Smitfraud Help Request

[regeditnewb]

I ran spybot S&D and a bunch of spyware results came up, I selected fix problems and they were taken care of then I scanned my system again again and smitfraud came up. Thanks in advance for your help!

Here is the log from hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:32:43, on 10/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1224987278678
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1224993225546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: jqxquo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6626 bytes

 

[muuli]

Hi,

Welcome to the Safer Networking. My name is muuli. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

 

[regeditnewb]

I don't mind the wait thanks for helping me out!

 

[muuli]

Hi,

Step 1

Please produce uninstall list:

1. Open HijackThis.
2. Click on the Open the Misc Tools section button.
3. Look under System tools.
4. Click on the Open Uninstall Manager... button.
5. Click on the Save list... button.
6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
7. Notepad will open. Please post this log in your next reply.

Don't close HijackThis folder, you will need it at next step.

Step 2

Rename HijackThis.exe to regeditnewb.exe by doing the following;

• Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
• Right-click on the HijackThis.exe
• Choose from the pull-down menu; "Rename"
• And now Rename HijackThis.exe to regeditnewb.exe
• When you've renamed HijackThis, open HijackThis again.
• Take a fresh HijackThis log (click Do a system scan and save a log file)
• Post the fresh HijackThis log here.

Step 3

Please post a fresh HijackThis log and Uninstall list.

 

[regeditnewb]

I am trying to complete your step 1 but every time I click on save list, HijackThis closes. I just built this computer so there are not many files on it.

 

[regeditnewb]

Ok here is the uninstall list for step 1

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Advertisement Service
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Canon CanoScan Toolbox 4.1
forteManager
getPlus(R) for Adobe
GTOneCare
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
HP Deskjet 6900 series
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Solution Center and Imaging Support Tools 6.0
HP Update
Java 2 Runtime Environment, SE v1.4.2_15
Lock On: Modern Air Combat
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Protection Service
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Live OneCare Resources v2.5.2900.15
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.15
Microsoft Windows OneCare Live v2.5.2900.15 Idcrl Install
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
neroxml
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PX Engine
Rail Simulator
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
System Requirements Lab
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VLC media player 0.9.4
Watchtower Library 2007 - English
Windows Internet Explorer 7
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver

and here is the step 2 log file and uninstall list

THis is the regeditnewb.exe log file for step 2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:28, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\regeditnewb.exe.exe

O2 - BHO: (no name) - {2852626D-C7FF-4619-A0AB-CCFC086D2718} - C:\WINDOWS\system32\ddcCtSIX.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\awttrspq.dll
O2 - BHO: (no name) - {9EF38382-E2EE-47D8-84B1-F84167811437} - (no file)
O2 - BHO: (no name) - {B4431AAB-4C67-4066-81BF-4A6C20CB558C} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1224987278678
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1224993225546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: jqxquo.dll bbkpaw.dll
O20 - Winlogon Notify: awttrspq - C:\WINDOWS\SYSTEM32\awttrspq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7152 bytes

and the uninstall list again

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player
Advertisement Service
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Canon CanoScan Toolbox 4.1
forteManager
getPlus(R) for Adobe
GTOneCare
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
HP Deskjet 6900 series
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Photosmart Essential
HP Photosmart Premier Software 6.0
HP Solution Center and Imaging Support Tools 6.0
HP Update
Java 2 Runtime Environment, SE v1.4.2_15
Lock On: Modern Air Combat
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Protection Service
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Live OneCare Resources v2.5.2900.15
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.15
Microsoft Windows OneCare Live v2.5.2900.15 Idcrl Install
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
Nero 7 Essentials
neroxml
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PX Engine
Rail Simulator
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Soft Data Fax Modem with SmartCP
Spybot - Search & Destroy
System Requirements Lab
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VLC media player 0.9.4
Watchtower Library 2007 - English
Windows Internet Explorer 7
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver

 

[muuli]

Hi,

Step 1

1. Right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
5. On the left hand side, click on Tools.
6. Check (tick) this box if it is not yet ticked: Resident.
7. You will notice that Resident is now added under Tools. Click on Resident.
8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
9. Exit Spybot Search & Destroy.
10. Restart your computer for the changes to take effect.

