Please help... Vundo?

I hope I have done all the steps properly. Here is the HJT log; the online scan log will follow in the next post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:23 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9918 bytes
 
Post #2: online scan results

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 20, 2007 3:41:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 20/09/2007
Kaspersky Anti-Virus database records: 421290
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 124531
Number of viruses found: 6
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 02:50:23

Infected Object Name / Virus Name / Last Action
C:\temp\Perflib_Perfdata_d5c.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\REPOSITORY\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\lhrhmwql.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\lgcgyflu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\fkgxxrot.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\qomkjhe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\SYSTEM32\vbadejsc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\rvtmketk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\siemknvj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\cxlmuhdq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\vgeflump.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\xxqcoqkc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\msobaobl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\yamcautw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\lcyxbjtl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\hcufnybl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\dolvrtcm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\vwvekjlj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\xujkwxrq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\uvwkwfds.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\fjwoeagv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\bxromcey.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\wxoaowyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\matfsbio.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\whkieyxg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\lnyxocxh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\wmvblhyp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\nnundxdm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\fvlpvfwp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\WINDOWS\SYSTEM32\vxivehta.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\iksfvxpo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\qnvafkif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\WINDOWS\SYSTEM32\BTIEIN.DLL_tobedeleted_old Infected: Trojan-Downloader.Win32.QDown.ad skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{82C2A490-1EDF-4421-AC00-EB2222DA4BB6}.bin Object is locked skipped
C:\WINDOWS\debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\minigolf_affiliate.exe/data0002 Infected: not-a-virus:AdWare.Win32.WinFetcher.d skipped
C:\WINDOWS\minigolf_affiliate.exe/data0004 Infected: not-a-virus:AdWare.Win32.WinFetcher.d skipped
C:\WINDOWS\minigolf_affiliate.exe NSIS: infected - 2 skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-09-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\55215C35.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Gateway User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gateway User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Local Settings\History\History.IE5\MSHist012007092020070921\index.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Local Settings\Temporary Internet Files\Content.IE5\KRQ729E1\asdfasd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\Documents and Settings\Gateway User\Local Settings\Temporary Internet Files\Content.IE5\KJJZQ41H\kmer[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\Documents and Settings\Gateway User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gateway User\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gateway User\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Gateway User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\general\Local Settings\Temp\heowhdbd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\Documents and Settings\general\Local Settings\Temporary Internet Files\Content.IE5\8YWDFKZJ\kmer[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.md skipped
C:\Documents and Settings\general\Local Settings\Temporary Internet Files\Content.IE5\SN2FKFAL\asdfasd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mh skipped
C:\System Volume Information\_restore{27F1EDDE-0C0D-46BF-9219-F01966222D60}\RP4\change.log Object is locked skipped
C:\Recycled\Dc1.exe/SpywareBot/SpywareBot.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.a skipped
C:\Recycled\Dc1.exe 7-Zip: infected - 1 skipped
C:\Recycled\Dc1.exe UPX: infected - 1 skipped
C:\Recycled\Dc1.exe PE_Patch.UPX: infected - 1 skipped

Scan process completed.
 
Hi

Rename the HijackThis.exe file to something.exe and post a fresh HJT log.
 
New HJT log

Hello and thank you for your assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:21 AM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\cwjvlkbu.dll",sitypnow
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10102 bytes
 
Another new HJT log...

I made a mistake with the previous post. I realized that I only renamed the shortcut icon on the desktop and not the executable file itself. I've renamed the executable file and re-ran it to produce the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:36 AM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9BB8DFF7-29DD-482D-AB98-092DA2EAD221} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\qomkjhe.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\weiegbib.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\qysyhlrv.dll",sitypnow
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O20 - Winlogon Notify: qomkjhe - C:\WINDOWS\SYSTEM32\qomkjhe.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11214 bytes

Once again, thank you for your assistance!!
 
Hi again

1. Download this file - combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
 
cf log

Requested log:

ComboFix 07-09-21.2 - "Gateway User" 2007-09-22 10:50:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.164 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\fse
C:\WINDOWS\cookies.ini
C:\WINDOWS\DOWNLO~1.\temp
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\SYSTEM32\adadwcpx.ini
C:\WINDOWS\system32\arxkghmm.dll
C:\WINDOWS\system32\bedrrgdl.dll
C:\WINDOWS\system32\bkwljutt.dll
C:\WINDOWS\system32\bxromcey.dll
C:\WINDOWS\system32\cjmnnceh.dll
C:\WINDOWS\SYSTEM32\ckqocqxx.ini
C:\WINDOWS\SYSTEM32\csjedabv.ini
C:\WINDOWS\system32\cxlmuhdq.dll
C:\WINDOWS\system32\dolvrtcm.dll
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\fjgettep.dll
C:\WINDOWS\system32\fjwoeagv.dll
C:\WINDOWS\system32\fkgxxrot.dll
C:\WINDOWS\system32\fvlpvfwp.dll
C:\WINDOWS\SYSTEM32\gxyeikhw.ini
C:\WINDOWS\system32\hcufnybl.dll
C:\WINDOWS\system32\heqgvfwd.dll
C:\WINDOWS\system32\hhfapvhd.dll
C:\WINDOWS\system32\hpbqmaiy.dll
C:\WINDOWS\system32\huhjntti.dll
C:\WINDOWS\system32\iksfvxpo.dll
C:\WINDOWS\system32\iskxbejt.dll
C:\WINDOWS\SYSTEM32\jljkevwv.ini
C:\WINDOWS\system32\lcyxbjtl.dll
C:\WINDOWS\system32\lgcgyflu.dll
C:\WINDOWS\system32\lhrhmwql.dll
C:\WINDOWS\system32\llclrdie.dll
C:\WINDOWS\system32\lnyxocxh.dll
C:\WINDOWS\system32\matfsbio.dll
C:\WINDOWS\SYSTEM32\mdxdnunn.ini
C:\WINDOWS\system32\mkhpvbbs.dll
C:\WINDOWS\system32\msobaobl.dll
C:\WINDOWS\system32\msrbwotx.dll
C:\WINDOWS\system32\nnundxdm.dll
C:\WINDOWS\SYSTEM32\oibsftam.ini
C:\WINDOWS\SYSTEM32\pettegjf.ini
C:\WINDOWS\SYSTEM32\pwfvplvf.ini
C:\WINDOWS\SYSTEM32\pyhlbvmw.ini
C:\WINDOWS\system32\qacuhsqy.dll
C:\WINDOWS\system32\qeatnqdw.dll
C:\WINDOWS\system32\qmflvsuq.dll
C:\WINDOWS\system32\qnvafkif.dll
C:\WINDOWS\system32\qomkjhe.dll
C:\WINDOWS\system32\qtwtaowo.dll
C:\WINDOWS\system32\qysyhlrv.dll
C:\WINDOWS\system32\ruttvguo.dll
C:\WINDOWS\system32\rvtmketk.dll
C:\WINDOWS\SYSTEM32\sdfwkwvu.ini
C:\WINDOWS\system32\siemknvj.dll
C:\WINDOWS\system32\uvwkwfds.dll
C:\WINDOWS\system32\vbadejsc.dll
C:\WINDOWS\system32\vgeflump.dll
C:\WINDOWS\SYSTEM32\vrlhysyq.ini
C:\WINDOWS\system32\vwvekjlj.dll
C:\WINDOWS\system32\vxivehta.dll
C:\WINDOWS\system32\weiegbib.dll
C:\WINDOWS\system32\whkieyxg.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wjjnhyae.dll
C:\WINDOWS\system32\wmvblhyp.dll
C:\WINDOWS\system32\wxoaowyw.dll
C:\WINDOWS\SYSTEM32\wywoaoxw.ini
C:\WINDOWS\system32\xpcwdada.dll
C:\WINDOWS\system32\xujkwxrq.dll
C:\WINDOWS\system32\xxqcoqkc.dll
C:\WINDOWS\system32\yamcautw.dll
C:\WINDOWS\SYSTEM32\yecmorxb.ini

.
((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-22 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 08:03 11,840 --a------ C:\WINDOWS\SYSTEM32\ayrcwyob.dll
2007-09-20 17:36 11,840 --a------ C:\WINDOWS\SYSTEM32\faaijpyt.dll
2007-09-20 17:26 11,840 --a------ C:\WINDOWS\SYSTEM32\mmfmknta.dll
2007-09-20 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-20 16:08 <DIR> d-------- C:\WINDOWS\pss
2007-09-20 13:14 11,840 --a------ C:\WINDOWS\SYSTEM32\lwwxebvi.dll
2007-09-20 12:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-20 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 16:00 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-08-29 15:59 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\WholeSecurity
2007-08-28 14:41 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-27 21:16 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-26 19:23 <DIR> d--hs---- C:\FOUND.000
2007-08-26 08:29 16,384 --a------ C:\temp\Perflib_Perfdata_d08.dat
2007-08-26 01:02 2,193,958 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.ini2
2007-08-24 09:44 2,196,561 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak2
2007-08-23 12:04 297,568 --------- C:\WINDOWS\SYSTEM32\fcyyy.dll
2007-08-23 12:04 1,821,833 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 14:42 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-27 21:22 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-27 21:22 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-27 21:22 48776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-27 21:22 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 03:06 --------- d-------- C:\Program Files\MSXML 6.0
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2000-09-29 18:58 271 ---hs---- C:\Program Files\desktop.ini
2000-09-29 18:58 23357 ---h----- C:\Program Files\folder.htt
2000-06-08 10:00 41520 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\CCPORT.SYS
2000-06-08 10:00 22208 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\usbser.sys
2006-04-20 01:18:02 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-04-20 01:17:58 104 --sh--r C:\WINDOWS\SYSTEM32\AAEC8C6ADD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AF61A55-3C23-4032-B7E8-4EF6275FCCC2}]
2007-08-23 12:04 297568 --------- C:\WINDOWS\system32\fcyyy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Norton eMail Protect"="C:\Program Files\Norton AntiVirus\POPROXY.EXE" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]
"FolderView"="C:\WINDOWS\system32\wxoakmwf.dll" [2007-09-22 11:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]
C:\WINDOWS\system32\fcyyy.dll 2007-08-23 12:04 297568 C:\WINDOWS\SYSTEM32\fcyyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"Norton eMail Protect"=C:\Program Files\Norton AntiVirus\POPROXY.EXE
"SandIcon"=C:\ImageMate CompactFlash USB\SandIcon.Exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"PP6100b"=C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
"nwiz"=nwiz.exe /install
"USB SECURITY DEVICE CoInstaller"=JupitCo.exe
"Zone Labs Client"=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-08-05 06:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-09-22 17:55:44 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-08-25 03:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job"
- C:\Program Files\Norton AntiVirus\NAVW32.EXE
"2007-08-23 08:00:02 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2007-08-01 07:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
"2007-08-24 21:12:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-28 04:31:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Gateway User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 11:00:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-22 11:04:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-22 11:04
.
--- E O F ---
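The second HijackThis log and the ComboFix listing above show the same two signals: unnamed O2 BHO and O20 Winlogon Notify entries loading short, all-lowercase, random-looking DLLs from system32 (fcyyy.dll, qomkjhe.dll), an O4 Run entry calling rundll32 on another such DLL with a random export (qysyhlrv.dll,sitypnow), and, in the ComboFix "Other Deletions" and "Files Created" sections, .ini/.bak files whose base name is one of those DLL names spelled backwards (yyycf.ini2 and yyycf.bak1 beside fcyyy.dll, vrlhysyq.ini beside qysyhlrv.dll, adadwcpx.ini beside xpcwdada.dll). The script below is an added example, not part of this thread and not code from HijackThis or ComboFix; it pulls both signals out of pasted log text. Its sample input is a handful of lines copied from the logs on this page, and the name-shape heuristic (5-8 lowercase letters) is this example's own choice, which also matches some legitimate DLLs such as urlmon.dll, so the reversed-name companion is the check to trust.

```python
"""Triage helper for HijackThis (HJT) and ComboFix output like the logs above.

Added example; it is not part of this thread and not code from either tool.
It embeds a few lines copied from the logs on this page and reports:
  * HJT O2 (BHO), O4 (Run) and O20 (Winlogon Notify) entries whose target is
    a DLL in system32 with a short, all-lowercase, random-looking name; and
  * for each DLL in a ComboFix file listing, companion .ini/.bak files whose
    base name is the DLL name spelled backwards (fcyyy.dll <-> yyycf.ini2).
The name-shape heuristic (5-8 lowercase letters) is this example's own choice
and also matches some legitimate DLLs (urlmon.dll), so treat it as a prompt
to look closer; the reversed-name companion is the stronger signal.
"""
import re

# Constructed sample input: lines copied verbatim from the HJT log above.
HJT_LINES = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {9BB8DFF7-29DD-482D-AB98-092DA2EAD221} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\qomkjhe.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\qysyhlrv.dll",sitypnow
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O20 - Winlogon Notify: qomkjhe - C:\WINDOWS\SYSTEM32\qomkjhe.dll
"""

# Constructed sample input: paths copied from the ComboFix log above.
COMBOFIX_FILES = r"""
C:\WINDOWS\SYSTEM32\adadwcpx.ini
C:\WINDOWS\system32\xpcwdada.dll
C:\WINDOWS\SYSTEM32\vrlhysyq.ini
C:\WINDOWS\system32\qysyhlrv.dll
C:\WINDOWS\SYSTEM32\fcyyy.dll
C:\WINDOWS\SYSTEM32\yyycf.ini2
C:\WINDOWS\SYSTEM32\yyycf.bak1
C:\WINDOWS\system32\drivers\SYMEVENT.SYS
"""

# A DLL path under <drive>:\WINDOWS\system32 (case-insensitive); group 1 is the base name.
SYS32_DLL = re.compile(r'[a-z]:\\windows\\system32\\([a-z0-9_]+)\.dll', re.I)
# Extension of a companion file: .ini/.bak, optionally numbered (.ini2, .bak1).
COMPANION_EXT = re.compile(r'(ini|bak)\d*', re.I)


def looks_random(name: str) -> bool:
    """Heuristic chosen for this example: 5-8 ASCII letters, all lowercase."""
    return 5 <= len(name) <= 8 and name.isascii() and name.isalpha() and name.islower()


def suspicious_hjt_entries(log: str) -> list:
    """(section, dll base name) for O2/O4/O20 lines that load a random-looking system32 DLL."""
    hits = []
    for line in log.splitlines():
        section = line.split(' - ', 1)[0].strip()
        if section not in ('O2', 'O4', 'O20'):
            continue
        m = SYS32_DLL.search(line)
        if m and looks_random(m.group(1)):
            hits.append((section, m.group(1)))
    return hits


def reversed_companions(file_list: str) -> dict:
    """Map 'name.dll' -> companion .ini/.bak files whose base name is 'name' reversed."""
    dlls, candidates = set(), []
    for path in file_list.splitlines():
        base = path.strip().rsplit('\\', 1)[-1]
        stem, _, ext = base.rpartition('.')
        if not stem:
            continue
        if ext.lower() == 'dll':
            dlls.add(stem.lower())
        elif COMPANION_EXT.fullmatch(ext):
            candidates.append((stem.lower(), base))
    pairs = {}
    for stem, base in candidates:
        if stem[::-1] in dlls:
            pairs.setdefault(stem[::-1] + '.dll', []).append(base)
    return pairs


def triage(hjt_log: str, file_list: str) -> list:
    """Join both signals: one record per flagged DLL with its load hooks and companions."""
    pairs = reversed_companions(file_list)
    hooks = {}
    for section, name in suspicious_hjt_entries(hjt_log):
        hooks.setdefault(name.lower(), set()).add(section)
    return [{'dll': n + '.dll', 'hooks': sorted(hooks[n]), 'companions': pairs.get(n + '.dll', [])}
            for n in sorted(hooks)]


if __name__ == '__main__':
    for rec in triage(HJT_LINES, COMBOFIX_FILES):
        print(f"{rec['dll']:14} loaded via {','.join(rec['hooks']):8} companions: {rec['companions'] or '-'}")
```

Run against the embedded sample it reports fcyyy.dll (O2 and O20, two companions), qomkjhe.dll (O2 and O20, no companion in the sample) and qysyhlrv.dll (O4, one companion); the NvCpl, yt.dll and ssv.dll entries are not flagged because they are either mixed-case or outside system32. A DLL flagged only by the name heuristic and with no reversed-name companion, like qomkjhe.dll here, still needs a look at the file itself (signature, timestamp, what ComboFix deleted) before deciding.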
 
hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:55 AM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4AF61A55-3C23-4032-B7E8-4EF6275FCCC2} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\eaobxtiy.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\ixxcxyno.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10405 bytes
 
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run ATF yet. Will do it a bit later.


Start hjt, click do a system scan only, check:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\eaobxtiy.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-08F6C4A0AEB6} - C:\WINDOWS\system32\ixxcxyno.dll
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)

Close browsers and other windows. Click fix checked.


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Files::
C:\WINDOWS\SYSTEM32\ayrcwyob.dll
C:\WINDOWS\SYSTEM32\faaijpyt.dll
C:\WINDOWS\SYSTEM32\mmfmknta.dll
C:\WINDOWS\SYSTEM32\lwwxebvi.dll
C:\WINDOWS\SYSTEM32\yyycf.ini2
C:\WINDOWS\SYSTEM32\yyycf.bak2
C:\WINDOWS\SYSTEM32\fcyyy.dll
C:\WINDOWS\SYSTEM32\yyycf.bak1
C:\WINDOWS\system32\wxoakmwf.dll
C:\WINDOWS\system32\eaobxtiy.dll
C:\WINDOWS\system32\ixxcxyno.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AF61A55-3C23-4032-B7E8-4EF6275FCCC2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FolderView"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]


Save this as CFScript

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Don't select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you have hit the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.


Post
-AVG Anti-Spyware log
-a fresh HJT log.
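As an added, defender-side example that is not from this thread or from HijackThis: a small Python triage script that applies the same reasoning the helper used to pick the entries above (nameless BHOs loaded from system32, a Winlogon Notify package outside the XP default set, an O18 handler with no file, an ActiveX download from an unfamiliar host, a rundll32 Run entry loading an unknown system32 DLL) to lines copied from this thread's logs, then correlates DLLs hooked from more than one autostart point. The three allowlists are assumptions built from this thread's logs and the XP SP2 defaults, not data shipped with HijackThis.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis logs in this thread,
# mixed with known-good entries from the same logs as negatives.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {4AF61A55-3C23-4032-B7E8-4EF6275FCCC2} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\eaobxtiy.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\tndkolma.dll",sitypnow
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
"""

# Assumed allowlists (not HijackThis data): the default Winlogon\Notify subkeys
# of XP SP2, the ActiveX download hosts seen in this thread's logs, and the DLLs
# this log legitimately launches through rundll32.
WINLOGON_NOTIFY_DEFAULT = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                           "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com", "www.kaspersky.com",
                     "security.symantec.com", "www-secure.symantec.com"}
KNOWN_RUNDLL_DLLS = {"nvcpl", "nvmctray", "migrate"}

SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)
WIN_PATH = re.compile(r'"?([A-Za-z]:\\[^",]+)"?')


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    target: str    # DLL path, download URL or protocol name
    reason: str


def stem(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def check_line(line: str):
    """Apply the per-section rules to one HijackThis line; None if nothing is suspicious."""
    m = re.match(r"^(O\d+) - ([^:]+): (.*)$", line.strip())
    if not m:
        return None
    section, _kind, rest = m.groups()
    if section == "O2":                      # BHO: <name> - {CLSID} - <path>
        name, _clsid, path = rest.split(" - ", 2)
        if name == "(no name)" and SYSTEM32_DLL.match(path):
            return Finding(section, path, "nameless BHO loaded from system32")
    elif section == "O4" and "rundll32" in rest.lower():
        pm = WIN_PATH.search(rest)           # the DLL handed to rundll32
        if pm and SYSTEM32_DLL.match(pm.group(1)) and stem(pm.group(1)) not in KNOWN_RUNDLL_DLLS:
            return Finding(section, pm.group(1), "Run key loads unknown system32 DLL via rundll32")
    elif section == "O16":                   # DPF: {CLSID} (name) - <url>
        url = rest.rsplit(" - ", 1)[-1]
        host = urlsplit(url).hostname
        if host and host not in TRUSTED_DPF_HOSTS:
            return Finding(section, url, f"ActiveX download from untrusted host {host}")
    elif section == "O18" and rest.endswith("(no file)"):
        return Finding(section, rest.split(" - ", 1)[0], "protocol handler points at a missing file")
    elif section == "O20":                   # Winlogon Notify: <subkey> - <path>
        subkey, path = rest.split(" - ", 1)
        if subkey.lower() not in WINLOGON_NOTIFY_DEFAULT:
            return Finding(section, path, f"non-default Winlogon Notify package '{subkey}'")
    return None


def triage(log_text: str) -> list:
    """Run every rule over a HijackThis log and return the findings in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        f = check_line(line)
        if f:
            findings.append(f)
    return findings


def correlate(findings) -> dict:
    """Targets hooked from more than one autostart section (the pattern in this
    thread: one DLL registered both as a BHO and as a Winlogon Notify package)."""
    by_target = defaultdict(set)
    for f in findings:
        by_target[f.target.lower()].add(f.section)
    return {t: sorted(s) for t, s in by_target.items() if len(s) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:4} {f.reason:55} {f.target}")
    for target, sections in correlate(hits).items():
        print(f"multi-hook: {target} <- {', '.join(sections)}")
```

The rules deliberately use structural signals (where a DLL lives and which hooks load it) rather than the random-looking filenames, since those change between the two logs in this thread.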
 
Newest Logs per request

ComboFix 07-09-21.2 - "Gateway User" 2007-09-22 14:19:53.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.126 [GMT -7:00]
Command switches used :: C:\Documents and Settings\Gateway User\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\axikefjc.ini
C:\WINDOWS\system32\cjfekixa.dll
C:\WINDOWS\SYSTEM32\fwmkaoxw.ini
C:\WINDOWS\system32\ixxcxyno.dll
C:\WINDOWS\system32\wxoakmwf.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
.

2007-09-22 14:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-22 11:08 11,840 --a------ C:\WINDOWS\SYSTEM32\eaobxtiy.dll
2007-09-22 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 08:03 11,840 --a------ C:\WINDOWS\SYSTEM32\ayrcwyob.dll
2007-09-20 17:36 11,840 --a------ C:\WINDOWS\SYSTEM32\faaijpyt.dll
2007-09-20 17:26 11,840 --a------ C:\WINDOWS\SYSTEM32\mmfmknta.dll
2007-09-20 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-20 16:08 <DIR> d-------- C:\WINDOWS\pss
2007-09-20 13:14 11,840 --a------ C:\WINDOWS\SYSTEM32\lwwxebvi.dll
2007-09-20 12:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-20 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 16:00 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-08-29 15:59 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\WholeSecurity
2007-08-28 14:41 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-27 21:16 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-26 19:23 <DIR> d--hs---- C:\FOUND.000
2007-08-26 01:02 2,193,958 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.ini2
2007-08-24 09:44 2,196,561 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak2
2007-08-23 12:04 297,568 --------- C:\WINDOWS\SYSTEM32\fcyyy.dll
2007-08-23 12:04 1,821,833 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 14:42 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-27 21:22 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-27 21:22 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-27 21:22 48776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-27 21:22 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 03:06 --------- d-------- C:\Program Files\MSXML 6.0
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2000-09-29 18:58 271 ---hs---- C:\Program Files\desktop.ini
2000-09-29 18:58 23357 ---h----- C:\Program Files\folder.htt
2000-06-08 10:00 41520 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\CCPORT.SYS
2000-06-08 10:00 22208 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\usbser.sys
2006-04-20 01:18:02 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-04-20 01:17:58 104 --sh--r C:\WINDOWS\SYSTEM32\AAEC8C6ADD.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-22_110251.08 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-22 21:27:28 C:\WINDOWS\TEMP\Perflib_Perfdata_66c.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D39D78C-7928-419C-9BD7-4DFD5777A2EF}]
2007-08-23 12:04 297568 --------- C:\WINDOWS\system32\fcyyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}]
2007-09-22 14:29 70208 --a------ C:\WINDOWS\system32\gjpilpny.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Norton eMail Protect"="C:\Program Files\Norton AntiVirus\POPROXY.EXE" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]
C:\WINDOWS\system32\fcyyy.dll 2007-08-23 12:04 297568 C:\WINDOWS\SYSTEM32\fcyyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"Norton eMail Protect"=C:\Program Files\Norton AntiVirus\POPROXY.EXE
"SandIcon"=C:\ImageMate CompactFlash USB\SandIcon.Exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"PP6100b"=C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
"nwiz"=nwiz.exe /install
"USB SECURITY DEVICE CoInstaller"=JupitCo.exe
"Zone Labs Client"=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS

*Newly Created Service* - AVGASCLN
*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-08-05 06:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-09-22 21:24:38 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-08-25 03:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job"
- C:\Program Files\Norton AntiVirus\NAVW32.EXE
"2007-08-23 08:00:02 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2007-08-01 07:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
"2007-08-24 21:12:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-28 04:31:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Gateway User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-22 14:27:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-22 14:31:53 - machine was rebooted
C:\ComboFix2.txt ... 2007-09-22 11:04
C:\ComboFix-quarantined-files.txt ... 2007-09-22 14:31
.
--- E O F ---
 
AVG log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:43:06 PM 9/22/2007

+ Scan result:



HKLM\SOFTWARE\WildMedia -> Adware.MidAddle : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WildMedia\LicenseStores -> Adware.MidAddle : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\BTIEIN.DLL_tobedeleted_old -> Downloader.QDown.ad : Cleaned with backup (quarantined).


::Report end
 
HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:33 PM, on 9/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {2D39D78C-7928-419C-9BD7-4DFD5777A2EF} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\qvjrjaoe.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\tndkolma.dll",sitypnow
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10273 bytes
 
Open notepad and copy/paste the text in the quotebox below into it:

Code:
Files::
C:\WINDOWS\system32\eaobxtiy.dll
C:\WINDOWS\SYSTEM32\ayrcwyob.dll
C:\WINDOWS\SYSTEM32\faaijpyt.dll
C:\WINDOWS\SYSTEM32\mmfmknta.dll
C:\WINDOWS\SYSTEM32\lwwxebvi.dll
C:\WINDOWS\SYSTEM32\yyycf.ini2
C:\WINDOWS\SYSTEM32\yyycf.bak2
C:\WINDOWS\SYSTEM32\fcyyy.dll
C:\WINDOWS\SYSTEM32\yyycf.bak1
C:\WINDOWS\system32\gjpilpny.dll
C:\WINDOWS\system32\qvjrjaoe.dll
C:\WINDOWS\system32\tndkolma.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D39D78C-7928-419C-9BD7-4DFD5777A2EF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FolderView"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]


Save this as CFScript

[image: CFScript.gif]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log with a fresh hjt log.
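Added example, not part of this thread and not code from ComboFix or HijackThis: the script below automates the two checks the helper is doing by eye. In this thread's logs each Vundo DLL has companion data files whose name is the DLL's name spelled backwards (fcyyy.dll next to yyycf.ini2/.bak1/.bak2, cyjkfjbc.dll next to cbjfkjyc.ini, tndkolma.dll next to amlokdnt.ini), and the same DLL is registered both as a nameless BHO (O2) and as a Winlogon Notify package (O20). The script parses a few constructed HijackThis lines and a constructed system32 file list lifted from the logs above, flags DLLs with either trait, and prints them in the Files:: / Registry:: layout the helper used. The heuristics, function names and the `~` shorthand in the Registry:: keys are taken from what is visible in this thread, not from any ComboFix documentation.

```python
import re
from typing import Dict, List

# Constructed sample input: HijackThis lines copied from this thread, with one
# benign BHO and one benign Run entry kept as controls.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9B527323-064D-4A2C-A7DD-40D4B39454D2} - C:\WINDOWS\system32\fcyyy.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\cyjkfjbc.dll",sitypnow
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
"""

# Constructed sample: system32 file names as they appear in the thread's ComboFix output.
SAMPLE_SYSTEM32 = [
    "fcyyy.dll", "yyycf.ini2", "yyycf.bak1", "yyycf.bak2",
    "cyjkfjbc.dll", "cbjfkjyc.ini", "tndkolma.dll", "amlokdnt.ini",
    "NvCpl.dll", "nwiz.exe",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_hjt(text: str) -> List[dict]:
    """Turn O2 / O4 / O20 lines into dicts; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
        elif m := O4_RE.match(line):
            d = RUNDLL_RE.match(m["cmd"])          # only rundll32-hosted DLLs carry a path
            entries.append({"kind": "O4", "hive": m["hive"], "name": m["name"],
                            "path": d["dll"] if d else None})
        elif m := O20_RE.match(line):
            entries.append({"kind": "O20", "name": m["name"], "path": m["path"]})
    return entries


def reversed_name_pairs(files: List[str]) -> Dict[str, List[str]]:
    """Map each DLL to sibling files whose stem is the DLL's stem spelled backwards."""
    by_stem: Dict[str, List[str]] = {}
    for f in files:
        by_stem.setdefault(f.rsplit(".", 1)[0].lower(), []).append(f)
    pairs = {}
    for f in files:
        mirror = f.rsplit(".", 1)[0].lower()[::-1]
        if f.lower().endswith(".dll") and mirror in by_stem:
            pairs[f] = sorted(by_stem[mirror])
    return pairs


def find_indicators(entries: List[dict], system32_files: List[str]) -> List[dict]:
    """Flag load points whose DLL shows either of the two traits visible in this thread."""
    pairs = {k.lower(): v for k, v in reversed_name_pairs(system32_files).items()}
    kinds_by_dll: Dict[str, set] = {}
    for e in entries:
        if e["path"]:
            kinds_by_dll.setdefault(basename(e["path"]).lower(), set()).add(e["kind"])
    flagged = []
    for e in entries:
        if not e["path"]:
            continue
        dll = basename(e["path"])
        reasons = []
        if dll.lower() in pairs:
            reasons.append("reversed-name data files: " + ", ".join(pairs[dll.lower()]))
        if {"O2", "O20"} <= kinds_by_dll[dll.lower()]:
            reasons.append("same DLL registered as BHO and as Winlogon Notify package")
        if reasons:
            flagged.append({**e, "dll": dll, "reasons": reasons,
                            "data_files": pairs.get(dll.lower(), [])})
    return flagged


def build_cfscript(flagged: List[dict], system32: str = r"C:\WINDOWS\system32") -> str:
    """Emit the Files:: / Registry:: layout the helper used (ComboFix's '~' shorthand kept)."""
    files, reg, seen = [], [], set()
    for f in flagged:
        for name in [f["dll"], *f["data_files"]]:
            if name.lower() not in seen:
                seen.add(name.lower())
                files.append(f"{system32}\\{name}")
        if f["kind"] == "O2":
            reg.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f['clsid']}}}]")
        elif f["kind"] == "O4":
            hive = "HKEY_LOCAL_MACHINE" if f["hive"] == "HKLM" else "HKEY_CURRENT_USER"
            reg.append(f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n\"{f['name']}\"=-")
        elif f["kind"] == "O20":
            reg.append("[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt"
                       f"\\currentversion\\winlogon\\notify\\{f['name']}]")
    return "Files::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n\n".join(reg) + "\n"


if __name__ == "__main__":
    hits = find_indicators(parse_hjt(SAMPLE_HJT), SAMPLE_SYSTEM32)
    for h in hits:
        print(f"{h['kind']:<4} {h['dll']:<14} {'; '.join(h['reasons'])}")
    print()
    print(build_cfscript(hits))
```

The reversed-name check is the discriminator that keeps the legitimate "(no name)" BHOs on this machine (SDHelper.dll, NppBho.dll) out of the output; the BHO-plus-Winlogon-Notify check catches the DLL even on a log where the data files have already been cleaned. Treat the generated script as a draft to review line by line before dragging it onto ComboFix, since a DLL that happens to have a reversed-name sibling would be deleted too.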
 
New CF Log

ComboFix 07-09-21.2 - "Gateway User" 2007-09-23 13:47:17.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.151 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\SYSTEM32\amlokdnt.ini
C:\WINDOWS\system32\getsrjwm.dll
C:\WINDOWS\system32\gjpilpny.dll
C:\WINDOWS\system32\ljxuxwic.dll
C:\WINDOWS\SYSTEM32\mwjrsteg.ini
C:\WINDOWS\system32\tndkolma.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-23 to 2007-09-23 )))))))))))))))))))))))))))))))
.

2007-09-23 13:56 11,840 --a------ C:\WINDOWS\SYSTEM32\klkqxqhs.dll
2007-09-23 13:44 11,840 --a------ C:\WINDOWS\SYSTEM32\lowkpywb.dll
2007-09-22 14:35 11,840 --a------ C:\WINDOWS\SYSTEM32\qvjrjaoe.dll
2007-09-22 14:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-22 11:08 11,840 --a------ C:\WINDOWS\SYSTEM32\eaobxtiy.dll
2007-09-22 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 08:03 11,840 --a------ C:\WINDOWS\SYSTEM32\ayrcwyob.dll
2007-09-20 17:36 11,840 --a------ C:\WINDOWS\SYSTEM32\faaijpyt.dll
2007-09-20 17:26 11,840 --a------ C:\WINDOWS\SYSTEM32\mmfmknta.dll
2007-09-20 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-20 16:08 <DIR> d-------- C:\WINDOWS\pss
2007-09-20 13:14 11,840 --a------ C:\WINDOWS\SYSTEM32\lwwxebvi.dll
2007-09-20 12:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-20 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 16:00 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-08-29 15:59 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\WholeSecurity
2007-08-28 14:41 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-27 21:16 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-26 19:23 <DIR> d--hs---- C:\FOUND.000
2007-08-26 01:02 2,194,085 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.ini2
2007-08-24 09:44 2,196,561 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak2
2007-08-23 12:04 297,568 --------- C:\WINDOWS\SYSTEM32\fcyyy.dll
2007-08-23 12:04 1,821,833 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 14:42 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-27 21:22 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-27 21:22 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-27 21:22 48776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-27 21:22 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-15 03:06 --------- d-------- C:\Program Files\MSXML 6.0
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2000-09-29 18:58 271 ---hs---- C:\Program Files\desktop.ini
2000-09-29 18:58 23357 ---h----- C:\Program Files\folder.htt
2000-06-08 10:00 41520 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\CCPORT.SYS
2000-06-08 10:00 22208 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\usbser.sys
2006-04-20 01:18:02 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-04-20 01:17:58 104 --sh--r C:\WINDOWS\SYSTEM32\AAEC8C6ADD.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-22_110251.08 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-23 20:55:48 C:\WINDOWS\TEMP\Perflib_Perfdata_49c.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B527323-064D-4A2C-A7DD-40D4B39454D2}]
2007-08-23 12:04 297568 --------- C:\WINDOWS\system32\fcyyy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E64F0381-0053-4842-B3E5-08F6C4A0AEB6}]
2007-09-23 13:58 70208 --a------ C:\WINDOWS\system32\qurbyswk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Norton eMail Protect"="C:\Program Files\Norton AntiVirus\POPROXY.EXE" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]
C:\WINDOWS\system32\fcyyy.dll 2007-08-23 12:04 297568 C:\WINDOWS\SYSTEM32\fcyyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"Norton eMail Protect"=C:\Program Files\Norton AntiVirus\POPROXY.EXE
"SandIcon"=C:\ImageMate CompactFlash USB\SandIcon.Exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"PP6100b"=C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
"nwiz"=nwiz.exe /install
"USB SECURITY DEVICE CoInstaller"=JupitCo.exe
"Zone Labs Client"=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-08-05 06:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-09-23 00:29:02 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-08-25 03:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job"
- C:\Program Files\Norton AntiVirus\NAVW32.EXE
"2007-08-23 08:00:02 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2007-08-01 07:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
"2007-08-24 21:12:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-28 04:31:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Gateway User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 13:56:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-23 14:00:28 - machine was rebooted
C:\ComboFix3.txt ... 2007-09-22 11:04
C:\ComboFix2.txt ... 2007-09-22 14:31
C:\ComboFix-quarantined-files.txt ... 2007-09-23 14:00
.
--- E O F ---
 
Newest HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:18 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9B527323-064D-4A2C-A7DD-40D4B39454D2} - C:\WINDOWS\system32\fcyyy.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [FolderView] rundll32.exe "C:\WINDOWS\system32\cyjkfjbc.dll",sitypnow
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10165 bytes
 
Hi

It looks like you didn't run Combofix with that txt file as I instructed in my previous post. Could you try again, please?
 
CF log redo

Hello,

I was pretty certain that I ran the Combofix with the newest text you sent. Please pardon my mistake.

ComboFix 07-09-21.2 - "Gateway User" 2007-09-24 6:58:42.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\SYSTEM32\cbjfkjyc.ini
C:\WINDOWS\system32\cyjkfjbc.dll
C:\WINDOWS\system32\qurbyswk.dll

.
((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-23 13:56 11,840 --a------ C:\WINDOWS\SYSTEM32\klkqxqhs.dll
2007-09-23 13:44 11,840 --a------ C:\WINDOWS\SYSTEM32\lowkpywb.dll
2007-09-22 14:35 11,840 --a------ C:\WINDOWS\SYSTEM32\qvjrjaoe.dll
2007-09-22 14:06 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-09-22 11:08 11,840 --a------ C:\WINDOWS\SYSTEM32\eaobxtiy.dll
2007-09-22 10:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 08:03 11,840 --a------ C:\WINDOWS\SYSTEM32\ayrcwyob.dll
2007-09-20 17:36 11,840 --a------ C:\WINDOWS\SYSTEM32\faaijpyt.dll
2007-09-20 17:26 11,840 --a------ C:\WINDOWS\SYSTEM32\mmfmknta.dll
2007-09-20 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-20 16:08 <DIR> d-------- C:\WINDOWS\pss
2007-09-20 13:14 11,840 --a------ C:\WINDOWS\SYSTEM32\lwwxebvi.dll
2007-09-20 12:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-09-20 12:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-30 13:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-29 16:00 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-08-29 15:59 <DIR> d-------- C:\DOCUME~1\GATEWA~1\APPLIC~1\WholeSecurity
2007-08-28 14:41 <DIR> d-------- C:\Program Files\RogueRemover PRO
2007-08-27 21:16 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-26 19:23 <DIR> d--hs---- C:\FOUND.000
2007-08-26 01:02 1,826,273 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.ini2
2007-08-24 09:44 2,196,561 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 14:42 2014 -r-h----- C:\WINDOWS\system32\drivers\hosts
2007-08-27 21:22 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-27 21:22 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-27 21:22 48776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-27 21:22 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-08-24 00:05 1821833 ---hs---- C:\WINDOWS\SYSTEM32\yyycf.bak1
2007-08-23 12:04 297568 --------- C:\WINDOWS\SYSTEM32\fcyyy.dll
2007-08-15 03:06 --------- d-------- C:\Program Files\MSXML 6.0
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-07-12 16:31 765952 --a------ C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-06-27 00:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
2000-09-29 18:58 271 ---hs---- C:\Program Files\desktop.ini
2000-09-29 18:58 23357 ---h----- C:\Program Files\folder.htt
2000-06-08 10:00 41520 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\CCPORT.SYS
2000-06-08 10:00 22208 -ra------ C:\WINDOWS\inf\USB Modem Driver\98\usbser.sys
2006-04-20 01:18:02 3,766 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2006-04-20 01:17:58 104 --sh--r C:\WINDOWS\SYSTEM32\AAEC8C6ADD.sys
.

((((((((((((((((((((((((((((( snapshot_2007-09-22_110251.08 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 16,384 2007-09-24 14:06:04 C:\WINDOWS\TEMP\Perflib_Perfdata_710.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E644E54-1763-4647-9F9A-FD5A8A4634FA}]
2007-08-23 12:04 297568 --------- C:\WINDOWS\system32\fcyyy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-23 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19]
"nwiz"="nwiz.exe" [2003-07-28 14:19 C:\WINDOWS\SYSTEM32\nwiz.exe]
"Norton eMail Protect"="C:\Program Files\Norton AntiVirus\POPROXY.EXE" []
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 19:05]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-06-25 22:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Printing Migration"=rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]
C:\WINDOWS\system32\fcyyy.dll 2007-08-23 12:04 297568 C:\WINDOWS\SYSTEM32\fcyyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"Norton eMail Protect"=C:\Program Files\Norton AntiVirus\POPROXY.EXE
"SandIcon"=C:\ImageMate CompactFlash USB\SandIcon.Exe
"HP CD-Writer"=C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
"PP6100b"=C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
"nwiz"=nwiz.exe /install
"USB SECURITY DEVICE CoInstaller"=JupitCo.exe
"Zone Labs Client"=C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVMCTRAY.DLL,NvTaskbarInit

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\system32\Drivers\ICAM3D2.SYS

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-08-05 06:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-09-24 14:03:20 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
"2007-08-25 03:00:02 C:\WINDOWS\Tasks\Scan for Viruses.job"
- C:\Program Files\Norton AntiVirus\NAVW32.EXE
"2007-08-23 08:00:02 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
- C:\WINDOWS\DEFRAG.EXE
"2007-08-01 07:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
"2007-08-24 21:12:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-08-28 04:31:18 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Gateway User.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-24 07:06:31
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-24 7:10:09 - machine was rebooted
C:\ComboFix3.txt ... 2007-09-22 14:31
C:\ComboFix-quarantined-files.txt ... 2007-09-24 07:10
C:\ComboFix2.txt ... 2007-09-23 14:00
.
--- E O F ---
 
newest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:22 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {2E644E54-1763-4647-9F9A-FD5A8A4634FA} - C:\WINDOWS\system32\fcyyy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131652608388
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10010 bytes
 
Hi

I'm not sure what's wrong but still it didn't work. Maybe we'll try another method.


Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E644E54-1763-4647-9F9A-FD5A8A4634FA}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyy]

It should look like this -> [screenshot: reg.gif]


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)



* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says "Paste List of Files/Folders to be Moved", copy and paste the next part:

C:\WINDOWS\SYSTEM32\klkqxqhs.dll
C:\WINDOWS\SYSTEM32\lowkpywb.dll
C:\WINDOWS\SYSTEM32\qvjrjaoe.dll
C:\WINDOWS\SYSTEM32\eaobxtiy.dll
C:\WINDOWS\SYSTEM32\ayrcwyob.dll
C:\WINDOWS\SYSTEM32\faaijpyt.dll
C:\WINDOWS\SYSTEM32\mmfmknta.dll
C:\WINDOWS\SYSTEM32\lwwxebvi.dll
C:\WINDOWS\SYSTEM32\yyycf.ini2
C:\WINDOWS\SYSTEM32\yyycf.bak2
C:\WINDOWS\SYSTEM32\yyycf.bak1
C:\WINDOWS\SYSTEM32\fcyyy.dll


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply with a new hijackthis log.
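The two steps above (delete the BHO and Winlogon Notify keys, then move the DLL and its sidecar files) can be checked mechanically. The following is an added example written for this thread; it is not part of HijackThis, ComboFix or OTMoveIt. It parses O2/O20 lines of the shape shown in the logs above, flags a DLL that is registered as a Winlogon Notify package or as an unnamed BHO in system32 and that has reversed-name sidecar files beside it (fcyyy.dll next to yyycf.ini2/.bak1/.bak2, exactly the pattern in the ComboFix listing), and writes the REGEDIT4 text with the full key paths that ComboFix abbreviates as "~". The sample log lines and the system32 listing are constructed, and the flagging rules are heuristics chosen for this example.

```python
import re

# Constructed sample, shaped like the HijackThis O2/O20/O23 lines in this thread
# (one benign Java BHO, the two fcyyy.dll entries, and a service line the parser ignores).
SAMPLE_HJT = "\n".join([
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: (no name) - {2E644E54-1763-4647-9F9A-FD5A8A4634FA} - C:\WINDOWS\system32\fcyyy.dll",
    r"O20 - Winlogon Notify: fcyyy - C:\WINDOWS\system32\fcyyy.dll",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe",
])

# Constructed stand-in for a directory listing of system32 (file names only).
SAMPLE_SYSTEM32 = {"fcyyy.dll", "yyycf.ini2", "yyycf.bak1", "yyycf.bak2", "nvsvc32.exe", "ctfmon.exe"}

# Full registry paths that the "~" shorthand in the ComboFix output stands for.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def parse_hjt(text):
    """Return the O2 (BHO) and O20 (Winlogon Notify) entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", "name": m["key"], "clsid": None, "path": m["path"]})
    return entries


def sidecar_names(dll_basename):
    """Sidecar names a DLL of this family leaves behind: the stem reversed plus .ini/.bak suffixes."""
    stem = dll_basename.rsplit(".", 1)[0].lower()
    reversed_stem = stem[::-1]
    return {reversed_stem + "." + ext for ext in ("ini", "ini2", "bak1", "bak2")}


def triage(entries, system32_listing):
    """Flag entries that match the persistence pattern seen in this thread (heuristic)."""
    listing = {n.lower() for n in system32_listing}
    findings = []
    for e in entries:
        path = e["path"]
        base = path.rsplit("\\", 1)[-1].lower()
        in_system32 = "\\system32\\" in path.lower()
        reasons = []
        if e["kind"] == "O20" and in_system32:
            # Notify packages are loaded into winlogon.exe, so the file stays locked while Windows runs.
            reasons.append("Winlogon Notify DLL in system32")
        if e["kind"] == "O2" and e["name"] == "(no name)" and in_system32:
            reasons.append("unnamed BHO pointing into system32")
        hits = sidecar_names(base) & listing
        if hits:
            reasons.append("reversed-name sidecar files present: " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"kind": e["kind"], "path": path, "reasons": reasons})
    return findings


def reg_removal_script(entries, findings):
    """Build REGEDIT4 text that deletes the loading points of every flagged DLL."""
    flagged = {f["path"].lower() for f in findings}
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e["path"].lower() not in flagged:
            continue
        if e["kind"] == "O2":
            lines.append("[-" + BHO_KEY + "\\{" + e["clsid"] + "}]")
        else:
            lines.append("[-" + NOTIFY_KEY + "\\" + e["name"] + "]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_HJT), SAMPLE_SYSTEM32)
    for f in found:
        print(f["kind"], f["path"], "->", "; ".join(f["reasons"]))
    print(reg_removal_script(parse_hjt(SAMPLE_HJT), found))
```

The order the helper gives is the one that matters: a Notify DLL is mapped into winlogon.exe, so a move while Windows is running fails and a cleanup tool can only schedule the rename for the next boot; if the Notify key still exists at that point, winlogon loads the file again before the rename happens. Removing the loading points first and rebooting is what lets the file go.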
 
New Logs

Hello,

I did exactly as you asked and am posting the results. However, when using the MoveIt application, the log states that the file "fcyyy.dll" will be moved on reboot. I checked the subfolder after the reboot and the file still remains. :sad: I executed the entire process again with the same results. :mad: I will post both MoveIt logs and the latest HJT log.

Logs:

DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\klkqxqhs.dll
C:\WINDOWS\SYSTEM32\klkqxqhs.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\klkqxqhs.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\lowkpywb.dll
C:\WINDOWS\SYSTEM32\lowkpywb.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\lowkpywb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\qvjrjaoe.dll
C:\WINDOWS\SYSTEM32\qvjrjaoe.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\qvjrjaoe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\eaobxtiy.dll
C:\WINDOWS\SYSTEM32\eaobxtiy.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\eaobxtiy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ayrcwyob.dll
C:\WINDOWS\SYSTEM32\ayrcwyob.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ayrcwyob.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\faaijpyt.dll
C:\WINDOWS\SYSTEM32\faaijpyt.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\faaijpyt.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\mmfmknta.dll
C:\WINDOWS\SYSTEM32\mmfmknta.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\mmfmknta.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\lwwxebvi.dll
C:\WINDOWS\SYSTEM32\lwwxebvi.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\lwwxebvi.dll moved successfully.
C:\WINDOWS\SYSTEM32\yyycf.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\yyycf.bak2 moved successfully.
C:\WINDOWS\SYSTEM32\yyycf.bak1 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\fcyyy.dll
C:\WINDOWS\SYSTEM32\fcyyy.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\fcyyy.dll scheduled to be moved on reboot.

Created on 09/25/2007 11:37:49


Next Moveit log:

File/Folder C:\WINDOWS\SYSTEM32\klkqxqhs.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\lowkpywb.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\qvjrjaoe.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\eaobxtiy.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\ayrcwyob.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\faaijpyt.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\mmfmknta.dll not found.
File/Folder C:\WINDOWS\SYSTEM32\lwwxebvi.dll not found.
C:\WINDOWS\SYSTEM32\yyycf.ini2 moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\yyycf.bak2 not found.
File/Folder C:\WINDOWS\SYSTEM32\yyycf.bak1 not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\fcyyy.dll
C:\WINDOWS\SYSTEM32\fcyyy.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\fcyyy.dll scheduled to be moved on reboot.

Created on 09/25/2007 11:47:25
 