\jscript.dll
2007-01-17 22:23 19,000 ----a-w C:\Documents and Settings\User1\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 10:49 307200]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 18:52 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

C:\Documents and Settings\User1\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE [2002-09-11 13:30:58 299008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-25 13:31:04 118784]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gluwawih]
gluwawih.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 23:42:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 14:23:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 14:24:16
ComboFix-quarantined-files.txt 2008-02-12 20:24:10
ComboFix4.txt 2008-02-01 01:00:20
ComboFix3.txt 2008-02-09 20:43:36
ComboFix2.txt 2008-02-11 19:31:24
.
2008-02-02 01:10:07 --- E O F ---
[Custom Input]
< C:\WINDOWS\system32\sdjpnexs.ini >
C:\WINDOWS\system32\sdjpnexs.ini moved successfully.
< C:\WINDOWS\system32\cgegodpr.ini >
C:\WINDOWS\system32\cgegodpr.ini moved successfully.
< C:\WINDOWS\system32\uyliaknu.ini >
C:\WINDOWS\system32\uyliaknu.ini moved successfully.
< C:\Program Files\Dot1XCfg >
C:\Program Files\Dot1XCfg moved successfully.
< C:\WINDOWS\system32\xmderotv.ini >
C:\WINDOWS\system32\xmderotv.ini moved successfully.
< C:\WINDOWS\system32\egflybum.ini >
C:\WINDOWS\system32\egflybum.ini moved successfully.
< C:\WINDOWS\system32\rfsfjpeg.ini >
C:\WINDOWS\system32\rfsfjpeg.ini moved successfully.
< C:\WINDOWS\system32\jafvxeaw.ini >
C:\WINDOWS\system32\jafvxeaw.ini moved successfully.
< C:\WINDOWS\system32\bvrmahxy.ini >
C:\WINDOWS\system32\bvrmahxy.ini moved successfully.
< C:\WINDOWS\system32\winzs6 >
C:\WINDOWS\system32\winzs6 moved successfully.
< C:\WINDOWS\system32\nui4 >
C:\WINDOWS\system32\nui4 moved successfully.
< C:\WINDOWS\system32\extz1 >
C:\WINDOWS\system32\extz1 moved successfully.
< C:\WINDOWS\system32\comm7 >
C:\WINDOWS\system32\comm7 moved successfully.
< C:\WINDOWS\system32\nGpxx01 >
C:\WINDOWS\system32\nGpxx01 moved successfully.

OTMoveIt2 v1.0.19 log created on 02122008_141923
 
Hi

Open HijackThis, click do a system scan only and checkmark this:

O20 - Winlogon Notify: gluwawih - gluwawih.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
 
sorry for the delay

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 11:06:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565273
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36832
Number of viruses found: 23
Number of infected objects: 96
Number of suspicious objects: 2
Duration of the scan process: 01:56:27

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D28281B4-6F1D-4BBA-83BE-A5A0DF564AF3}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User1\Local Settings\Temp\Perflib_Perfdata_280.dat Object is locked skipped
C:\Documents and Settings\User1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User1\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_User1.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_User1.log Object is locked skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353038.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353061.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP610\A0353062.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP613\A0356073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP613\A0358073.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358127.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358128.exe Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358130.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358131.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358133.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358134.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358135.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358136.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358137.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358143.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358151.EXE Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358155.SYS Infected: Rootkit.Win32.Agent.to skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0358228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP617\A0359228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP620\change.log Object is locked skipped
C:\System Volume Information\_restore{47597587-21DB-4D2B-B644-2809A8848C80}\RP609\A0353011.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\_OTMoveIt\MovedFiles\02122008_141923\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\FOUND.032\FILE0002.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\FOUND.032\FILE0009.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\FOUND.032\FILE0010.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\FOUND.032\FILE0041.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.032\FILE0042.CHK Infected: not-a-virus:AdWare.Win32.Virtumonde.edz skipped
C:\FOUND.033\FILE0003.CHK Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\avifnipw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\axwsihiy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\bhhnilxo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\dderjopx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\dsammlol.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\efeby.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\VundoFix Backups\fnbrgrgg.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ftqrhmbn.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\fynlilnq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\fytqhchs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ghtwtdpr.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\VundoFix Backups\ivybysbg.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\jukwksej.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\khfcyvv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\kmlxdojw.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\nqselevc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\ogdviytl.exe.bad Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\VundoFix Backups\omyrgoma.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\VundoFix Backups\pmnkhge.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\VundoFix Backups\pqcwyyns.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qjfpfghq.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\sjrakldj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\uxjlgebs.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xivpvcai.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\yxhamrvb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.hql skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\sfloppyy.sys.vir Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ivybysbg.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcyyy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnkhge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dxb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yrevbmql.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aihapehh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bpcnpcem.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\doxoovgr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\grcfbdif.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gwokbyof.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hcbnjlxe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hdoxrvyf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\inifpsav.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\khiclxnc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kiolqdni.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\quttuurw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqqaslm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xufwifou.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xwnvcnpx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ymdfkwaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\windows.vir Infected: Trojan.Win32.Zapchast.dt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pagyihbo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.edq skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\MANTEC~1\nоtepad.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\Program Files\Insider\Insider.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.a skipped
C:\QooBox\Quarantine\C\Documents and Settings\User1\Application Data\YSTEM~1\wucrtupd.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/mljgfdd.dll Infected: Trojan.Win32.BHO.auf skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/pagyihbo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip/pmkif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-09_143836.72.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\catchme2008-02-11_132651.15.zip/pagyihbo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-02-11_132651.15.zip ZIP: infected - 1 skipped

Scan process completed.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:00 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\msbhelp.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Franklin Covey\Planner\PalmOS\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6448 bytes
 
Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\_OTMoveIt\MovedFiles\
C:\VundoFix Backups\
C:\QooBox\Quarantine

Delete these:

C:\FOUND.032\FILE0002.CHK
C:\FOUND.032\FILE0009.CHK
C:\FOUND.032\FILE0010.CHK
C:\FOUND.032\FILE0041.CHK
C:\FOUND.032\FILE0042.CHK
C:\FOUND.033\FILE0003.CHK

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
 
You must log in or register to reply here.
Back
Top