Step 2

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Step 3

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

 

[regeditnewb]

This is the Combofix log

ComboFix 08-11-01.01 - Durgut 2008-11-01 20:36:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1560 [GMT -4:00]
Running from: C:\Documents and Settings\Durgut\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Durgut\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\awttrspq.dll
C:\WINDOWS\system32\bbkpaw.dll
C:\WINDOWS\system32\beguuneu.exe
C:\WINDOWS\system32\ddcCtSIX.dll
C:\WINDOWS\system32\fccbaxuT.dll
C:\WINDOWS\system32\fkqruamb.dll
C:\WINDOWS\system32\ifjpvjsl.ini
C:\WINDOWS\system32\jobioybp.dll
C:\WINDOWS\system32\jpdpyexy.dll
C:\WINDOWS\system32\jqxquo.dll
C:\WINDOWS\system32\lglfkpks.dll
C:\WINDOWS\system32\lkpapbso.dll
C:\WINDOWS\system32\lsjvpjfi.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nswwba.dll
C:\WINDOWS\system32\osbpapkl.ini
C:\WINDOWS\system32\pbyoiboj.ini
C:\WINDOWS\system32\qemdoi.dll
C:\WINDOWS\system32\qgqeeswi.dll
C:\WINDOWS\system32\wqewrstf.dll
C:\WINDOWS\system32\XIStCcdd.ini
C:\WINDOWS\system32\XIStCcdd.ini2
C:\WINDOWS\system32\ynrkhaih.ini
C:\WINDOWS\system32\yxeypdpj.ini
C:\WINDOWS\Tasks\bvgphovq.job
C:\WINDOWS\Tasks\dppanlzj.job
C:\WINDOWS\Tasks\pdcdmhkx.job
C:\WINDOWS\Tasks\qnavyqvr.job
C:\WINDOWS\Tasks\ttyauscs.job
C:\WINDOWS\Tasks\xkfoygxg.job
C:\WINDOWS\Tasks\xzagrtge.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-10-31 22:33 . 2008-10-31 22:33 60,928 --ahs---- C:\WINDOWS\system32\xxyvUmnl.dll
2008-10-31 21:21 . 2008-10-31 21:21 60,928 --ahs---- C:\WINDOWS\system32\ssqNHbYP.dll
2008-10-31 12:24 . 2008-10-31 12:24 60,928 --ahs---- C:\WINDOWS\system32\hgGabyaa.dll
2008-10-30 18:18 . 2008-10-30 18:43 3,124 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-30 18:15 . 2008-10-30 18:15 60,928 --ahs---- C:\WINDOWS\system32\cbXNFywx.dll
2008-10-30 18:06 . 2008-10-30 18:06 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Malwarebytes
2008-10-30 18:06 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-30 18:06 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-30 18:05 . 2008-10-30 18:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-30 18:05 . 2008-10-30 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-30 17:38 . 2008-10-30 17:38 60,928 --ahs---- C:\WINDOWS\system32\rqRIxxyA.dll
2008-10-30 17:36 . 2008-10-30 17:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-30 13:39 . 2008-10-30 13:39 60,928 --ahs---- C:\WINDOWS\system32\byXOhiIA.dll
2008-10-30 13:08 . 2008-10-30 13:08 60,928 --ahs---- C:\WINDOWS\system32\yaywtQKE.dll
2008-10-30 12:56 . 2008-10-30 13:05 203 --a------ C:\WINDOWS\wininit.ini
2008-10-30 12:38 . 2008-10-30 12:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-30 12:38 . 2008-10-30 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 12:35 . 2008-10-30 12:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-30 12:12 . 2008-10-30 12:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-10-30 12:01 . 2008-10-30 12:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-28 21:16 . 2008-10-28 21:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-28 21:14 . 2008-10-29 06:42 <DIR> d-------- C:\Program Files\Google
2008-10-28 20:47 . 2008-10-28 21:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-10-28 19:39 . 2008-10-28 19:39 <DIR> d-------- C:\WINDOWS\Sun
2008-10-28 19:35 . 2008-10-28 19:35 <DIR> d-------- C:\Program Files\Java
2008-10-28 19:35 . 2008-10-28 19:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-28 19:35 . 2007-05-22 17:39 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-10-28 16:36 . 2008-10-28 16:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-10-28 16:34 . 2008-10-28 16:34 <DIR> d-------- C:\Program Files\NOS
2008-10-28 16:34 . 2008-10-28 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-28 15:55 . 2008-10-28 15:55 <DIR> d-------- C:\WINDOWS\7104189AC5924A56AC9E7C0CA135DA3C.TMP
2008-10-28 15:46 . 2008-10-28 19:33 <DIR> d-------- C:\Program Files\Rail Simulator
2008-10-28 15:16 . 2008-10-28 15:16 <DIR> d-------- C:\Program Files\Ubisoft
2008-10-27 19:06 . 2008-10-27 19:06 <DIR> d-------- C:\Program Files\Watchtower
2008-10-26 22:10 . 2008-10-26 22:10 <DIR> d-------- C:\spoolerlogs
2008-10-26 21:43 . 2008-10-26 21:53 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\vlc
2008-10-26 21:42 . 2008-10-26 21:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-26 21:37 . 2008-10-31 14:37 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-10-26 21:30 . 2008-10-26 21:30 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Windows Search
2008-10-26 21:24 . 2008-10-26 21:24 60,928 --ahs---- C:\WINDOWS\system32\efcdCsQJ.dll
2008-10-26 21:24 . 2008-10-26 21:24 34,816 --a------ C:\WINDOWS\system32\prun.exe
2008-10-26 18:12 . 2008-10-26 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-10-26 18:11 . 2008-10-26 18:11 <DIR> d-------- C:\Program Files\LG Soft India
2008-10-26 18:11 . 2004-04-16 11:24 61,440 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-10-26 18:03 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-26 18:03 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-26 18:02 . 2008-10-26 18:02 <DIR> d-------- C:\WINDOWS\nview
2008-10-26 18:02 . 2008-10-07 13:33 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-26 18:02 . 2008-11-01 20:41 200,819 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-26 18:02 . 2008-10-07 13:33 18,477 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-26 12:46 . 2008-10-26 12:46 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-10-26 12:41 . 2008-10-26 12:41 <DIR> d-------- C:\NVIDIA
2008-10-26 12:41 . 2008-10-02 10:07 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-10-26 01:31 . 2008-10-26 01:31 <DIR> dr-h----- C:\Documents and Settings\Durgut\Application Data\SecuROM
2008-10-26 01:31 . 2008-10-28 15:40 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-10-26 01:24 . 2008-10-26 18:03 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-10-26 01:24 . 2008-10-28 15:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-26 01:24 . 2008-10-26 18:03 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-10-26 01:24 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-10-26 00:45 . 2008-10-26 00:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-26 00:17 . 2008-10-26 00:17 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\HP
2008-10-26 00:04 . 2008-10-26 00:04 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Canon
2008-10-26 00:04 . 2008-10-26 00:04 18,073 --a------ C:\WINDOWS\CSTBox.INI
2008-10-26 00:01 . 2008-10-26 00:01 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Image Zone Express
2008-10-25 23:50 . 2008-10-25 23:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-25 23:44 . 2007-04-09 13:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-10-25 23:44 . 2008-10-25 23:44 376 --a------ C:\WINDOWS\ODBC.INI
2008-10-25 23:42 . 2008-10-25 23:42 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-10-25 23:42 . 2008-10-26 00:04 <DIR> d-------- C:\Program Files\Microsoft Works
2008-10-25 23:42 . 2008-10-25 23:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-10-25 23:42 . 2008-10-25 23:42 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-10-25 23:41 . 2008-10-25 23:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-10-25 23:41 . 2007-11-27 22:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-10-25 23:41 . 2007-11-27 22:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-10-25 23:39 . 2008-10-26 18:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-25 23:39 . 2008-10-25 23:39 <DIR> dr-h----- C:\MSOCache
2008-10-25 23:39 . 2008-05-15 16:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-10-25 23:36 . 2008-10-31 14:26 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-10-25 23:36 . 2008-10-25 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-10-25 23:35 . 2008-10-25 23:35 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-10-25 23:35 . 2008-10-25 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-10-25 23:34 . 2008-10-25 23:35 <DIR> d-------- C:\Program Files\Common Files\HP
2008-10-25 23:32 . 2005-10-27 05:51 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-10-25 23:32 . 2005-10-14 22:42 37,376 --a------ C:\WINDOWS\system32\hpz3l43a.dll
2008-10-25 23:32 . 2008-10-25 23:32 732 --a------ C:\WINDOWS\hpntwksetup.ini
2008-10-25 23:32 . 2008-10-25 23:32 164 --a------ C:\WINDOWS\system32\AddPort.ini
2008-10-25 23:31 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-10-25 23:31 . 2005-03-14 12:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-10-25 23:31 . 2005-03-14 12:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-10-25 23:31 . 2005-03-08 11:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-10-25 23:31 . 2007-08-09 03:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-10-25 23:31 . 2005-03-14 13:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-10-25 23:31 . 2005-03-08 11:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-10-25 23:31 . 2008-04-13 14:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-10-25 23:31 . 2008-04-13 14:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-10-25 23:30 . 2008-10-26 00:15 <DIR> d-------- C:\Program Files\HP
2008-10-25 23:30 . 2008-10-25 23:36 104,464 --a------ C:\WINDOWS\HPFins09.dat
2008-10-25 23:30 . 2005-11-01 05:29 3,732 --------- C:\WINDOWS\hpfmdl09.dat
2008-10-25 23:25 . 2008-04-13 14:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-25 23:25 . 2008-04-13 14:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-25 23:24 . 2008-10-25 23:24 <DIR> d-------- C:\Program Files\Canon
2008-10-25 23:21 . 2008-10-25 23:21 <DIR> d--h----- C:\CanoScan
2008-10-25 23:21 . 2002-05-24 03:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-10-25 23:21 . 2003-09-17 17:36 339,968 --a------ C:\WINDOWS\system32\N124UFW.dll
2008-10-25 23:21 . 2002-09-12 01:07 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-10-25 23:15 . 2008-10-25 23:15 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-10-25 23:15 . 2008-10-25 23:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-25 23:15 . 2008-10-25 23:15 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-10-25 23:15 . 2008-10-25 23:15 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Windows Desktop Search
2008-10-25 23:15 . 2008-03-07 13:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-10-25 23:15 . 2008-03-07 13:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-10-25 23:15 . 2008-03-07 13:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-10-25 23:14 . 2008-10-26 12:43 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-25 23:14 . 2008-10-25 23:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-25 23:13 . 2008-10-25 23:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-10-25 23:10 . 2008-10-25 23:10 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-25 23:10 . 2008-10-25 23:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-10-25 23:09 . 2008-04-13 20:11 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-10-25 23:03 . 2008-10-25 23:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-25 22:59 . 2008-09-15 08:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-25 22:59 . 2008-09-08 06:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-25 22:59 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-25 22:58 . 2008-08-14 06:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-25 22:58 . 2008-08-14 06:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-25 22:58 . 2008-08-14 05:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 19:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 17:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-26 01:55 --------- d-----w C:\Program Files\Realtek
2008-10-26 01:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-10-26 01:53 --------- d-----w C:\Documents and Settings\Durgut\Application Data\ATI
2008-10-26 01:48 --------- d-----w C:\Program Files\ATI Technologies
2008-10-26 01:39 558,142 ----a-w C:\WINDOWS\java\Packages\CNBFZP7V.ZIP
2008-10-26 01:39 155,995 ----a-w C:\WINDOWS\java\Packages\F7TVDJFZ.ZIP
2008-10-26 01:39 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-25 17:51 115,328 ----a-w C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-04 13:31 288,024 ----a-w C:\WINDOWS\system32\PhysXCplUI.exe
2008-08-29 12:57 70,936 ----a-w C:\WINDOWS\system32\PhysXLoader.dll
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-01 1629744]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-01 1057328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-08-08 67112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 32881]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-10-07 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jqxquo.dll bbkpaw.dll nswwba.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\forteManager.lnk
backup=C:\WINDOWS\pss\forteManager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-08-08 28200]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S3 LGDDCDevice;LGDDCDevice;C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys [2007-12-24 14336]
S3 LGII2CDevice;LGII2CDevice;C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys [2007-12-24 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

BHO-{6475158B-3925-4F4C-8769-38D646234314} - C:\WINDOWS\system32\ddcCtSIX.dll
BHO-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\awttrspq.dll
BHO-{9EF38382-E2EE-47D8-84B1-F84167811437} - (no file)
BHO-{B4431AAB-4C67-4066-81BF-4A6C20CB558C} - (no file)
BHO-{e45ecfde-8563-4120-866c-4216f5008263} - C:\WINDOWS\system32\nswwba.dll
ShellExecuteHooks-{9E91EF7B-6846-45C3-A8AB-67CF7C900783} - C:\WINDOWS\system32\awttrspq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Durgut\Application Data\Mozilla\Firefox\Profiles\nluq2h0q.default\
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPJPI142_15.dll
FF -: plugin - C:\Program Files\Java\j2re1.4.2_15\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 20:41:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-11-01 20:43:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-02 00:43:15

Pre-Run: 142,687,838,208 bytes free
Post-Run: 142,628,040,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

314 --- E O F --- 2008-10-26 03:22:07


And this is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:23, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\regeditnewb.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1224987278678
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1224993225546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: jqxquo.dll bbkpaw.dll nswwba.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6506 bytes

 

[muuli]

Hi,

Step 1

Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\system32\xxyvUmnl.dll
C:\WINDOWS\system32\ssqNHbYP.dll
C:\WINDOWS\system32\hgGabyaa.dll
C:\WINDOWS\system32\cbXNFywx.dll
C:\WINDOWS\system32\rqRIxxyA.dll
C:\WINDOWS\system32\byXOhiIA.dll
C:\WINDOWS\system32\yaywtQKE.dll
C:\WINDOWS\7104189AC5924A56AC9E7C0CA135DA3C.TMP
C:\WINDOWS\system32\efcdCsQJ.dll
C:\WINDOWS\system32\prun.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Step 2

Please scan you computer with Malwarebytes' Anti-Malware.

• Open Malwarebytes' Anti-Malware.
  On the Update tab:
  • Press Check for Updates and update Malwarebytes' Anti-Malware.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step 3

Please post a fresh HijackThis log, Malwarebytes' Anti-Malware log and Combofix log.

 

[regeditnewb]

Okay, sorry for the delay here are the logs

ComboFix Log:

ComboFix 08-11-02.02 - Durgut 2008-11-02 15:42:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534 [GMT -5:00]
Running from: C:\Documents and Settings\Durgut\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Durgut\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\7104189AC5924A56AC9E7C0CA135DA3C.TMP
C:\WINDOWS\system32\byXOhiIA.dll
C:\WINDOWS\system32\cbXNFywx.dll
C:\WINDOWS\system32\efcdCsQJ.dll
C:\WINDOWS\system32\hgGabyaa.dll
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\system32\rqRIxxyA.dll
C:\WINDOWS\system32\ssqNHbYP.dll
C:\WINDOWS\system32\xxyvUmnl.dll
C:\WINDOWS\system32\yaywtQKE.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\byXOhiIA.dll
C:\WINDOWS\system32\cbXNFywx.dll
C:\WINDOWS\system32\efcdCsQJ.dll
C:\WINDOWS\system32\hgGabyaa.dll
C:\WINDOWS\system32\mdhash.dll' C:\WINDOWS\system32\mdhsh.sys
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\system32\rqRIxxyA.dll
C:\WINDOWS\system32\ssqNHbYP.dll
C:\WINDOWS\system32\xxyvUmnl.dll
C:\WINDOWS\system32\yaywtQKE.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-10-30 17:18 . 2008-10-30 17:43 3,124 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-30 17:06 . 2008-10-30 17:06 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Malwarebytes
2008-10-30 17:06 . 2008-10-22 15:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-30 17:06 . 2008-10-22 15:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-30 17:05 . 2008-10-30 17:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-30 17:05 . 2008-10-30 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-30 16:36 . 2008-10-30 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-30 11:56 . 2008-10-30 12:05 203 --a------ C:\WINDOWS\wininit.ini
2008-10-30 11:38 . 2008-10-30 11:47 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-30 11:38 . 2008-10-30 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-30 11:35 . 2008-10-30 11:37 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-30 11:12 . 2008-10-30 11:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-10-30 11:01 . 2008-10-30 11:01 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-28 20:16 . 2008-10-28 20:16 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-28 20:14 . 2008-10-29 05:42 <DIR> d-------- C:\Program Files\Google
2008-10-28 19:47 . 2008-10-28 20:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-10-28 18:39 . 2008-10-28 18:39 <DIR> d-------- C:\WINDOWS\Sun
2008-10-28 18:35 . 2008-10-28 18:35 <DIR> d-------- C:\Program Files\Java
2008-10-28 18:35 . 2008-10-28 18:35 <DIR> d-------- C:\Program Files\Common Files\Java
2008-10-28 18:35 . 2007-05-22 16:39 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-10-28 15:36 . 2008-10-28 15:36 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-10-28 15:34 . 2008-10-28 15:34 <DIR> d-------- C:\Program Files\NOS
2008-10-28 15:34 . 2008-10-28 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-28 14:55 . 2008-10-28 14:55 <DIR> d-------- C:\WINDOWS\7104189AC5924A56AC9E7C0CA135DA3C.TMP
2008-10-28 14:46 . 2008-10-28 18:33 <DIR> d-------- C:\Program Files\Rail Simulator
2008-10-28 14:16 . 2008-10-28 14:16 <DIR> d-------- C:\Program Files\Ubisoft
2008-10-27 18:06 . 2008-10-27 18:06 <DIR> d-------- C:\Program Files\Watchtower
2008-10-26 21:10 . 2008-10-26 21:10 <DIR> d-------- C:\spoolerlogs
2008-10-26 20:43 . 2008-10-26 20:53 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\vlc
2008-10-26 20:42 . 2008-10-26 20:42 <DIR> d-------- C:\Program Files\VideoLAN
2008-10-26 20:37 . 2008-10-31 13:37 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-10-26 20:30 . 2008-10-26 20:30 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Windows Search
2008-10-26 17:12 . 2008-10-26 17:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-10-26 17:11 . 2008-10-26 17:11 <DIR> d-------- C:\Program Files\LG Soft India
2008-10-26 17:11 . 2004-04-16 10:24 61,440 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-10-26 17:03 . 2007-07-30 18:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-10-26 17:03 . 2007-07-30 18:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-10-26 17:02 . 2008-10-26 17:02 <DIR> d-------- C:\WINDOWS\nview
2008-10-26 17:02 . 2008-10-07 12:33 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-10-26 17:02 . 2008-11-02 15:50 200,819 --a------ C:\WINDOWS\system32\nvapps.xml
2008-10-26 17:02 . 2008-10-07 12:33 18,477 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-10-26 11:46 . 2008-10-26 11:46 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-10-26 11:41 . 2008-10-26 11:41 <DIR> d-------- C:\NVIDIA
2008-10-26 11:41 . 2008-10-02 09:07 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-10-26 00:31 . 2008-10-26 00:31 <DIR> dr-h----- C:\Documents and Settings\Durgut\Application Data\SecuROM
2008-10-26 00:31 . 2008-10-28 14:40 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-10-26 00:24 . 2008-10-26 17:03 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-10-26 00:24 . 2008-10-28 14:55 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-26 00:24 . 2008-10-26 17:03 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-10-26 00:24 . 2005-05-26 14:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2008-10-25 23:45 . 2008-10-25 23:45 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-10-25 23:17 . 2008-10-25 23:17 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\HP
2008-10-25 23:04 . 2008-10-25 23:04 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Canon
2008-10-25 23:04 . 2008-10-25 23:04 18,073 --a------ C:\WINDOWS\CSTBox.INI
2008-10-25 23:01 . 2008-10-25 23:01 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Image Zone Express
2008-10-25 22:50 . 2008-10-25 22:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-10-25 22:44 . 2007-04-09 12:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-10-25 22:44 . 2008-10-25 22:44 376 --a------ C:\WINDOWS\ODBC.INI
2008-10-25 22:42 . 2008-10-25 22:42 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-10-25 22:42 . 2008-10-25 23:04 <DIR> d-------- C:\Program Files\Microsoft Works
2008-10-25 22:42 . 2008-10-25 22:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-10-25 22:42 . 2008-10-25 22:42 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-10-25 22:41 . 2008-10-25 22:41 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-10-25 22:41 . 2007-11-27 21:56 116,416 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2008-10-25 22:41 . 2007-11-27 21:56 91,328 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2008-10-25 22:39 . 2008-10-26 17:03 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-10-25 22:39 . 2008-10-25 22:39 <DIR> dr-h----- C:\MSOCache
2008-10-25 22:39 . 2008-05-15 15:15 53,168 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2008-10-25 22:36 . 2008-11-02 15:50 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2008-10-25 22:36 . 2008-10-25 22:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-10-25 22:35 . 2008-10-25 22:35 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2008-10-25 22:35 . 2008-10-25 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-10-25 22:34 . 2008-10-25 22:35 <DIR> d-------- C:\Program Files\Common Files\HP
2008-10-25 22:32 . 2005-10-27 04:51 77,824 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-10-25 22:32 . 2005-10-14 21:42 37,376 --a------ C:\WINDOWS\system32\hpz3l43a.dll
2008-10-25 22:32 . 2008-10-25 22:32 732 --a------ C:\WINDOWS\hpntwksetup.ini
2008-10-25 22:32 . 2008-10-25 22:32 164 --a------ C:\WINDOWS\system32\AddPort.ini
2008-10-25 22:31 . 1998-10-29 15:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-10-25 22:31 . 2005-03-14 11:03 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-10-25 22:31 . 2005-03-14 11:05 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-10-25 22:31 . 2005-03-08 10:55 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-10-25 22:31 . 2007-08-09 02:27 73,728 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-10-25 22:31 . 2005-03-14 12:39 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-10-25 22:31 . 2005-03-08 10:55 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-10-25 22:31 . 2008-04-13 13:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-10-25 22:31 . 2008-04-13 13:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-10-25 22:30 . 2008-10-25 23:15 <DIR> d-------- C:\Program Files\HP
2008-10-25 22:30 . 2008-10-25 22:36 104,464 --a------ C:\WINDOWS\HPFins09.dat
2008-10-25 22:30 . 2005-11-01 04:29 3,732 --------- C:\WINDOWS\hpfmdl09.dat
2008-10-25 22:25 . 2008-04-13 13:45 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-10-25 22:25 . 2008-04-13 13:45 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-10-25 22:24 . 2008-10-25 22:24 <DIR> d-------- C:\Program Files\Canon
2008-10-25 22:21 . 2008-10-25 22:21 <DIR> d--h----- C:\CanoScan
2008-10-25 22:21 . 2002-05-24 02:04 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2008-10-25 22:21 . 2003-09-17 16:36 339,968 --a------ C:\WINDOWS\system32\N124UFW.dll
2008-10-25 22:21 . 2002-09-12 00:07 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL
2008-10-25 22:15 . 2008-10-25 22:15 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-10-25 22:15 . 2008-10-25 22:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-10-25 22:15 . 2008-10-25 22:15 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-10-25 22:15 . 2008-10-25 22:15 <DIR> d-------- C:\Documents and Settings\Durgut\Application Data\Windows Desktop Search
2008-10-25 22:15 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-10-25 22:15 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-10-25 22:15 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-10-25 22:14 . 2008-10-26 11:43 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-25 22:14 . 2008-10-25 22:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-10-25 22:13 . 2008-10-25 22:13 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-10-25 22:10 . 2008-10-25 22:10 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-25 22:10 . 2008-10-25 22:10 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-10-25 22:09 . 2008-04-13 19:11 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-10-25 22:03 . 2008-10-25 22:03 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-10-25 21:59 . 2008-09-15 07:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-25 21:59 . 2008-09-08 05:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-25 21:59 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-10-25 21:58 . 2008-08-14 05:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-25 21:58 . 2008-08-14 05:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-25 21:58 . 2008-08-14 04:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-25 21:58 . 2008-08-14 04:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-25 21:58 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-10-25 21:58 . 2008-10-15 11:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-25 21:58 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-25 21:58 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-10-25 21:48 . 2008-10-25 21:48 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-25 21:48 . 2008-10-25 21:48 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-25 21:48 . 2008-10-25 21:48 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-25 21:33 . 2008-10-25 21:33 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\ATI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 19:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-27 17:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-26 01:55 --------- d-----w C:\Program Files\Realtek
2008-10-26 01:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-10-26 01:53 --------- d-----w C:\Documents and Settings\Durgut\Application Data\ATI
2008-10-26 01:48 --------- d-----w C:\Program Files\ATI Technologies
2008-10-26 01:39 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-07 17:33 6,133,856 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-09-25 17:51 115,328 ----a-w C:\WINDOWS\system32\drivers\Rtenicxp.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-01_20.42.57.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 12:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 13:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-10-30 16:36:18 70,524 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-11-02 16:14:25 70,524 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-30 16:36:18 426,932 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-11-02 16:14:25 426,932 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-11-02 20:51:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_258.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-01 1629744]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-01 1057328]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-08-08 67112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-10-07 86016]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" [2007-05-22 32881]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-10-07 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^forteManager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\forteManager.lnk
backup=C:\WINDOWS\pss\forteManager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=

R2 OcHealthMon;Windows Live OneCare Health Monitor;C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2008-08-08 28200]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;C:\WINDOWS\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S3 LGDDCDevice;LGDDCDevice;C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys [2007-12-24 14336]
S3 LGII2CDevice;LGII2CDevice;C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys [2007-12-24 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 15:50:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2008-11-02 15:53:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-02 20:52:57
ComboFix2.txt 2008-11-02 00:43:20

Pre-Run: 142,573,150,208 bytes free
Post-Run: 142,565,863,424 bytes free

277 --- E O F --- 2008-10-26 03:22:07

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:46, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\regeditnewb.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1224987278678
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1224993225546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6736 bytes


MBAM Log:

Malwarebytes' Anti-Malware 1.30
Database version: 1357
Windows 5.1.2600 Service Pack 3

11/2/2008 10:17:47 PM
mbam-log-2008-11-02 (22-17-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 130135
Time elapsed: 32 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 51

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\awttrspq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bbkpaw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\beguuneu.exe.vir (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXOhiIA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXNFywx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ddcCtSIX.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\efcdCsQJ.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fccbaxuT.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fkqruamb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGabyaa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jobioybp.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jpdpyexy.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jqxquo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lglfkpks.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lkpapbso.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lsjvpjfi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nswwba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prun.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qemdoi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qgqeeswi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRIxxyA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqNHbYP.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wqewrstf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxyvUmnl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yaywtQKE.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP58\A0018552.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025829.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025830.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025831.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025833.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025834.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025836.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025837.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025838.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025839.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025840.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025841.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025845.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025846.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025847.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP62\A0025842.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0025999.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026001.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026002.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026003.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026004.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026005.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026006.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A512BA6-E25D-4204-8EE4-9CD980899A98}\RP63\A0026007.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

 

[muuli]

Hi,

How your computer running now?

Step 1

Please remove via Add or Remove programs (press Start -> Controlpanel -> Add or Remove programs):
Java 2 Runtime Environment, SE v1.4.2_15

Step 2

Update Java...

1. Download the latest version of Java Runtime Environment (JRE) 6 Update 10 and save it to your desktop.
2. Scroll down to where it saysThe Java SE Runtime Environment (JRE) allows end-users to run Java applications..
3. Click the Download button to the right.
4. Select Windows on platform combobox and check the box that says:
   Accept License Agreement. Click continue.
5. The page will refresh.
6. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

Step 3

Please post a fresh HijackThis log.

 

[regeditnewb]

My computer is running fine and I have installed the JRE. I am posting a fresh HijackThis Log. I am scanning my system with spybot and I will post whatever results I find. I think Virtumonde will be the next task! Thanks for your help with this muuli!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:41, on 11/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\regeditnewb.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1224987278678
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1224993225546
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6946 bytes

 

[regeditnewb]

Okay Muuli I scanned my system with spybot and thanks to your help Smitfraud is gone! Now however I have to get rid of these programs.....

 

[muuli]

Hi,

Now however I have to get rid of these programs.....

Spybot found only cookies... They are neither spyware nor viruses etc... Here are some links about cookies:
http://www.cookiecentral.com/cm002.htm
http://en.wikipedia.org/wiki/HTTP_cookie
http://www.tech-faq.com/browser-cookie.shtml

Below is some tips how to blocking cookies. There's HOSTS file etc.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Also, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor
3) PC Tools
4) Sunbelt/Kerio
5) ZoneAlarm (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Re-enable Spybot Teatimer...

1. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
2. On the left hand side, click on Tools.
3. Check (tick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
4. Exit Spybot Search & Destroy.
5. Restart your computer for the changes to take effect.

Now lets uninstall ComboFix:

• Click START then RUN
  
• Now type Combofix /u in the runbox and click OK

• Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows XP System Restore Guide
  
  Re-enable system restore with instructions from tutorial above
  
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
    
  • Change the Download unsigned ActiveX controls to Disable
    
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
    
  • Change the Installation of desktop items to Prompt
    
  • Change the Launching programs and files in an IFRAME to Prompt
    
  • Change the Navigate sub-frames across different domains to Prompt
    
  • When all these settings have been made, click on the OK button.
    
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software and keep your other programs up-to-date
    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
    You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check
    
    
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    
    
  • Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
    
    Malwarebytes' Anti-Malware Setup Guide
    
    Malwarebytes' Anti-Malware Scanning Guide
    
    
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    
    A tutorial on installing & using this product can be found here:
    
    Using SpywareBlaster to protect your computer from Spyware and Malware
    
    
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  Follow this list and your potential for being infected again will reduce dramatically.
  
  Here are some additional utilities that will enhance your safety
  
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!